The EU Cookie Law – what to do now

As the enforcement date of 26 May 2012 approaches, we provide an update on the situation.

Much has been written, and is being written, about the new so-called Cookie Law that the UK Information Commissioner’s Office (ICO) is mandated to enforce with effect from 26 May 2012. In his January article, Paul Boag concluded that “this really isn’t turning into the doomsday scenario some have suggested”.

Paul was right. However, now is the time to take some simple steps to make sure that your site is in good shape.

If you have taken a look at the ICO’s website and run screaming from the extreme solution it has implemented, don’t worry. Fortunately, the ICO will not be enforcing such an extreme position on others.

So, what should you do? While a definitive position simply doesn’t exist right now, the following seem like reasonable steps.

  1. Identify all the cookies associated with your site, where they are being served from and what they do.
  2. Make sure you have a reasonably prominent link to your privacy policy and rename it Privacy and cookies policy to be on the safe side.
  3. List the cookies on your Privacy and cookies policy page. For first party cookies (i.e. those served by your website) list their name and purpose. For third party cookies (such as Google Analytics cookies) list the source, name and purpose.
  4. If you use social buttons to enable sharing of pages you should note in your Privacy and cookies policy that you do so and that scripts from third party sites have been used and that those third parties might be gathering usage information.
  5. Similarly, if you use third party services such as YouTube or Vimeo you should note this too and state that they may gather usage information.

So how prominent is prominent? John Lewis, for example, previously had a footer link “Security & privacy”. It has lifted this to the header and renamed it “Privacy & cookies”. Do you need to do this? My view is that, like the Number 10 website, Marks and Spencer and many others, a link in the footer will be sufficient.

 

John Lewis website

 

Should you list your cookies? John Lewis and Number 10, for example, contain lists but so far Marks and Spencer, for example, has not listed its cookies. My recommendation would be to include a list of cookies together with some instructions about disabling cookies in major browsers.

 

A list of number 10’s cookies

 

So how do you audit the cookies on your site? Unfortunately, this isn’t completely straightforward. The easiest way of doing this that I know of is to use Firefox with the Firebug and Firecookie extensions installed. Firecookie lists cookies on a page-by-page basis, so you’ll need to visit all sections of the site to ensure that you find all cookies.

You may also need to do some detective work when you are auditing your cookies. First party cookies, i.e. those that are served by your site, are clear. For example, first party cookies served by the Boagworld site will be listed with a domain of www.boagworld.com. Where things get more confusing is with some third party cookies, for example Google Analytics cookies (which are prefixed with __utm). On www.boagworld.com these show up with a domain of .www.boagworld.com (notice the leading . ) even though they have originally come from Google.
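
An added example (not from the original article) of turning the cookies observed while browsing the site into the list the policy page needs. It goes slightly beyond the Firecookie walk-through by merging observations across pages, and it attributes `__utm`-prefixed cookies to Google Analytics by name because their domain looks first-party; the sample observations, the `session_id` and `embed_pref` cookies and the `video.example` host are constructed.

```javascript
'use strict';

// Assumption: name prefixes mapped to the third party whose script sets them.
// Only the __utm prefix comes from the article; extend the table for your site.
const KNOWN_SOURCES = [{ prefix: '__utm', source: 'Google Analytics' }];

// Parse one cookie-setting string (a Set-Cookie header value or the string a
// script assigns to document.cookie) into name, Domain attribute and lifetime.
function parseCookieLine(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: nothing to record
  const cookie = { name: pair.slice(0, eq), domain: null, persistent: false };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const value = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && value) cookie.domain = value.toLowerCase();
    if (key === 'expires') cookie.persistent = true;
    if (key === 'max-age') cookie.persistent = Number(value) > 0;
  }
  return cookie;
}

// Cookie domain matching: a leading dot is ignored, and a host matches the
// cookie domain when it is equal to it or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '');
  return host === d || host.endsWith('.' + d);
}

// Build one inventory row per (name, domain), recording every page it was seen on.
function auditCookies(siteHost, observations) {
  const site = siteHost.toLowerCase();
  const inventory = new Map();
  for (const { page, setBy, line } of observations) {
    const c = parseCookieLine(line);
    if (!c) continue;
    const domain = c.domain || setBy.toLowerCase(); // host-only cookie
    const known = KNOWN_SOURCES.find((k) => c.name.startsWith(k.prefix));
    const onSiteDomain = domainMatches(site, domain);
    const key = `${c.name}|${domain}`;
    if (!inventory.has(key)) {
      inventory.set(key, {
        name: c.name,
        domain,
        // Following the article, a known third-party script's cookie is listed
        // as third party even when its domain is the site's own.
        party: known || !onSiteDomain ? 'third' : 'first',
        source: known ? known.source : onSiteDomain ? site : domain.replace(/^\./, ''),
        lifetime: c.persistent ? 'persistent' : 'session',
        pages: [],
      });
    }
    const row = inventory.get(key);
    if (!row.pages.includes(page)) row.pages.push(page);
  }
  return [...inventory.values()];
}

// One line per cookie for the policy page; purpose has to be filled in by hand.
function policyRows(rows) {
  return rows.map((r) =>
    `${r.name} | ${r.source} | ${r.party} party | ${r.lifetime} | purpose: TO DOCUMENT`);
}

// Constructed sample observations (not real captures from any site).
const SAMPLE = [
  { page: '/', setBy: 'www.boagworld.com', line: 'session_id=abc123; Path=/; HttpOnly' },
  { page: '/', setBy: 'www.boagworld.com', line: '__utma=1.2.3; expires=Sat, 24 May 2014 10:00:00 GMT; path=/; domain=.www.boagworld.com' },
  { page: '/blog/', setBy: 'www.boagworld.com', line: '__utma=1.2.3; expires=Sat, 24 May 2014 10:00:00 GMT; path=/; domain=.www.boagworld.com' },
  { page: '/blog/', setBy: 'video.example', line: 'embed_pref=hd; Max-Age=31536000; Domain=.video.example' },
];

console.log(policyRows(auditCookies('www.boagworld.com', SAMPLE)).join('\n'));
```
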

You should also include a statement of what the implications of disabling cookies will be. John Lewis is clear: “If cookies aren’t enabled on your computer, it will mean that your shopping experience on our website will be limited to browsing and researching; you won’t be able to add products to your basket and buy them.”

The best guidance that I am aware of is a recently published Econsultancy report. Unfortunately this is not cheap at £250. Econsultancy has however published a detailed, free article on the approach it has taken.

  • http://twitter.com/dubbs2009 Jon Wallace

    So, you are pushing the don’t comply with the legislation e.g. to allow the user to decide whether to allow non-essential site cookies to be set themselves…. route here? For me this does not comply with the law as I understand it. I think your advice to get people to outline and clearly document what cookies their site is setting and any third party services like FB LIKE and TWEET buttons will utilise – but surely these non-vital site cookies should be off by default when the user arrives at ones site?

    If… and it’s a big IF! If we/web community could agree on 1 unified approach here and all implement the same solution then the web users would feel less bombarded with various different approaches here and make this transition a smoother and easier process… Just my 20ps worth anyway!

    I am very interested to see how the ICO will react come May 26th and see if they go after any big sites to enforce the new legislation… only time will tell!

    • http://twitter.com/inventpartners Invent Partners

      “If we/web community could agree on 1 unified approach”

      We did this: http://www.consentify.com – We thought it might be a step towards just such a unified approach. This is just a very quick beta – but the idea is that the user gets the compliance message, and is able to signal their general acceptance of cookies from websites. Other websites then check that same cookie for consent before showing further notifications. Do we think this could work?

  • http://twitter.com/OliverBirleson Oliver Birleson

    Many websites are moving over to using cookie-less technologies on their sites ahead of the cookie law deadline. One of the biggest headaches for people has been how to avoid the decline in analytics data that a consent banner brings.
    There are two main cookie-less analytics systems that sites are using at the moment. Piwik (piwik.org) is an open source system and requires set up on servers. eVisit Analyst is a cookie-less externally hosted system: http://www.evisitanalyst.com
    Now is not the time to ignore the regulations but a time to get websites compliant to protect the privacy of their web visitors.

  • chronicler_Isiah

    I agree with Jon Wallace (the author of the previous comment). The directive is quite clear in that users must be given the choice to consent to accepting cookies. Education on a site’s use of cookies (as you advocate in your article) is all fine and dandy, but as I understand it is not complying with the law as it’s written.

    Whatever the ICO says and does to comply isn’t the template for how anybody else should comply. As they say themselves, they don’t even know what proper compliance looks like anyway.

    The whole thing is a shambles!

    For me a simple pop-up with tick box “Yes I accept cookies from this site” plus an extensive cookie explanation within a Privacy and Cookie policy seems the basis for sensible compliance. There are lots of ready-made scripts on the interwebs for webmasters to use to help with these pop-up panels (and to ensure Google Analytics does not set a cookie until compliance is given).

    If indeed this turns out to be too belt-and-braces, then the pop-up will go after a few months.

    The truth is that until someone is taken to court then we will not get a clear legal precedent to follow in what to do or implement to be fully compliant.

    I also think that as a caveat to your article you should clearly state that you are not a legal site and that what you are saying here does not constitute proper legal advice (just in case someone cites your advice in court *wink wink* ).

    Cheers
    I

    • http://boagworld.com/ Paul Boag

      Actually it is not true to say you need to ask users to actively accept cookies. It’s not that simple. Check out my article from January (http://boagworld.com/news/do-you-need-to-worry-about-the-cookie-crisis/). The ICO have released some guidelines that make it clear that a clearly placed Privacy and Cookies page can be enough in some circumstances.

    • http://twitter.com/snapey Mark Snape

      And how is it that we can record the fact that someone says no to cookies? Not with a cookie.
      Every page load is going to ask the same question, and if the visitor bothers to stick around they are going to realise that the only way to get rid of the popup is to say Yes to cookies.

      The alternative is to try and avoid using cookies until the visitor needs to interact with the site in some way – and then present the option to accept cookies or not perform the function

      I can see this meaning things like greyed out ‘Like’ buttons that only become active after the visitor clicks on them and accepts the site’s policies.

  • http://twitter.com/dubbs2009 Jon Wallace

    Oliver – I agree, I can’t see Google creating a cookie less version of GA for EU region – it’s just not worth it for them – a massive business opportunity for a fab free cookie-less Analytics tool has arisen here… I will take a look into those you mention. Facebook and Twitter will also not budge and create cookie-less LIKE and TWEET buttons – again, it’s not worth the effort I am sure. It’s a shame we are being penalised here for being in the EU and other areas of the globe can continue as before…

    • http://boagworld.com/ Paul Boag

      I don’t think we need to move away from Google Analytics. I am not going to and we are not advising our clients to. The guidelines don’t seem to identify that as a requirement and the legislation is not targeting that anyway. Everybody is over reacting to this. Wait and see. If you are deemed to be in contravention you will be warned. They are not going to suddenly start dragging people to court.
      Cheers,
      Paul

      Paul Boag [ Web Guy, Writer, Speaker and Polymath ]
      W: boagworld.com (http://boagworld.com)
      T: @boagworld (http://twitter.com/boagworld)
      M: 07760 123 120

      • http://twitter.com/dubbs2009 Jon Wallace

        Paul, and others – Have you had a look at the stuff Silktide have been putting out (they are anti the law but have taken steps to cover themselves and offer a great cookie consent tool to help cover others) – http://silktide.com/cookielaw -> I personally follow their approach here and think that Analytics is not a vital cookie for a website – it does not store sinister info, but until the ICO or someone who governs this states what is and what is not acceptable within the boundaries of this legislation I and I imagine many others will err on the side of caution. As I said in an earlier post – I am very keen to see who the ICO target first and what approach they take on the almost inevitable use of GA that site will use…

  • http://twitter.com/_Scruffian Peter B

    Looks like sound advice on the whole. One thing that does concern me, though, is the use of Facebook ‘like’ buttons – if the user is logged into Fb just loading the page is enough for Fb to know where you have been (please correct me if I’m mistaken). This is behavioural tracking of a form the user cannot reasonably be expected to be aware of, and so exactly the kind of thing the EU directive, and the ICO, want to crack down on. So in my mind, a site using like buttons should have a consent widget to be on the safe side.

    • http://boagworld.com/ Paul Boag

      I will give you that. I have some concern about this as well. It depends what users giving permission actually means in practice. We will have to wait and see.
      Cheers,
      Paul

  • http://twitter.com/dubbs2009 Jon Wallace

    Facebook Like and Twitter Tweet and indeed Google +1 sharing buttons all use IFRAMES on the parent site – they drop many cookies and do track the users movements and behaviors yep – I personally feel this is the main area where consent MUST be sought – Facebook and the like are not culpable if you serve a FB LIKE button on your site – it is your responsibility to get user consent to allow this to work and therefore the third party cookies to be used by Facebook.

    • http://twitter.com/minabird V O’Neill

      http://CookieQ.com platform manages 1st party cookies and 3rd party content like FB & Twitter.

  • http://twitter.com/adriant Adrian Tribe

    When even ICO staff are saying stuff like this:

    http://econsultancy.com/uk/blog/9610-q-a-the-ico-s-dave-evans-on-eu-cookie-law-compliance

    then I see no need to adopt headless chicken mode on this issue.

  • http://www.buswebs.co.uk/ Karl Craig-West

    Brilliant advice. I’ve been suggesting a ‘wait and see’ approach with my clients. The reason for this is so that the panic-mongering can pass and we can get down to the common-sense approach that we all need.

    How long will it take for special ‘consultants’ to pop up selling website cookie compliance services?

    • drgs100

      It’s already happening. One of our colleagues was quoted £500 – £1,000 to make a site ‘cookie compliant’. They brought the site to us and we just commented out the offending code. 

  • http://www.buswebs.co.uk/ Karl Craig-West

    Thinking about it, have I just given away a great business idea?

  • http://www.facebook.com/profile.php?id=100000119151906 Paul Kent

    Was getting worried when I saw the headline. I’ve just bought a packet of Maryland Chocolate Chip Cookies – am I in trouble? ;-)

  • cpupal

    I have started to comply with this cookie law. Add your widget and update your privacy policy.
    Take a look http://www.cpupal.co.uk 
    Ensure you add the widgets in the correct place otherwise your JS will be disabled on your website.

  • http://twitter.com/WolfSoftware Wolf Software

    We have created a complete suite of solutions both free and commercial for people who want to gain compliance via an active consent mechanism.

    http://demos.dev.wolf-software.com

  • http://www.facebook.com/lordofwark Peter Scargill

    Excellent writeup  – I’ll add this to our forum wherein we’ve collected the latest  news on the subject and hope to get a discussion going to ensure the UK government STAYS relaxed about this..

    http://forum.fsb.org.uk/showthread.php?903-Important-EU-Rules-on-COOKIES&p=1867#post1867

  • http://twitter.com/gdpwatson Gareth Watson

    Can someone provide some clarification on this for me? It has been said that it is up to us as website developers (not website owners) to provide information to our clients relating to what cookies are used on their websites. However is it up to us to provide this info to our clients and to advise them to include it on their website or should we go ahead and add this directly to the website as a matter of course? On the matter, I have always said that it is the responsibility of the client to provide their own privacy policy and to seek guidance from their own solicitors. Is this the correct approach to take? I am curious as to what others do or have done.

    • http://www.facebook.com/whitlawburncrc Whitlawburn Crc

      I am also wondering about privacy policies for the charity I work for. We currently have one (made using a template) and we can’t afford to hire lawyers to write our privacy policy for us, so is using a template still OK?

    • Luke Wilson

      As a web developer, I’m using a privacy policy from 
      http://www.openglobal.co.uk/articles/2-uncategorised/120-privacy-policy.html who state that it can be used and modified under 
      GNU/GPL licence for a link back to them. I have modified it to suit the websites I create and will enforce it on all designs I do. It’s the best I can do to make sure we all stay compliant.

  • Sergiy Lavryk

    Hm… What about Local/Session Storage, introduced in HTML5? Also violate this law?

    • http://twitter.com/aliaspooryorik John Whish

      To quote from the ICO documentation: “The Regulations apply to cookies and also to similar technologies for storing information. This could include, for example, Local Shared Objects…”

  • http://www.facebook.com/whitlawburncrc Whitlawburn Crc

    I am totally confused about all this. I work for a small community non profit here in the UK, we don’t have a user registration/login system (except staff), we use a CMS (xoops) and I have found 2 cookies that the CMS creates even for non logged in users but I have no idea what they do. We also use share buttons and disqus comments & fb like buttons. Do we really need to list every single cookie and what it does? Surely this could take ages?

  • David Mackland

    Don’t Panic Mr Mainwaring.

    Data Protection Act

    Cases received: 33,234

    Cases closed: 32,714

    Prosecutions: 9

    Enforcement notices: 15

    Freedom of Information Act

    Cases received: 3,734

    Cases closed: 4,196

    Regulatory and enforcement actions: 3

    http://www.ico.gov.uk/about_us/our_organisation/key_facts.aspx 

    Needless to say – showing some form of approach will show the ICO that you’re working towards compliance. Having a prominent Cookie policy should be taken as read.

    • silktide

      So all we need is a link to terms and conditions? What about all this “informed consent” the ICO talked about in their guidelines? How can you be sure visitors have read them?

  • http://bestpluginsforwp.com/ Adam James

    I’ve been searching for some more clarification on this, it seems that the documentation and the law itself is stupidly vague.

    This is by far the most insightful article I’ve found, and it’s put me at ease a bit so thanks for posting this!

  • http://twitter.com/dubbs2009 Jon Wallace

    How are people planning on making Video Players EU cookie law compliant? Things like YouTube can be embedded with the enhanced privacy mode – support.google.com/youtube/bin/answer.py?&answer=171780&expand=PrivacyEnhancedMode#privacy , but Vimeo seems not to have a cookie less implementation, neither JW Player or things like KickApps video player… Are people going to auto hide these before a user gives Video cookies consent??? Thoughts?

  • http://twitter.com/dubbs2009 Jon Wallace

    Interesting reading from over at .net mag – http://www.netmagazine.com/features/beginners-guide-new-cookie-law // they suggest compliance is mandatory…

  • http://twitter.com/dubbs2009 Jon Wallace

    The BBC have just rolled out their Cookie Law solution… Interesting read here – http://www.bbc.co.uk/privacy/c…  // seems more of an opt out than opt in to me?

  • http://twitter.com/AntikytheraSys Antikythera Systems

    I have been following this for several years. Simply listing cookies used does not make you compliant, unless you only use session based cookies you will need to get consent from the user before starting the process. Examples can be seen on the BT website (www.bt.com) and the ICO’s own website.

    As for Google Analytics, Google failed to respond to anything in regards to this, looking at the current news Google and the EU just don’t get on though lol. So I think a cookie less version of the analytics is not really planned.

    I’ve created my own analytics service which I offer for free on http://analytics.antikytherasystems.biz which I use for my clients to ensure they comply with the legislation.

  • http://twitter.com/aliaspooryorik John Whish

    The ICO have issued updated guidelines at: 
    http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx

    There is also a video (which requires a cookie!) on the page if you don’t want to wade through the documentation 
