Taking Care over Cookies

All posts in Guides, 6 min read, 11th May 2012
Simon R Jones
Simon R Jones
On May 26th 2012 the EU Cookie Law comes into force, requiring that all European-based organisations inform their users of cookies used on their websites and in some circumstances gain consent before doing so. However, the exact interpretation of how this is achieved is in much debate.

[Read an update on this story at EU Cookie Law – Keep Calm an Carry on]

On May 26th 2012 the EU Cookie Law comes into force, requiring that all European-based organisations inform their users of cookies used on their websites and in some circumstances gain consent before doing so. However, the exact interpretation of how this is achieved is in much debate. While this is something website owners need to take seriously, it’s not all bad news and in this post we try to summarise the current state of the law and what you need to do.

Where has this come from?

In May 2011 the UK introduced amendments to the Privacy and Electronic Communications Regulations (PECR) which came from EU law. The intention of this law is to protect user privacy and to raise awareness of how data is stored from websites on their computers. While there are a few different ways to store user data, cookies are by far the most prevalent.

Cookies are small pieces of data stored on your computer that help websites identify you as a user. Often they are used for storing preferences, tracking data across the website (such as a shopping cart) or identifying you as a logged-in user.

The reason this has become more important is the growth of third party cookies; these are cookies set from external sites such as analytics, social media and advertising companies. When used widely on many websites these cookies have the capability of tracking what you do across the web. Not something that’s very condusive to personal privacy.

The BBC recently reported there are an average of 14 cookies tracking your activity on most popular websites, 68% are from third-party services. This is why the EU have brought in the so-called EU cookie law, to give consumers the power of choice which they don’t really currently have. The problem is how to implement this.

What the law says

The UK law, PECR, is unsurpisingly not very well written and contains ambiguous references to how the EU cookie law should be implemented.

The Information Commissioner’s Office (ICO) who will be responsible for policing this law in the UK have released some helpful information. In December they released a PDF guide and they have a page on the PECR rules which will likely be updated in the coming months as the industry finds suitable solutions to this law.

In summary ICO state you need to:

  • Tell users that cookies are used on your site
  • Explain to the user what these cookies do
  • Ask the user for constent before you store a cookie on their computer/device

It is asking for consent that has caused the most controversy. Taken at face value, this would mean intrusive popups or warning messages at the top of a website asking the user to confirm their cookie preferences before they use your website. Although some sites are taking this approach, it’s not pretty and is far more likely to deter your users than actually inform them of their privacy rights.

Cookies that are required for the essential working of your website do not need prior consent, but you should still clearly communicate to your users what these cookies are. Anything else, technically needs consent.

Many people are also worried about analytics services, such as Google Analytics. If you ask users for consent before setting an analytics cookie, you effectively render that service useless. When ICO started to ask for consent for cookies on their own site they lost 90% of their analytics data.

Without analytics most business owners reasonably claim they will loose essential website information and will be unable to develop their website and respond to user needs. At present the guidelines are murky here, though the Government Digital Service wrote recently that analytics cookies are considered “minimally intrusive” and are unlikely to be the focus of any regulatory action.

So what can I do?

We recommend the following course of action:

  • Audit your cookies
  • Inform your users
  • Look at ways to gain consent for non-essential cookies

Although we should point out we’re not lawyers. The following is just advice, you need to weigh up the risks for your own business.

Audit your cookies

Conduct an audit of the cookies used on your website, and if you find any you don’t need remove them! If you have the Web Developer Toolbar for Firefox this is easily done via Cookies -> View Cookie Information to give you a clear breakdown of all cookies used on any web page you visit.

Inform your users

Once you know what cookies you have, you need to inform your users. You need a clearly linked page on your website, ideally near the top of the page (not hidden away in a privacy page). A good example of a link label would be “About Cookies” or “Cookies and Privacy”.

Cookies come in different flavours:

  • Session cookies – set by your website and have a short lifetime, usually used for site functionality
  • Persistant cookies – set by your website with a long lifetime, usually used for identifying users
  • Third-party cookies – set by an external website, usually for tracking purposes

For each cookie tell your users:

  • Its name
  • The type of cookie
  • Its lifetime (session, or if persistant how long they live for)
  • What it is used for

The UK.gov beta website has a good example of a well written cookie policy.

Gaining consent

For session cookies used on your website for essential functionality you don’t need to worry about consent. For cookies used for feature enhancements you could consider adding a message to the pages where these features are used. For example, if you’re remembering a previous search query to aid the usability of your website you could state a cookie will be used so the user is clear what data is being saved.

For third-party analytics cookies at present the general consensus is it’s OK, as long as you include information on these cookies on your About Cookies page.

This may not be the case for other third-party cookies such as those used by social networking sites (think of all the social bookmarking buttons) and advertising. However, there are other ways to link to social media websites than using the generic sharing buttons which don’t use cookies.

In general though, we’d recommend avoiding popup or modal windows to ask for consent from users before cookies are set. This technique is incredibly disruptive and is a blunt weapon that is more likely to drive your users away.

Instead, make it easy for your users to find out about cookies and add additional information on how cookies are used on pages where non-essential functionality exists that depends on cookies. And wherever possible, reduce your usage of cookies where they are’t really needed.