123 Reg Blog

Is the EU’s cookie law confusing you too?

By John - April 19, 2012

You might remember that in May last year some new EU rules came into force. Dubbed the ‘EU cookie law’, the legislation says websites have to get permission from users before storing pieces of information called cookies on their computers.

What are cookies?

Cookies are small text files which websites place on visitors’ computers. They’re typically used to identify that particular visitor and provide them with a better experience. Cookies are a crucial part of many website functions which we take for granted.

For instance, it’s usually cookies which allow online shops to remember what items you have in your shopping trolley. They’re also used to keep you logged in to a website, or to provide valuable usage statistics and information to website owners.

If you run a website, it almost certainly uses cookies. Their most likely function is to monitor visitor numbers and behaviours through tools like Google Analytics. They may also be used to display relevant adverts to visitors, or – if you sell online – to power key parts of your online shopping system.

What the cookie law says

Although the cookie law came in last year, the Information Commissioner’s Office (ICO) decided to give websites a year to implement the rules. The deadline is 26 May 2012 – after that date, websites which don’t comply with the law could be fined up to £500,000.

The implications of the new cookie law could be far-reaching, yet there’s still a lot of confusion about how the rules should be interpreted and what websites need to do to comply. As a result, many websites are taking a ‘wait and see’ approach.

In short, the new rules require websites to get permission from visitors before placing any cookies on their computer. Permission must be informed and overt, which means you have to ask visitors outright if you can put cookies on their computer, and explain clearly what the cookies are used for.

You can’t bury the information in your website’s terms and conditions and leave it at that.

The only exceptions to this are cookies deemed essential to providing functions visitors have asked for. But you can’t rely on this to cover many of your cookies.

The ICO guidance on the new law (PDF link) says that “this exemption is a narrow one”. It’s certainly not likely to cover cookies for analytics purposes, which is one of the most common uses of cookies – particularly for smaller websites.

Implementing the cookie law

Even with the May deadline fast approaching, hardly any websites have done anything obvious to comply with the cookie law.

The few which have begun seeking permission tend to use messages displayed at the top of the screen or overlaid on the website’s pages.

As you’d expect, the ICO website has an opt-in message at the top of every page. And BT has begun displaying a message (right) to explain a bit more about its cookies, although it’s debatable whether this is a proper opt-in.

But by and large, most websites are keeping their cards close to their chest. That’s understandable, when you look at the commercial implications: when the ICO added an opt-in message to its website, measured visitors dropped by about 90%.

That didn’t mean the site was receiving fewer visitors – it just meant people weren’t opting in to cookies, so the ICO couldn’t track what those people were doing.

For sites which rely on accurate visitor data to make money, the implications are significant. Adding an opt-in could leave them at a disadvantage to competitors, which is why there’s a real reluctance on the part of website owners to be the first to move.

The bare minimum

It’s looking very unlikely that many websites will have implemented a cookie opt-in by 26 May. But that doesn’t mean they won’t be doing anything at all. In fact, the ICO – which is responsible for enforcing the rules – has suggested that the most important thing is to take steps in the right direction. If you can show you’re moving towards full compliance then you’re unlikely to be targeted.

As a bare minimum, it’s important to have an understanding of what cookies your website uses and plan how you might implement an opt-in.

It’s useful to know exactly what cookies your website uses anyway, and you can do this relatively easily using tools like Bitstorm View Cookies or Attacat Cookie Audit. These will show you what cookies your website creates as you move through the pages.

The harder bit is working out how you would create an opt-in function on your site. As we’ve seen, most websites display a message to users – but the tricky bit is creating the back-end logic to ensure cookies are only set once people have given their permission.

If you’re not adept with computer code, you might need some help from a web developer to accomplish this. There are some ‘plug and play’ tools available, like Optanon and this tool from Wolf Software (designed for sites using Google Analytics), which could make things easier.
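A minimal version of that back-end logic, as an added example that is not code from the 123 Reg post or from Optanon or Wolf Software: the `cookie_consent` name, the list of essential cookies and the sample values are assumptions. It shows both halves the text describes: the server refuses non-essential Set-Cookie values until an explicit opt-in cookie is present, and the page only injects the analytics script after consent.

```javascript
// Added example, not code from the 123 Reg post or any tool it names. The
// "cookie_consent" name, the ESSENTIAL list and the sample values are assumptions.
const CONSENT_COOKIE = 'cookie_consent';

// Cookies needed to deliver what the visitor explicitly asked for (the
// narrow "strictly necessary" exemption). Everything else needs opt-in.
const ESSENTIAL = new Set(['session_id', 'basket']);

// Parse a Cookie request header or document.cookie string into an object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// Permission must be overt: only an explicit "yes" counts. A missing
// consent cookie, or any other value, is treated as no permission.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'yes';
}
// Decide whether one cookie may be set on this response.
function maySetCookie(name, cookieString) {
  return ESSENTIAL.has(name) || hasConsent(cookieString);
}

// Single choke point for the back end: drop every Set-Cookie value the
// visitor has not agreed to, keeping only the essential ones.
function filterSetCookies(candidates, cookieString) {
  return candidates.filter((c) => maySetCookie(c.split('=')[0].trim(), cookieString));
}

// Set-Cookie value to issue once the visitor clicks "accept" (one year).
function consentSetCookie() {
  return `${CONSENT_COOKIE}=yes; Path=/; Max-Age=31536000; SameSite=Lax`;
}

// Browser side: inject the analytics loader only after opt-in, so no
// tracking cookie is ever written before permission is given.
function loadAnalyticsIfConsented(doc, scriptUrl) {
  if (!hasConsent(doc.cookie)) return false;
  const s = doc.createElement('script');
  s.src = scriptUrl;
  doc.head.appendChild(s);
  return true;
}
```

On the server, route every Set-Cookie header through `filterSetCookies` so the check cannot be bypassed by one forgotten page; in the browser, call `loadAnalyticsIfConsented` in place of the unconditional analytics snippet.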

Don’t do nothing

Although there is still a fair amount of uncertainty around the new law, it’s fair to say that doing nothing is not a good option. In the long term, people’s attitudes to and understanding of cookies may change – and web browsers may include settings to help provide a consistent opt-in.

But for now the onus of complying with the law falls very much on individual website operators. And while the chance of being prosecuted may be small (at least to begin with), doing nothing at all is a dangerous move. To start with, review the guidance from the ICO (PDF link) and try to establish what cookies your website currently uses.