The EU cookie law: What you need to know
What is a cookie, how is the law changing and what do you need to be aware of?
You may have noticed a lot of news recently concerning how personal data is used by large internet publishers such as Google, Apple and Facebook, for either improving service or as a pervasive and targeted tool for advertising.
There has been a huge amount of publicity about this, but buried deep in this news is a far more potent change that is already law and comes into effect within the EU (yes, which includes the UK) on 25 May 2012 – the EU cookie law.
As there has been no clear directive by the government on how best to adhere to this new law, it is important to understand the fundamentals of the policy, what the effects are for your site and what you must do to comply. To make this easier, we have broken this down into a simple Q&A:
What is the new EU cookie law?
This European directive is being driven in the UK by The Information Commissioner’s Office or ICO. On the ICO website it clearly states:
Cookies or similar tracking methods must not be used unless the subscriber or user of the relevant terminal equipment:
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
You can find out more from the ICO website.
What is a cookie?
A cookie is a piece of information in the form of a very small text file that is placed on a website user’s hard drive. The information the cookie contains is set by the website and it can be used by that website whenever the user visits.
There are a variety of different cookies. Here are a few:
Session cookie – also known as transient cookies. These are stored on the user’s computer until they leave the website, at which point they are deleted.
Stored cookie – Where the cookie is downloaded onto the hard drive and used to identify a visitor whenever they return. The lifetime of this cookie varies from website to website but 30, 60 and 90 day cookies are common.
Flash cookie – If you are viewing video or visit sites that use Adobe, there may be small files downloaded when you watch a video.
Why does a website need cookies?
The information stored in a cookie allows the website to identify you when you visit and present information accordingly. Below are some examples of cookie usage:
‘Remember me/ Keep me logged in’ – If a website has functionality available only to signed-in users it can be frustrating for them to log in every time they visit. In this situation a cookie allows the user to return to the website and be taken to their account immediately. Example: Facebook – can you imagine filling in your details every time you visit?
Preferences – Some websites allow you to set preferences on the look and feel, content you want to see and functionality you don’t need. A cookie may be used to ensure your preferences are remembered when you return (please note this is less common these days, where preferences are stored in the database rather than on your computer)
Shopping baskets and recently viewed products – An e-commerce website such as Amazon tries to make the shopping experience as easy as possible for users by storing the contents of your shopping basket and products you’ve recently viewed without you needing to be signed in so that as you browse the site you don’t lose everything you’ve done. These cookies are usually short-lived and may exist only while you’re on the website or for a few hours after you leave.
Analytics / website usage tracking – Many websites rely on analytical software to record how people arrived at the site, what they did while they were there and how and when they left. While this might sound a little ominous, the website owners are not able to identify individuals; there’s no way to know that Peter Simkins of West-Byfleet viewed How to Look Good Naked DVD boxset for example, only that an unidentified person did.
This information is used to improve a website and ensure the visitors are able to find what they need as quickly and easily as possible.
In truth, it is this type of cookie usage that has driven the push for an EU cookie law as it’s unfortunately open to abuse.
What type of cookies run on your site?
Though this may seem to be an obvious question with an obvious answer, the truth is that many site owners and publishers do not know. If they do know, they know the basics or make assumptions of what cookies are used.
The best way to determine the cookies your website creates for users is to carry out a full audit. Record cookies that are created, identify what they’re for and decide whether they’re critical to the functionality of your website. Be sure to include third party services that create cookies, such as Google AdSense, AdWords and Analytics – while you may not be responsible for creating these cookies, they are delivered via your website.
How to comply with the law
Firstly, we would like to stress that at the moment there are no official guidelines on how best to adhere to the new law – this has been left open for interpretation by individuals and their websites so the guidance provided below is based on the information currently available, is subject to change and should not be considered definitive.
Furthermore, it’s worth noting that there has not yet been confirmation as to what the penalties will be for failing to comply with the new law. Startups will bring you updates and news as and when we have them.
Asking for permission
This is essentially what everything boils down to – getting permission from the user before placing the cookie on their computer without misrepresenting its purpose or your intentions with the information that results from the cookie. So how can we ask for permission and what’s the impact likely to be?
If we use this as our guidelines there are a number of ways we can approach the problem depending on the number of cookies that your website uses. In the case of our website, Digital-clarity.com, we would be required to ask permission for Analytics tracking as soon as someone arrives at the website, so something like the solution below may be suitable:
This addresses a few problems
1. We have asked permission to add Analytics tracking cookies, explained how long they will exist for and that they cannot be used to identify the individual. We’ve provided the option to accept this cookie or reject it depending on how comfortable the user is with us collecting this data.
2. In the opening line we are linking ‘cookies’ to the corresponding Wikipedia page, should the visitor be unsure of what a cookie is.
3. To remember what the user has selected we must add a cookie (catch 22!) – but if they are not happy with this we give a final option to close the box.
Of course the issue with this is the box will appear on every page that the user visits – hardly ideal.
Now that’s probably not the most aesthetically pleasing way of solving the problem, but it gives you an idea of what is possible and this method should be suitable for one or two different cookies, but what if you need to ask permission for more – very likely if you run an e-commerce or service-based website.
In this example, we have managed to ask for permission, explain what each cookie/set of cookies is for and given the user the ability to choose between them or choose none of them – meeting all requirements the EU cookie law sets out.
Take note of the wording used in both examples above – you’re asking the user for something so it’s important to be nice about it and make it clear they have a choice. A formal tone of voice with little explanation of what they are able to choose is likely to put people off.
Disclaimer: We have no knowledge of which software Amazon.co.uk uses, which partners it works with or which cookies it may use – this should act only as a visual example and is not specific to Amazon.co.uk
Do I have to explain each cookie?
While you must provide information on all cookies you wish to create it is not necessary to do so next to a request of permission – linking to a privacy notice that includes the information is also acceptable. However, we do not believe this to be as effective and by hiding the information on another page you are making the visitor work – remember you want something from them not the other way around. It’s much easier to click ‘No’ then go and search for an explanation on another page.
The ICO has suggested that cookies vital to the correct operation of your website may not need prior permission before being added to a user’s computer, however this is not confirmed. Those that may fall under this category are shopping basket cookies, where the visitor must be able to store their items in a basket as they navigate through the website.
How big an impact will this have?
It’s fair to say that when given the choice many people would rather not allow you to collect data on their activities and so we must inevitably accept that there will be reduction in the amount of data available through your analytics package and all other third party tools. The ICO itself implemented a similar permission-based technique as explored in the above screenshots and the result was a 90% drop in visitors being tracked by Google Analytics – that’s nine in 10 who declined the cookie.
If you run a website that provides a service or sells products, the impact of this is potentially massive. As marketers as well as business owners, we rely on this data to make educated decisions on how to improve the website and to refine the conversion funnel to grow sales. With a 90% reduction in available data these decisions will be far from informed.
We must therefore make the permission process as effective as possible to drive the 10% of opt-ins up as high as we can.
What can I do in the short term?
Carry out an audit to identify all of the cookies that may be added to the computer of a visitor to your website, whether they are created by you or a third party such as an ad network. Where possible, you should stop these being created or limit their creation to only when they’re strictly necessary.
Where a cookie is required to allow you to achieve your business goals you must ask permission to add them, even cookies vital to the operation of your website – at least until the ICO can bring some clarification on the matter.
We would also recommend keeping up to date with the ICO and any announcements it makes which may offer more official guidance on the subject. You can find them at http://www.ico.gov.uk/.
To summarise, at the moment there’s no clear directive on the best way to comply with the new law so everyone’s in the dark, to a degree. It’s worth keeping an eye on the big online retailers and website publishers to see what they are doing. Meanwhile, stay tuned to Startups for updates and announcements as and when they happen.
Written by Reggie James and Tom Collinson of Digital Clarity, a provider of SEO services as well as search, social and analytics solutions.