Making sense of the Cookie Law!

In 2011 a new European e-Privacy directive came into law dictating how websites can use “cookies” to track what a user does on the Internet. In essence it affects every website owner in Europe, but the lack of action by almost every major website to comply with the directive, and ambiguity in the law itself, are leading to mass confusion and even profiteering by some companies offering overpriced “cookie audits”.

To help bring some clarification to the “cookie law”, here’s The Design Mechanics’ guide to what the law means to you.

1. OK – what are cookies anyway?

Cookies are small text files that a browser saves to your computer when you visit a website. Every time you visit Google, Amazon and every major commercial website, new cookies will be added to your computer so that website can remember you. For the most part, they are completely harmless and downright useful. How does a shopping site remember what you have put into your basket before you reach the checkout? How come you don’t have to log in to Facebook every time you visit it? Because the website remembers you by storing information in a cookie.

Although cookies can’t contain viruses, it’s this remembering of your behaviour on the Internet that has caused unease among some Internet users. Have you ever searched for something on Google, only to then start seeing adverts for what you were searching for on other websites? This isn’t a coincidence; it’s because cookies are remembering your activity – usually without you being aware.

2. What is the new “cookie law” I keep hearing about?

The “cookie law” is part of the European e-Privacy directive and became law in this country in May 2011. However, the UK government deferred the law by one year, saying that they needed to find a “business-friendly” solution to implementing it. As yet, this “business-friendly” solution has not appeared, leaving ambiguity in both the web-design and business communities.

The law says that a website should explicitly obtain the permission of a visitor to save any cookie on their computer that isn’t “strictly necessary for a service requested by a user”. So for instance, a website that needs to use a cookie to remember what’s in your virtual shopping basket while you navigate around an e-commerce site doesn’t need to gain your permission. A website that remembers if you are logged in or not, tracks your behaviour or plugs into social networking sites needs to tell you it is doing this and ask you to confirm it is OK – most likely by presenting you with a pop-up that you need to confirm when visiting a website, or a landing page that asks you to give your permission before entering.

Ironically, for a website to then remember if you have given your permission or not, it would have to use a cookie – meaning if you do not give your permission then the site has no way of saving this information and would have to ask you every time you visited!

3. Does my website use cookies?

If you ordered a standard website from The Design Mechanics, then it is very unlikely that it will use cookies. The only cases where we may have used cookies are if you asked for Google Analytics to be installed (which tracks visitors to your site), if you asked for a Facebook or other social media plug-in, or if you have an e-commerce site, which only uses cookies for remembering a user’s ordering data and so does not fall under the cookie law.

If you didn’t order your website from us then you need to talk to your web design company to be completely certain.

4. I’ve received a letter / email saying that my website may be breaking the law – what should I do?

Most likely it will be a web design company or consultancy “fishing” for business by using scare tactics or profiteering by trying to sell you a “cookie audit”. At worst it may be a scam by a company looking to get access to your server – remember, never hand over your website, email or FTP details to a third-party company that you do not know and trust explicitly.

As yet, no action has been taken against website owners, so any “official” letter purporting to be from the police, Nominet, the government or your Internet service provider saying your website is breaking the law is almost certainly a scam or hoax.

5. So how do I comply with the law – should I even bother?

If your website does use cookies that are not explicitly necessary for your website to operate (such as to track behaviour, make money from online advertising etc.), then to comply with the law you need to gain visitors’ permission to use cookie technology. How you gain this permission is open to some interpretation, but it cannot be “implied permission” – so a user has to actually click on something saying “yes – you may save a cookie on my computer” before they can use your site or cookies can be enabled.

An example of this can be seen on the website of the government’s own Information Commissioner’s Office here: ico.org.uk – not really what people want to put on their websites! Unfortunately, this has been introduced as a blanket law against all non-essential cookies, so even harmless cookies, such as those used by Google Analytics to monitor how many people visit your website, or by a website to remember your preferences from visit to visit, have also been outlawed without explicit permission.

It is unlikely that this law will simply disappear, but many people think that in its current form it is unworkable. The government’s own admission that a more business-friendly solution needed to be found has only added to the uncertainty. Combined with the fact that, as yet, the only people to have complied with the law are the ICO’s office and people selling cookie audits, it is safe to assume that if you are a normal business, and your website is just an online “brochure” of your services, then this directive is not aimed at you. It is aimed at websites that collect, in bulk, information on where people go on the Internet and use this to target adverts and services at them based on their online behaviour.

David Evans, group manager of the Information Commissioner’s Office, has already said that they don’t initially intend to go after companies whose websites don’t comply with the law, but rather will investigate companies that they have received complaints against. However, when the first high-profile cases are brought against Google, Facebook, Amazon and the like to try and make them comply with the law, it will be worth sitting up, listening to the outcome and evaluating whether it affects your business.