How to comply with the EU cookie law

In May 2011 the EU passed a law which requires websites to ask users’ permission before placing non essential cookies on their computer.

The UK government gave a year’s grace before enforcement began on May 26th 2012.

The Information Comissioners’ Office (ICO) is responsible for enforcement.  The ICO has produced a guide to help businesses comply.

What is a cookie?

Cookies are small files placed on your computer by websites.  These are sent back to the web server each time you request a page. They are used to remember information as you navigate around the site.  Cookies are often used for tracking which pages have been accessed. If you have an account with a website cookies may be used to identify you and keep you logged in.

Websites and applications often let you change settings.  These are stored in a cookie so the site can remember your preferences.

There are two types:

  • 1st party cookies are accessible by your website alone. These are generally used to make your website function correctly
  • 3rd party cookies are set by other websites

If you embed content from other websites such as advertising networks, YouTube videos, social media widgets etc.  then your website may be setting 3rd party cookies. These cookies are  invasive to privacy.  They allow the 3rd party to track visitors across multiple websites.

What does the law say?

  • You must gain consent from your visitors before placing a cookie on their computer
  • There is an exception to this rule for cookies which are essential to a service or function a visitor requests

Examples of essential cookies include those used to remember products placed in a basket and those used to remember which visitor is logged in.

This doesn’t mean that if you don’t comply to the letter you will be prosecuted.  The ICO has said they are likely to work with websites to help them achieve compliance rather than handing out fines.

The ICO has announced they are unlikely to prioritise action against websites which place 1st party cookies for the purposes of analytics.

Where do you begin?

You should understand the cookies your website will place on a user’s computer. We can assist you with this.

If you would like your website audited for cookies get in touch.

You may find that your website uses few or no essential cookies and could be fully compliant with a content management system upgrade and/or a few tweaks.

Minimum action

To show you’re taking note of the law you should begin by identifying 3rd party cookies and remove them.  In most cases you won’t need them.

Take YouTube embedded videos.  It will place cookies on a users’ computer but it also offers a cookie free version which can be enabled with little effort.

Once you’re free of 3rd party cookies you’ve removed the worst offenders.

You should remove 1st party cookies if its simple and they aren’t essential.  However, many websites use software or content management systems which cannot be changed easily.  In these cases you can place a note or disclaimer alongside actions which result in a cookie being set.

WordPress is a good example. The current version is cookie free – except for a single cookie which is set when submitting a comment. You may include a note explaining to the user that commenting will result in a cookie being set on their computer. You can see an example of this at the bottom of this article.

You should then update your Privacy Policy to include a list of cookies your website uses, along with a brief description of that they do, and why you need them.

The BBC outline their essential cookies in their Cookie Policy. This is a good example of how to keep users informed of the cookies being set.

Complete compliance

To achieve full compliance you should remove all cookies which are not essential to the function of your website.  An essential cookie relates to a service or feature, requested by the user, which cannot function without the use of cookies.

They key point here is that the user must request the feature.  You cannot argue that Analytics cannot work without a cookie when the user has not requested to be tracked in the first place.

If you cannot remove non-essential cookies then you should give the user the choice to enable or disable cookies. The BBC show exactly how it can be done. A banner is placed at the top of the page and no cookies are set until the  user has given explicit permission by clicking a button. You can see another good example from Nominet, the UK domain name registrar.

What about Google Analytics?

The ICO has indicated they will not be prioritising legal action for websites that use 1st party cookies for analytical purposes.  Many businesses are choosing to keep Google Analytics installed.

If you give users the option to enable or disable cookies your analytics data will be skewed. The ICO reported that 90% of it’s own users chose not to enable cookies, that’s 90% of visits going un-tracked in Google Analytics.

We offer a cookie free alternative to Google Analytics called Piwik.  Piwik tracks users without cookies but can be less accurate at tracking user sessions as a result.

Still confused?

If you’re still scratching your head over the whole situation, feel free to call us and we will talk you through your next move.