Keeping the lid on your cookie jar

There’s been a lot of noise in the past few days about the EU cookie law and how it affects website owners in the UK and EU.

The EU outlawed the practice of dropping cookies without users’ consent on May 26th 2011, and at midnight on Friday 25th May 2012 millions of website owners in the UK found themselves, almost overnight, potentially in breach of the law.

Concern had been high that many UK website owners would wake up on Saturday in breach of the law, and to an extent they did. However, it is important to note that the Information Commissioner’s Office (ICO), the regulator responsible for enforcing the law, made a fundamental change to its guidance on how the law should be read less than 48 hours before the deadline for full implementation in the UK.

What is key is the amendment that implied consent can be used to achieve compliance, a move away from the original position that explicit, informed consent was required. Version 3 of the ICO’s guidance document states:

While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.

It had always been understood that the law, passed in the EU on May 26th 2011 and fully implemented in UK law on 25th May 2012, would require website owners to seek consent from a user before dropping cookies on their devices.

Early reporting on the new rule led some to believe that an explicit, opt-in style consent would be required for every cookie each time it was set.

The amendment and clarification from the ICO mean that compliance is a lot easier to achieve than first thought, and that the result is a lot less intrusive and less potentially confusing for your visitors.

What does this mean for the visitors?

For the most part there is no real change, although some major UK brands made efforts to comply ahead of the May 25th deadline.

You will begin to see more visible and prominent requests for your consent to the use of various cookies. These may take the shape of overlays, banners or pop-ups, or of additional check boxes on sign-up forms.

For example BT implemented a complex opt-in cookie consent scheme which has been cited as a model example. Others have followed the implied consent approach. The Guardian, for example, has a simple banner across the top of the page telling users that the site uses cookies and that continued use implies consent:

[Image: the Guardian’s implied consent banner for cookies]

The BBC asks for cookie consent on its home page only, with a link to a page where you can opt out of various types of cookie:

[Image: the BBC’s cookie consent notice]

But what are all these cookies about anyway?

Essentially a cookie is a small piece of text, a name and a value plus a few attributes, that a website sends to your browser, which stores it on your machine and sends it back with later requests to that site. Some last only until you close the browser; others carry an expiry date and persist between visits.

They have always been available to web developers and have been used for years as a way to hold a small amount of pertinent data temporarily, to assist in the smooth operation of a site or to enhance the user experience.

Examples of the type of data that could be held in a cookie:

  • items in a shopping cart
  • how far through a process you are
  • the time your visit started
  • whether you are logged in or not
  • your IP address
  • the last time you visited the site
  • your name or user name.

In practice a well-built site keeps most of this on the server and stores only an opaque session identifier in the cookie, because anything written into a cookie can be read and altered by whoever controls the browser.

They can be used to collate aggregate statistical data about how a website is used, typically by a third-party analytics service such as Google Analytics. Website owners and developers use this information to learn how their sites are being used and to test what works for their users and what doesn’t, as part of a continuous improvement cycle.

Cookies can also store browsing preferences and search queries, which can be used later for targeted advertising where a site rents out ad space under an auction scheme. In this case the cookie usually belongs to an advertising network embedded on many sites, so the network can recognise the same browser from one site to the next. This means that a person who has visited lots of sites about dog breeding, for example, may be served up dog food adverts, whilst another with a keen interest in sailing may be served up adverts for sailing holidays.

Social media sharing widgets may place cookies when a page embeds them, to remember that you already “liked” this page or tweeted about it via the tweet button; because the same widget appears on many sites, the social network’s cookie is sent back to it from each of those sites.

A cookie is sent back only to the site it was scoped to when it was set: by default the exact host that set it, or, if it carries a Domain attribute, that domain and its subdomains, optionally narrowed by a Path attribute. Another site cannot read it directly, but a third party whose script or widget is embedded on many sites sets its own cookie and receives it back from every one of them, which is how cross-site tracking works. Generally speaking, though, cookies are used to enhance or make more efficient the way a site presents itself to you.

How does this affect my privacy?

Cookies on their own don’t affect your privacy that much, but they fall firmly into the category of data stored on or accessed from a user’s computer, which is what the legislation is really about.

What this new law really represents is increased transparency and more power over how websites use information about you or your browsing behaviour.

I believe that privacy of the individual is to be treated with the utmost respect and in many ways what this new law represents is good for privacy. However the rhetoric surrounding the new rules has led many to believe that it is a law all about cookies. It isn’t.

This is what the law requires:

a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)

Because cookies are, fundamentally, information stored on the device and later read back from it, they are the focus of attention.

There appears to be a lot of misinterpretation and misunderstanding about the nature and abilities of cookies, which makes it appear that the law has been based on the fundamental misconception that cookies collect data.

Cookies do not and cannot collect data. They contain data that may or may not be identifiable information about you, but they are generated by the server and placed on your device for use later. If a cookie contains identifiable information, it will usually be because you have willingly supplied it to the web service that placed it on your machine, for example by creating a user profile. The one caveat is an identifier the server generates itself, such as the unique ID in an advertising cookie: it identifies nobody on its own, but once the same server sees it come back from many sites it becomes the key to a record of your browsing.

I would argue that it’s not necessarily a breach of a person’s privacy to put information about them on their own device.

This has led to much confusion, and the law is hotly debated in web development circles.

Privacy and data protection becomes a real issue when a website starts to collect more sensitive personal data and in those instances it is more than reasonable that explicit consent is sought prior to collecting the data.

Websites can collect and disseminate data and this law, whilst potentially misguided and heavy handed, seeks to address issues concerning ePrivacy.

Savvy website owners will have been publishing their cookie usage policy for some time, as the requirement to inform visitors about cookie usage came into force in 2003. The new rules put more control in the hands of the user.

As a user, what you really need to grasp is that by disabling or denying cookies you may be denying yourself the rich user experience that the website owner intended for you, and sites may not function as well as they would have done with certain cookies enabled.

What does this mean to website owners in the UK?

What it boils down to is transparency and education. We, as website owners, have a duty of care to our visitors to let them know what we are doing with the data that we generate and how we use it for their benefit.

It also means that compliance is now relatively straightforward and simple to implement, whereas it could have been a real nightmare.

Follow these simple steps to compliance:

  1. Perform a cookie audit to determine which cookies your site sets, including those set by embedded third-party scripts and widgets, what each one is for and how long it lasts
  2. Make a clear and transparent statement that your website uses cookies and how they are used
  3. Make it very easy for the visitor to find that information
  4. Provide information, or links to information, that helps a user manage cookie settings
  5. Make a clear statement regarding implied consent

Job done, you are well on the way to compliance. Here is an example of how this site uses cookies.
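Going back to step 1, the audit: here is a short Python script, added as an example and not the article’s own code, that does two things the sections above describe. It works out which cookies a browser would send on a later request, using the Domain, Path and Secure rules rather than “the server that put them there”, and it runs a first-pass cookie audit, classifying each cookie as first- or third-party, session or persistent, and listing which of the Secure, HttpOnly and SameSite protections it lacks. The page URL, hostnames and Set-Cookie headers are constructed for the example, and the first-party test uses a last-two-labels simplification where a real audit would consult the Public Suffix List.

```python
"""Cookie scoping and audit over constructed Set-Cookie headers.

Added example, not the article's own code. Shows (1) which cookies a browser
sends on a later request, decided by Domain/Path/Secure rather than by "the
server that put them there", and (2) a first pass at the cookie audit in step 1
of the compliance list: first- or third-party, session or persistent, and which
protective attributes are missing.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    set_by: str            # host that sent the Set-Cookie header
    domain: Optional[str]  # Domain attribute (lower-case, leading dot removed); None = host-only
    path: str
    persistent: bool       # has Expires or Max-Age, so survives closing the browser
    secure: bool
    http_only: bool
    same_site: Optional[str]


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Parse one Set-Cookie header value received from request_url (RFC 6265 rules, simplified)."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    req_path = url.path or "/"
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = path = same_site = None
    persistent = secure = http_only = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lower().lstrip(".")
        elif key == "path" and val.startswith("/"):
            path = val
        elif key in ("expires", "max-age"):
            persistent = True
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            same_site = val.lower() or None
    if path is None:
        # Default path: the request path with its last segment removed ("/a/b" -> "/a", "/b" -> "/").
        path = req_path.rsplit("/", 1)[0] or "/"
    return Cookie(name.strip(), value, host, domain, path, persistent, secure, http_only, same_site)


def domain_matches(host: str, cookie: Cookie) -> bool:
    if cookie.domain is None:                      # host-only cookie: exact host match only
        return host == cookie.set_by
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(req_path: str, cookie_path: str) -> bool:
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar: List[Cookie], request_url: str) -> List[str]:
    """Names of the jar's cookies a browser would attach to a request for request_url."""
    url = urlsplit(request_url)
    host, req_path, https = (url.hostname or "").lower(), url.path or "/", url.scheme == "https"
    return [c.name for c in jar
            if domain_matches(host, c) and path_matches(req_path, c.path) and (https or not c.secure)]


def site_of(host: str) -> str:
    # Simplification: last two labels. A real audit uses the Public Suffix List (e.g. for *.co.uk).
    return ".".join(host.split(".")[-2:])


def audit(jar: List[Cookie], page_url: str) -> List[Tuple[str, str, str, str, List[str]]]:
    """(name, scope, party, lifetime, missing protections) for each cookie, relative to page_url."""
    page_site = site_of((urlsplit(page_url).hostname or "").lower())
    rows = []
    for c in jar:
        scope = c.domain or c.set_by
        party = "first-party" if site_of(scope) == page_site else "third-party"
        lifetime = "persistent" if c.persistent else "session"
        missing = [flag for flag, present in (("Secure", c.secure), ("HttpOnly", c.http_only),
                                              ("SameSite", c.same_site is not None)) if not present]
        rows.append((c.name, scope, party, lifetime, missing))
    return rows


# Constructed sample: responses one page view might trigger (not captured from any real site).
PAGE = "https://www.example.com/account/settings"
RESPONSES = [
    (PAGE, "sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    (PAGE, "cart=3; Domain=example.com; Path=/; Max-Age=2592000"),
    (PAGE, "prefs=dark; Domain=.example.com"),           # no Path: defaults to /account
    ("https://analytics.example-ads.net/collect",
     "_uid=9b1e; Domain=example-ads.net; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None"),
]
JAR = [parse_set_cookie(header, url) for url, header in RESPONSES]

if __name__ == "__main__":
    for url in (PAGE, "https://shop.example.com/checkout", "http://www.example.com/account/settings"):
        print(url, "->", cookies_sent(JAR, url))
    for row in audit(JAR, PAGE):
        print(row)
```

Run it and you will see that the advertising cookie is never sent to example.com, that the host-only session cookie stays off shop.example.com, and that a cookie with Domain=example.com reaches every subdomain, which is exactly the scoping a visitor (or an auditor) needs to understand. For a real audit, feed it the Set-Cookie headers captured in your browser’s developer tools over a full visit, including the responses from embedded third-party scripts, since those are the cookies visitors tend to ask about.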

In a similar vein to web accessibility, it is important for site owners and developers to employ a privacy by design approach. That way privacy and data protection compliance is designed into systems right from the start rather than being bolted on afterwards or ignored.

Over to you

How have you been affected by the new EU cookie law? Share your thoughts and experiences in the comments section  below.

Further reading:

The ICO’s updated Guidance on the rules on use of cookies and similar technologies
Guardian article: Cookies law changed at 11th hour to introduce ‘implied consent’
No Cookie Law: A protest site against the cookie law

Disclaimer:

I am not a legal professional and any opinions and ideas presented, whilst well intended do not constitute the basis of professional legal advice.

Alex Adams

Alex has been designing, developing and managing software projects since 1998. He is a multidisciplinary developer and has worked with a number of languages, technologies and frameworks. When he's not developing, he's a busy husband and dad who finds a bit of time to train for triathlon events.
