If you use cookies on your website, your website must comply with the European Union e-Privacy Directive (otherwise known as the “cookie law”!). You’ve probably seen those annoying popup boxes on lots of websites asking you to accept cookies, which were introduced after this directive came into force in 2012. This guide brings the issue up to date and looks at what website owners are doing in 2014.
What is a “Cookie”?
A cookie is a small text file, normally just comprising of a few letters and numbers, downloaded onto a user’s computer or device when they’re browsing a website. These cookies are sent back to the originating website on each subsequent visit and can help websites personalise the experience for visitors, such as keeping them logged-in or saving their preferences.
For example, the BBC Weather website allows visitors to save their desired location (e.g. Southend-on-Sea, Essex) and show them the weather forecast in this area on each subsequent visit. This happens because the BBC website has saved a cookie on the visitor’s device, then loads this cookie again whenever the visitor returns to personalise their experience.
Cookies are also often used by website owners for analytics purposes, such as reporting how many times a visitor has returned to the website and what pages they’ve visited.
Common Sense approach to the EU Cookie Law
The EU Cookie Law requires websites to tell their visitors if they use cookies and what these cookies are used for. Some websites have adopted huge cookie disclaimer banners, which take over a user’s screen when they arrive on a webpage!
A more common sense approach, however, has been adopted by many high-profile websites, who now add a more discreet notice to their pages. For example, Marks & Spencer simply add a small “cookie” link in the footer of their website. The electrical retailer Currys follow the same principal.
A slightly more visible approach is used by Thomas Cook on their website, who have put the link at the top of their page, whilst Expedia (see below) have also chosen to include a simple link in the website’s header, but with an icon beside it.
Other websites have used a banner approach, which either loads at the top or bottom of the screen, which seems to the most cautious method.
You can see a great list of examples of what various other big names have implemented on their own websites by seeing Econsultancy’s EU cookie law report.
Advice from the Information Commissioner’s Office on analytics cookies:
Lots of websites use visitor tracking services, e.g. from Google Analytics or StatCounter. What do the regulations mean for these types of cookies?
It’s well worth reading the advice given by the Information Commissioner’s Office (ICO), who are the body enforcing these regulations in the UK. The last update (at the time of writing this blog) was published in 2012.
The ICO say:
It’s clearly the case that the majority of websites undertake some form of analytics activity and most of those will use cookies to facilitate some if not all of that activity. The Information Commissioner recognises that gaining explicit opt-in consent for analytics cookies is difficult and that implied consent might be the most practical and user-friendly option.
The approach used by Marks & Spencer, Currys, Thomas Cook and Expedia, in our examples above, appears to be acceptable.
Pop-ups or similar techniques such as message bars or header bars might initially seem an easy option to achieve compliance… but it’s also one which might well spoil the experience of using a website if not implemented carefully.
The ICO adds:
In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
The advice we’re giving to our own clients…
Firstly, we must make this very clear – Primary Image Ltd is not qualified to offer any legal advice!
We did, however, listen to a talk by one of UK’s leading digital solicitors – Peter Wright – at the recent WordCamp Sheffield conference and he gave some useful advice on what the EU Cookie Law means today. (Out of interest, you can see Peter’s slides that’s he uploaded, which mainly cover social media law, but unfortunately you won’t hear his very interesting commentary to some of these cases!). His view was that obtrusive cookie banners are not the only option for website owners.
Having a well written Cookie Policy is highly advisable, with clear links so your website’s visitors can easily find it. You should tell your visitors what the cookies are used for, whether your own website or a third-party (e.g. Google Analytics) sets these cookies, how long they may remain stored on a visitor’s device, and any other relevant information. You may also want to add some brief information on how visitors can block cookies in their browser software if they so wish. The ICO link above has further advice.
For our clients at Primary Image, we have provided a sample template as a guide, however we strongly recommend website owners take their own professional legal advice. We’re currently offering two different options to our clients, which are:
(a) a simple text-link directing visitors to their Cookie Policy, normally in the footer, or;
(b) a popup box that loads at the bottom of their webpage, which includes a link to their Cookie Policy (like the image below).
Our clients are, of course, also free to give us any other instructions on how they wish the Cookie Policy to be implemented on their own website.
In summary, the EU e-Privacy Directive isn’t as scary as some people make out and you don’t need to let it take over your website. Have a look at what some of the largest UK brands are doing with their websites. Most likely, they will have consulted their top legal advisers to find a solution that they believe is compliant and the best for their visitors, so doing something similar could be suitable for your website!
Update 31/05/2014:
I came across this cookie banner on lingscars.com, which is a highly amusing website! The lady behind this company appeared on the BBC’s Dragons’ Den programme a few years ago and she’s certainly a character!
Mike founded Primary Image in 2010. He specialises in the WordPress website platform and speaks regularly at national web design conferences. Mike became a member (MCIPR) of the Chartered Institute of Public Relations in 2015.
Comments
Hello
Interesting article which raises a couple of questions:
1. How do I find out what cookies my website has?
2. Where do I find out what they do?
3. Who sets them?
4. How do I find out how long they’re on there for?
I’ve been on the ICO website. They have a popup which lists what cookies they have and what their function is (informative) but they don’t say where to get this information from.
Can you advise, please?
Hi Shan – if you use the Chrome browser, you can install an extension called the “Cookie Audit Tool’ which allows you to see what cookies are being served. There’s also this online tool which allows you to check your home page for free (amongst others if you search for something like “cookie audit”) – http://www.onlinecookieaudit.com – and that will answer 1 / 3 / 4. In terms of what a specific cookie does, some of these online services will help classify their purpose, but by looking at the cookie names you can normally work out what they do. Mike
Hi Shan
You can also use http://www.cookiebot.com – they have a cookie-scanner at their front page.