Digesting the EU Cookie Legislation
Perhaps it’s been the way in which the new legislation has been communicated, but there certainly seems to be an air of confusion. At SEOgadget we’ve been doing quite a lot of work recently to better understand the directive ourselves, and also to work out how best to advise clients on the most appropriate action to take. Rather than writing a definitive ‘how to comply’ type post, I thought it would be pretty interesting to put down some thoughts on the matter, and discuss some of the more confusing aspects of the legislation.
The challenge here is that we’re advising on a legal document, and whilst we understand cookies and the part they play in websites, we’re definitely not qualified lawyers. If your clients are seriously worried about the possibility of picking up a fine, it’s probably best that they seek proper legal advice. However, the chances of receiving a fine as a first resort look pretty slim; the most likely form of punishment (if any) is a warning stating that your website does not comply, complete with details of where you’re going wrong. That being said, it looks like this is here to stay, so it’s well worth at the very least gaining a good understanding of how this could affect your or your clients’ sites.
A Brief Intro…
It’s also worth noting that although the legislation refers to ‘cookies’, it covers anything that stores and tracks user activity. To think about it more simply, it’s probably best to break it down into three areas: giving your users full information, ensuring that users give their consent to let you set cookies, and understanding which cookies can be excluded from the need to gain consent.
Even if you do decide that this is the right thing for you to do, you’ll definitely be looking at some potentially hefty development costs. I doubt this option from www.bt.com was cheap:
So what can be excluded and what can’t? The official line from the legislation states that cookies deemed ‘strictly necessary’ can be excluded from the need to ask for consent. In this case, ‘strictly necessary’ means necessary from the user’s perspective and not the service provider. The classic example that’s being thrown around is the use of a cookie to place and keep products in a shopping basket; the user needs that cookie to complete his or her journey through your website.
But what about analytics cookies; whilst absolutely essential from the website’s perspective – can they really be seen as ‘strictly essential’ from the user’s point of view? Does the fact that analytics provide you with the information from which you can improve your service count for anything? The problem here is that there seems to be a lack of black and white instructions, almost leaving service providers to interpret. It seems that even the UK government’s digital cabinet are getting confused (nice spot Hobo!):
“Even more importantly, analytics are essential to our “continual improvement” approach to developing digital public services, which is critical to delivering the government’s digital by default agenda.”
What can you start to do?
Right or wrong, the legislation is officially going to be enforced as of the 26th May 2012, meaning websites in the UK have a little under two months left to start preparing. Whilst not enough time for the majority of sites to become compliant or even work out how to do so, there are definitely some things that you can do to start heading in the right direction. These steps may not get your websites to fully comply, but they will at least show some good intent:
Step One – Run an Audit
The very first step is to find out what cookies your website is setting, and what purpose they fulfil. Running a cookie audit should be a relatively simple process, and whilst there are some attempts at ‘cookie crawling’ software out there, the best way I found to do it was simply navigating round the website collecting cookies via your browser – in exactly the same way that your website sets cookies to track your users. Once you’ve got a list of cookies that your website’s setting you’ll need to identify the following for each one:
- Who actually sets the cookie – First Party or Third Party?
- When does the cookie expire – is it a session or persistent cookie?
- The purpose of each cookie
- How intrusive is each cookie – moderately or minimally intrusive?
- Is the cookie ‘strictly necessary’?
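The first two items in that list (who sets the cookie, and whether it is a session or persistent cookie) can be read straight off the Set-Cookie headers you collect while navigating the site. The script below is an added example, not code from the original post or from SEOgadget: it parses captured Set-Cookie headers, classifies each cookie as first or third party by comparing its effective domain with the audited site, classifies it as session, persistent or expired from Max-Age/Expires (Max-Age takes precedence, as browsers apply it), and leaves purpose and ‘strictly necessary’ as fields to fill in by hand. The site name, response hosts, cookie names and values are all constructed for the example, and the two-label “registrable domain” check is a simplification (a real audit should use the Public Suffix List so that suffixes like co.uk are handled correctly).

```python
"""Added example (not from the original post): helper for the Step One cookie audit.
Hostnames, cookie names and values are constructed; 'now' is fixed for reproducibility."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

AUDITED_SITE = "www.example.com"                       # assumption: the site being audited
NOW = datetime(2021, 6, 2, 10, 18, 14, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed capture: (host that sent the response, raw Set-Cookie header value).
SAMPLE_CAPTURE = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "basket=item42; Domain=.example.com; Path=/; "
                        "Expires=Wed, 09 Jun 2021 10:18:14 GMT"),
    ("tracker.adnetwork.example", "_uid=9f3c; Domain=.adnetwork.example; Max-Age=63072000"),
    ("www.example.com", "legacy=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"),
]


@dataclass
class CookieRecord:
    name: str
    setter_host: str                 # host of the response that set the cookie
    domain: str                      # effective Domain attribute, or the setter host
    party: str                       # "first" or "third"
    lifetime: str                    # "session", "persistent" or "expired"
    expires_in_days: Optional[float]
    secure: bool
    http_only: bool
    purpose: str = "TODO: document"            # filled in by hand during the audit
    strictly_necessary: Optional[bool] = None  # judged from the user's perspective


def _registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification; use the Public Suffix List for real)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, setter_host: str,
                     site: str = AUDITED_SITE, now: datetime = NOW) -> CookieRecord:
    """Classify one Set-Cookie header by party and lifetime."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs, flags = {}, set()
    for part in parts[1:]:
        if "=" in part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        elif part:
            flags.add(part.lower())            # bare attributes such as Secure / HttpOnly

    domain = attrs.get("domain", setter_host).lstrip(".").lower()
    party = "first" if _registrable_domain(domain) == _registrable_domain(site) else "third"

    expires_in_days: Optional[float] = None
    if "max-age" in attrs:                     # Max-Age wins over Expires (RFC 6265)
        try:
            expires_in_days = int(attrs["max-age"]) / 86400
        except ValueError:
            pass                               # malformed Max-Age is ignored, as browsers do
    elif "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            expires_in_days = (exp - now).total_seconds() / 86400
        except (TypeError, ValueError):
            pass                               # unparseable Expires: treated as a session cookie

    if expires_in_days is None:
        lifetime = "session"
    elif expires_in_days <= 0:
        lifetime = "expired"                   # the response is deleting the cookie
    else:
        lifetime = "persistent"

    return CookieRecord(name=name.strip(), setter_host=setter_host, domain=domain,
                        party=party, lifetime=lifetime, expires_in_days=expires_in_days,
                        secure="secure" in flags, http_only="httponly" in flags)


def audit(capture, site: str = AUDITED_SITE, now: datetime = NOW) -> list:
    """Classify every (setter_host, header) pair in a capture."""
    return [parse_set_cookie(h, host, site, now) for host, h in capture]


def summarise(records) -> dict:
    """Headline counts per (party, lifetime) for the audit write-up."""
    counts: dict = {}
    for r in records:
        key = f"{r.party}-party {r.lifetime}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    records = audit(SAMPLE_CAPTURE)
    for rec in records:
        print(f"{rec.name:10} {rec.party}-party {rec.lifetime:10} domain={rec.domain} "
              f"secure={rec.secure} httponly={rec.http_only}")
    print(summarise(records))
```

Feed it the Set-Cookie headers from your browser’s network tab or a proxy log and you get the party and lifetime columns of the audit table for free; the purpose, intrusiveness and ‘strictly necessary’ columns still need a human who knows what each cookie is for. The Secure and HttpOnly flags are recorded alongside because they fall out of the same parse and are worth noting when you are already cataloguing every cookie.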
Step Three – Tackling User Consent
If you’ve worked out what cookies your site sets, planned how best to provide information to your users, and figured out what cookies can be excluded by being deemed as ‘strictly necessary’, the next hurdle is the issue of user consent. If your site is still using cookies that can’t be deemed as ‘strictly necessary’, in order to comply with the legislation you’re unfortunately going to have to think about gaining consent for setting cookies.
The risks of getting this wrong are pretty scary to say the least. If your users opt out then you could risk having a website with limited functionality. By freaking people out with a formal message you also stand the risk of sending your hard earned traffic into the arms of a non-compliant competitor. Not good. Until big UK websites start asking for consent and average Joe gets used to selecting the ‘yes’ box, it’s very hard to recommend a decent option. Until this happens we’re likely to witness a big game of chicken, with everyone waiting for their competitors to take the first move.
As far as a practical recommendation goes, the best thing to do is to start thinking about how you might go about asking for user consent, and possibly A/B testing a few options to see what the data says. Whatever happens, it’s definitely going to be an interesting couple of months and it’ll certainly be very interesting to see how users react when more sites implement their changes.
With the 26th May drawing closer there’s plenty of opinion flying around as to whether or not this is fair. What do I think? I actually agree with the principle of helping people understand what role cookies play in the functionality of websites, and how cookies track and store information from user activity. Giving users more information on cookie usage? Cool. Educating them on how to disable/remove cookies in their browser? Sure. Forcing potentially expensive updates on UK websites at a time when business is tough enough as it is? Not so cool.
*update from the ICO*
Even though I only wrote this post a couple of days ago, it already warrants an update. Thankfully the post above is still relevant but I thought the information below should be added:
Last night I attended the WAW meetup in London, which featured a session from David Evans from the ICO giving a pretty open talk about their approach to regulating the legislation. Unfortunately I didn’t come away with the missing piece of the puzzle, and it definitely seems that they’re still working out how to deal with this themselves. To summarise the attitude he put across in the presentation: it’s definitely a relaxed one, where immediately dishing out big fines on the 27th May is just “not going to happen”.
He also mentioned that they’re investigating ways in which implied consent could be a good fit for some websites, rather than a one size fits all approach to asking for consent. All in all, more contradictions but there certainly appears to be an understanding that this is not easy to implement, with favour going towards websites that are being seen to do ‘something’.