Written by Sean McManus on 12 July 2012
When a government department asked website visitors to opt in to receive an analytics cookie, most visitors said: “Thanks, but no thanks.” The site’s measured traffic fell by 90%. What scared most web designers was the prospect that they would soon suffer the same fate.
The department was the Information Commissioner’s Office (ICO), and it had introduced the opt-in to comply with the new “cookie law” (the Privacy and Electronic Communications (EC Directive) Regulations 2003), which it is responsible for enforcing. The aim of the law is to stop people being profiled online without their knowledge, and it requires websites to seek permission before setting cookies. Cookies are simple text files stored on a user’s device so that a website can recognise that user, and they are used particularly for advertising and analytics. Web designers panicked that they would have to get visitors to opt in before they could set any cookies, but the ICO’s own experience showed how devastating that could be.
For simplicity’s sake, the ICO talks only about cookies, but it uses the term to mean any form of local storage. Under the new law, websites using cookies must:
- Tell visitors the cookies are there;
- Explain what the cookies are doing; and
- Obtain visitors’ consent to store a cookie on their devices.
There is (and always has been) an exception where a cookie is strictly necessary to perform an action a user has requested, such as operating a shopping cart. But analytics and advertising cookies don’t fall under that exception, however vital they might be to the website owner.
The ICO recommends websites take a three-step approach: first, audit your site to work out what cookies it uses; then assess how intrusive those cookies are; and finally decide on a solution to obtain consent where you need it.
Search and social media agency DBD Media offers a cookie audit service. Axelle Ros, Conversion Analytics Consultant, says: “Most sites use a variety of cookies, and it is not unusual to find a website with over 500 cookies. We found throughout our audits that cookies required by web design features (such as session cookies or online shopping carts) represent at most one out of 10 cookies across an entire website. We’ve seen a few instances of obsolete cookies. These are generally caused by tag-based tools which have been trialled or tested on the website and later discontinued without removing the tags.”
So what’s the bare minimum you can do to comply? “That’s up for a lot of debate,” says Chris Saunders, a solicitor at legal firm Mundays. “I can’t tell you what the minimum is. I can tell you what the belt and braces approach is, which is to fully inform your end user about all the cookies you’re using, and about how they’re going to be used, and to ensure that no cookies are placed on the computer before you obtain their active consent.”
What happens if you don’t comply? “There are a range of sanctions which include orders forcing a company to do something, or refrain from doing something, and fines up to £500,000,” says Edward Coxall, Partner at Mayo Wynne Baxter solicitors. “Yet the ICO does have discretion and has indicated that no enforcement action will be taken as long as companies can demonstrate they are taking steps to comply, starting with an audit of the cookies they actually use.”
“I don’t think the consequences are that severe,” says Kathryn Wynn, a senior associate at legal firm Pinsent Masons. She adds that cookies are unlikely to cause the substantial harm required to justify a fine. “The risk is that you get investigated by the ICO and then have to quickly change what you’re doing. The ICO has said it is going to target enforcement, so if your organisation is not a household name and you’re not using intrusive cookies, the risk of enforcement is low.”
Chris Saunders adds: “Whether someone complains about you is the big issue. I don’t think the ICO will go out looking for people to impose this regulation on, but I think they will be hard on people who are blatantly ignoring it.”
To get started with compliance, download the ICO’s 31-page cookies guidance.
About the author: Sean McManus is the author of the bestselling book Web Design in Easy Steps.