EU Cookie Law

On May 26th 2011 a new EU cookie law came into effect. The new law states that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store most cookies on users’ computers.

The Information Commissioner’s Office has given organisations and businesses up to 12 months to ‘get their house in order’ before enforcement of this law begins.

What are cookies?

Cookies are little files that almost all websites use as a kind of memory. They are stored in your browser and enable a site to remember little bits of information between pages or visits. This is often used to store a user’s preferences.

Who is in charge of this?

The DCMS (Department for Culture, Media and Sport) are the legislators: they write and pass laws.
The ICO (Information Commissioner’s Office) are the regulators: they police and enforce the laws. The ICO is obliged to investigate any complaints it gets about the use of non-compliant cookies.

Are all cookies affected?

According to the legislation the vast majority are: all cookies that are not "strictly necessary for a service requested by a user". The law allows an exception for "strictly necessary" cookies, such as those used to remember when something has been added to a shopping basket. The user would implicitly expect these cookies to be set in order for the action they requested to be carried out. Another example would be login.

How do I comply with the new law?

The ICO has issued some guidance on how to comply (http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf). This can be summed up as:

  • Find out what cookies you are using on your site.
  • Work out which cookies you need to obtain consent for (there are some exceptions).
  • Build a process of obtaining consent into your website.

The ICO have implemented a bar at the top of their website (http://www.ico.gov.uk) which allows people to consent to cookie use.

Can I still use Google Analytics?

Google Analytics uses cookies to track user behaviour, so you need to obtain users’ consent before using it. There are systems that have been developed to obtain consent before Google Analytics is used on a site (http://cookies.dev.wolf-software.com/).

However, when the ICO changed their website in order for it to conform to the requirements, it resulted in a 90% drop in analytic data gathered!

Google have only made one comment so far, on their Web Analytics TV: http://www.youtube.com/watch?v=4sa7eWQy5r4&feature=player_embedded
Basically they said they are working with European governments to come up with a solution.

Until May 2012…

Until May 2012 the ICO will be satisfied if your business is preparing for a change in the law on website cookie usage. In order to comply you would need to:

  • Conduct an audit of cookie usage on your website. Detail how each cookie is being used by the website and when it expires. Ensure you note any cookie usage connected with third party advertisements, as these will be the highest concern to the law makers.
  • Make sure you have a website privacy/cookie statement, which includes details of cookie usage.
  • Make sure your privacy/cookie statement explains in plain English what a cookie actually is.
  • Provide instructions on how to switch on web browser cookie screening, including all the major web browsers.
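
The cookie audit in the first step can start from the Set-Cookie headers your pages trigger. The following is an added example, not part of the original post or of any ICO guidance: it turns captured headers into audit rows showing lifetime, expiry, third-party origin and whether consent is needed. The site name, the cookie names, the captured headers and the "strictly necessary" allowlist are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SITE = "shop.example"                       # constructed first-party site name
STRICTLY_NECESSARY = {"basket", "session"}  # assumption: cookies you have judged exempt

# Constructed sample: (host that sent the response, raw Set-Cookie header value)
CAPTURED = [
    ("shop.example", "basket=3f9a; Path=/; HttpOnly"),
    ("shop.example", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("ads.tracker.example", "uid=77c1; Expires=Wed, 26 May 2021 10:00:00 GMT; Path=/"),
]

def parse_set_cookie(host, header, now):
    """Build one audit row from a single Set-Cookie header value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    attr = {}
    for a in attrs:
        key, _, value = a.partition("=")
        attr[key.strip().lower()] = value.strip()
    expires = None                          # no expiry attribute means a session cookie
    if "max-age" in attr:                   # Max-Age takes precedence over Expires
        expires = now + timedelta(seconds=int(attr["max-age"]))
    elif "expires" in attr:
        expires = parsedate_to_datetime(attr["expires"])
    third_party = not (host == SITE or host.endswith("." + SITE))
    return {
        "name": name,
        "set_by": host,
        "lifetime": "session" if expires is None else "persistent",
        "expires": expires.isoformat() if expires else None,
        "third_party": third_party,
        # Consent is needed unless the cookie is first-party and on the allowlist.
        "needs_consent": third_party or name not in STRICTLY_NECESSARY,
    }

def audit(captured, now=None):
    """Return audit rows for every captured (host, Set-Cookie) pair."""
    now = now or datetime.now(timezone.utc)
    return [parse_set_cookie(host, header, now) for host, header in captured]

if __name__ == "__main__":
    for row in audit(CAPTURED):
        print(row)
```

The rows still need a human-written "how it is used" column before they go into the privacy/cookie statement; the script only records what the headers themselves reveal.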

After May 2012

After May 2012 the ICO will start enforcing the law. Nobody really knows what this means yet.

Essentially the next step is to wait until there is a further announcement by the UK government. It will be worth keeping an eye on government websites such as www.direct.gov.uk, or organisations such as the BBC (www.bbc.co.uk), to see how they react.
