Do you need to worry about the cookie crisis?

Paul Boag

The European Union has introduced legislation over the use of cookies on websites. Recent guidelines help clarify what this means for your site.

Back in March I wrote about the upcoming European Union legislation on the use of cookies. Since then there has been panic and scaremongering. There have been claims that we can no longer use analytic tools or cookies without the use of intrusive popup permission boxes.

Even in my original post I pointed out that this was unlikely. However, we now have some clarification. The EU has released some guidelines on how the legislation will be implemented (PDF download).

As somebody recently pointed out on a mailing list I subscribe to, the guidelines aren’t going to win any ‘plain English’ awards. I therefore thought a summary of some key points might help.

First, let’s look at what steps you need to take.

What you need to do

Fortunately there is little that you need to do. Begin by ascertaining what cookies (if any) you use on your website and what they do.

There are two things in particular to look out for. First, do you store information on individuals in cookies and, if so, what information? Second, is the cookie set by your own server or by someone else’s? This second point is important because it is third party cookies which the legislation is designed to stop. Fortunately, unless you are using advertising on your site, you are probably safe.
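One way to run the audit described above, as an added example that is not part of the original post: it takes the Set-Cookie headers captured while browsing a site and records, for each cookie, who set it, whether it is first or third party, and whether it persists. The hosts, cookie names and values are constructed, and the suffix-match test for "first party" is a simplifying assumption.

```javascript
// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair = '', ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no name=value pair: nothing to audit
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// First party = set by the site's own domain or a subdomain (assumed: plain suffix match).
function isFirstParty(siteDomain, setterHost) {
  return setterHost === siteDomain || setterHost.endsWith('.' + siteDomain);
}

// Build one audit row per cookie; what each cookie is for still needs a human answer.
function auditCookies(siteDomain, responses) {
  const rows = [];
  for (const { url, setCookie } of responses) {
    const setBy = new URL(url).hostname;
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      if (!c) continue;
      rows.push({
        name: c.name, setBy,
        party: isFirstParty(siteDomain, setBy) ? 'first' : 'third',
        persistent: 'expires' in c.attrs || 'max-age' in c.attrs,
        looksPersonal: /@|%40/i.test(c.value), // crude hint: e-mail-like value
      });
    }
  }
  return rows;
}

// Constructed sample responses (reserved example domains, made-up values).
const SAMPLE = [
  { url: 'https://www.example.com/', setCookie: [
    'sessionid=abc123; Path=/; HttpOnly; Secure',
    'visitor=jane%40example.org; Max-Age=31536000; Path=/'] },
  { url: 'https://stats.example.com/collect', setCookie: [
    '_an=1.2.111; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/'] },
  { url: 'https://ads.example.net/pixel.gif', setCookie: [
    'uid=9f8e7d; Max-Age=63072000; Domain=example.net; Path=/'] },
];
console.table(auditCookies('example.com', SAMPLE));
```

The rows marked `third` or `looksPersonal` are the ones to look at first when deciding what to tell users.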

Once you have done an audit of the cookies, inform the user about their use. How you should do this will vary depending on the type of cookies you use and information collected.

An example of how cookie notifications could be displayed

The guidelines suggest a number of ways consent can be given, none of which strike me as particularly onerous. In fact, in many cases the guidelines seem to suggest that a simple link to a page containing cookie information would be enough.

What about analytics?

For many the biggest concern this legislation brought was that it would prevent the use of analytics. This is not the case.

On the last page of the guidelines they directly address the question of analytics. They write:

Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

In short, as long as you tell the user that you are using analytics, you are in no serious danger.

How is the legislation going to be enforced?

Like all guidelines, these are open to interpretation, and this creates fear of not complying correctly. However, failure to comply is not going to lead to automatic prosecution.

According to the guidelines, the initial step is to inform you that you are in breach of the regulations. This can lead on to an enforcement notice which compels you to make changes. Only if you ignore all of this do you face a possible monetary fine.

The disclaimer

Obviously, I am not an expert in EU law and, like the rest of you, I am trying to navigate my way through all of this. However, from what I have read so far, this really isn’t turning into the doomsday scenario some have suggested.