Digesting the EU Cookie Legislation

5th April 2012

Perhaps it’s been the way in which the new legislation has been communicated, but there certainly seems to be an air of confusion. At SEOgadget we’ve been doing quite a lot of work recently to better understand the directive ourselves, and also to work out how best to advise clients on the most appropriate action to take. Rather than writing a definitive ‘how to comply’ type post, I thought it would be pretty interesting to put down some thoughts on the matter, and discuss some of the more confusing aspects of the legislation.

The challenge here is that we’re advising on a legal document, and whilst we understand cookies and the part they play in websites, we’re definitely not qualified lawyers. If your clients are seriously worried about the possibility of picking up a fine it’s probably best that they seek proper legal advice. However, the chances of receiving a fine as a first resort look pretty slim; the most likely form of punishment (if any) is a warning stating that your website does not comply, complete with details of where you’re going wrong. That being said, it looks like this is here to stay, so it’s well worth at the very least gaining a good understanding of how this could affect your or your clients’ sites.

A Brief Intro…

So, what the heck is all of this about? The new legislation has come about because the EU wants to ensure that internet users are made aware of how websites are storing information, and that they also have the option to opt out should they wish to do so. It does not ban the use of cookies at all; but it does put the emphasis heavily on websites to make sure that they communicate with their users and that they are transparent with their use of cookies.

It’s also worth noting that although the legislation refers to ‘cookies’, it covers anything that stores and tracks user activity. To think about it more simply, it’s probably best to break it down into three areas: giving your users full information, ensuring that users give their consent to let you set cookies, and understanding which cookies can be excluded from the need to gain consent.

User Consent

Probably the biggest problem facing websites is the issue of asking for user consent. If you’re not too worried about the implications of doing this, asking for consent to set cookies will mean that you’ll comply pretty much straight away (nearly!). But if you care about your website then you should definitely be concerned about the implications. Think about the potential here for a second: if everyone opts out and refuses to let you use cookies, what happens to your analytics data, what about the user experience, what about affiliate tracking? You can start to see the problem websites face…

Even if you do decide that this is the right thing for you to do, you’ll definitely be looking at some potentially hefty development costs. I doubt this option from www.bt.com was cheap:

[Image: cookie consent prompt on www.bt.com]


So what can be excluded and what can’t? The official line from the legislation states that cookies deemed ‘strictly necessary’ can be excluded from the need to ask for consent. In this case, ‘strictly necessary’ means necessary from the user’s perspective and not the service provider. The classic example that’s being thrown around is the use of a cookie to place and keep products in a shopping basket; the user needs that cookie to complete his or her journey through your website.

But what about analytics cookies? Whilst absolutely essential from the website’s perspective, can they really be seen as ‘strictly necessary’ from the user’s point of view? Does the fact that analytics provide you with the information from which you can improve your service count for anything? The problem here is that there seems to be a lack of black and white instructions, leaving service providers to interpret the rules themselves. It seems that even the UK government’s digital cabinet are getting confused (nice spot Hobo!):

“Even more importantly, analytics are essential to our “continual improvement” approach to developing digital public services, which is critical to delivering the government’s digital by default agenda.

The consensus was, especially in the case of first-party analytics cookies, these types of cookies are “minimally intrusive” (in line with the ICO guidance) and that the bulk of our efforts to rationalise our use of cookies should be focused on cookies classified as “moderately intrusive”.”

What can you start to do?

Right or wrong, the legislation is officially going to be enforced as of the 26th May 2012, meaning websites in the UK have a little under two months left to start preparing. Whilst not enough time for the majority of sites to become compliant or even work out how to do so, there are definitely some things that you can do to start heading in the right direction. These steps may not get your websites to fully comply, but they will at least show some good intent:

Step One – Run an Audit

The very first step is to find out what cookies your website is setting, and what purpose they fulfil. Running a cookie audit should be a relatively simple process, and whilst there are some attempts at ‘cookie crawling’ software out there, the best way I found to do it was simply navigating round the website collecting cookies via your browser – in exactly the same way that your website sets cookies to track your users. Once you’ve got a list of cookies that your website’s setting you’ll need to identify the following for each one:

- Who actually sets the cookie – first party or third party?
- When does the cookie expire – is it a session or persistent cookie?
- The purpose of each cookie
- How intrusive is each cookie – moderately or minimally intrusive?
- Is the cookie ‘strictly necessary’?

Armed with the information above you should be able to build an overview of how your site makes use of cookies, and how they affect your user experience. Even if you decide to do nothing else, then at least you’ll have a better understanding of what’s going on. Should you want to take things further you’ll now be in a better place to make some informed decisions, or start coming up with a plan on how best to comply.
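The first two questions in the audit (who sets the cookie, and whether it is a session or persistent cookie) can be answered mechanically from the Set-Cookie headers you collect while walking the site; the rest are judgement calls. The script below is an added example, not code from the original post or from SEOgadget: the captured headers, the www.shop.example site name and the audit date are constructed, and ‘first party’ is taken to mean the cookie’s effective domain domain-matches the site host under the RFC 6265 rule, so host-only cookies from a sibling subdomain are deliberately flagged as third party for review rather than silently assumed to be your own.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample capture: (host that sent the response, Set-Cookie header value).
CAPTURE_TIME = datetime(2012, 4, 5, tzinfo=timezone.utc)  # assumed date of the audit walk-through
SAMPLE_CAPTURE = [
    ("www.shop.example", "basket=7f3a; Path=/; HttpOnly"),
    ("www.shop.example", "__utma=1.2.3; Domain=.shop.example; Path=/; Expires=Sat, 05 Apr 2014 00:00:00 GMT"),
    ("ads.tracker.example", "uid=9c1d; Domain=.tracker.example; Path=/; Max-Age=31536000"),
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def domain_match(host, domain):
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def lifetime_days(attrs, now):
    """None for a session cookie; otherwise days until expiry (Max-Age takes precedence)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def audit_cookie(site_host, response_host, header, now=CAPTURE_TIME):
    """One audit row. Host-only cookies from another subdomain come out as 'third' so they get reviewed."""
    name, _, attrs = parse_set_cookie(header)
    effective_domain = attrs.get("domain") or response_host
    days = lifetime_days(attrs, now)
    return {
        "name": name,
        "set_by": effective_domain.lstrip("."),
        "party": "first" if domain_match(site_host, effective_domain) else "third",
        "lifetime": "session" if days is None else f"persistent ({days:.0f} days)",
        # Purpose, intrusiveness and 'strictly necessary' are judgement calls filled in by hand.
        "purpose": "TO REVIEW", "intrusiveness": "TO REVIEW", "strictly_necessary": "TO REVIEW",
    }

def run_audit(site_host, capture, now=CAPTURE_TIME):
    return [audit_cookie(site_host, host, header, now) for host, header in capture]
```

Running `run_audit("www.shop.example", SAMPLE_CAPTURE)` gives one row per cookie with the mechanical columns filled and the three judgement columns marked for review.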

Step Two – Update Your Privacy Policy

If you’ve put the work in to run a cookie audit then this next step is really easy. As mentioned right at the start, one of the major parts of the legislation is an emphasis on websites to provide information on what cookies they set and the function that each cookie serves. The easiest way to do this is to add a ‘cookie’ section to your privacy policy. Quite a few websites in the UK already do this, a good example here being the BBC:

[Image: BBC cookie policy page]

Interestingly enough, Econsultancy came out recently explaining the steps they’ve taken so far. If you read the post you’ll notice that the route they’ve taken has been based around providing users with a more prominent option to view their ‘cookie policy’. So far, this is definitely the most common action taken by large UK websites and one that shouldn’t be too hard to implement.

Step Three – Tackling User Consent

If you’ve worked out what cookies your site sets, planned how best to provide information to your users, and figured out what cookies can be excluded by being deemed as ‘strictly necessary’, the next hurdle is the issue of user consent. If your site is still using cookies that can’t be deemed as ‘strictly necessary’, in order to comply with the legislation you’re unfortunately going to have to think about gaining consent for setting cookies.

The risks of getting this wrong are pretty scary to say the least. If your users opt out then you could risk having a website with limited functionality. By freaking people out with a formal message you also stand the risk of sending your hard-earned traffic into the arms of a non-compliant competitor. Not good. Until big UK websites start asking for consent and average Joe gets used to selecting the ‘yes’ box, it’s very hard to recommend a decent option. Until this happens we’re likely to witness a big game of chicken, with everyone waiting for their competitors to make the first move.

As far as a practical recommendation goes, the best thing to do is to start thinking about how you might go about asking for user consent, and possibly A/B testing a few options to see what the data says. Whatever happens, it’s definitely going to be an interesting couple of months and it’ll certainly be very interesting to see how users react when more sites implement their changes.

With the 26th May drawing closer there’s plenty of opinion flying around as to whether or not this is fair. What do I think? I actually agree with the principle of helping people understand what role cookies play in the functionality of websites, and how cookies track and store information from user activity. Giving users more information on cookie usage? Cool. Educating them on how to disable/remove cookies in their browser? Sure. Forcing potentially expensive updates on UK websites at a time when business is tough enough as it is? Not so cool.

*update from the ICO*

Even though I only wrote this post a couple of days ago, it already warrants an update. Thankfully the post above is still relevant but I thought the information below should be added:

Last night I attended the WAW meetup in London, which featured a session from David Evans from the ICO giving a pretty open talk about their approach to regulating the legislation. Unfortunately I didn’t come away with the missing piece to the puzzle and it definitely seems that they’re still working out how to deal with this themselves. To summarise the attitude he put across in the presentation: it’s definitely a relaxed one, where immediately dishing out big fines on the 27th May is just “not going to happen”.

One of the interesting points for me was that he categorically stated analytics cookies are NOT exempt. However, he then went on to say that they “have better things to do than finding out who dropped an analytics cookie on his mum’s computer”. Yup – still confused! All round it would seem that they’re much more interested in intrusive cookie use, and in informing the public about how and why things such as advertising follow users around the web. His advice was to try and be as informative as possible, and updating your privacy policy is a very important step to take. One other point was that they’re definitely going to be focusing on finding websites that ‘can’t be bothered’, especially established sites that should know better. Showing that you’re doing something (updating your privacy policy) is an important step.

He also mentioned that they’re investigating ways in which implied consent could be a good fit for some websites, rather than a one size fits all approach to asking for consent. All in all, more contradictions but there certainly appears to be an understanding that this is not easy to implement, with favour going towards websites that are being seen to do ‘something’.

At the end of the day, last night’s presentation was just one man’s word. How they actually enforce this will only become clear after the 26th May. Reading between the lines, the best advice is to start running a cookie audit and updating your privacy policy accordingly.


Written By
Jon is an SEO Consultant at SEOgadget, a digital marketing agency specialising in conversion rate optimisation, large scale SEO, keyword research, technical strategy and link building in high competition industries.