Where did all these cookies come from?
Thursday, May 26, 2011
Well, nowhere really, they have always been there. It’s just that new legislation that came into effect on 26th May 2011 has forced sites to inform users before a cookie is served (to your browser, not to you with tea), and to acquire user consent for serving that cookie.
What are Cookies?
A cookie is a small file which asks your browser for permission to be placed on your computer's hard drive when you visit a website. Once permission is granted, the cookie is added and it helps websites and web applications to respond to you as an individual.
The website or application can then tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences such as your language, the products you’ve added to your shopping cart, etc.
The vast majority of websites nowadays use cookies and several of them too, so any relevant regulation is bound to have a significant impact on how sites operate.
Previous Rules
The rules that regulated cookie usage were governed by a 2002 EU Directive that said that cookies should come with a "right to refuse".
The UK implementation of this directive said that the right to refuse could be given after the delivery of the cookie.
To comply, therefore, all that website owners had to do was to put some information about cookies used by their site in the privacy policy. The new law reverses this approach.
The New Rules on Cookies
The new directive that came into effect on 26th May 2011 makes explicit the need for a user's consent before serving cookies to that user's computer, unless the cookie is "strictly necessary" to provide a service "explicitly requested" by the user*.
Consequently, cookies necessary to fulfil the user's request do not need users' consent. A good example of this exception is the use of cookies to remember the contents of a shopping cart as the user browses a website.
However, other cookies such as those used to track usage statistics on a site, or those used to serve advertising, will require user consent before they are served to the user’s computer.
During the 18 months between the time the new directive was announced and its implementation, a debate raged about whether relying on browser settings with regard to the handling of cookies constituted sufficient consent, as suggested in the directive.
Shortly before the new legislation came into force, the UK government confirmed that one can’t rely on browser permissions for consent since most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie; and that not everyone who visits your site will do so using a browser.
So for now the government is advising organisations that use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.
That sounds complicated, and unenforceable; can I just ignore this advice then?
Simply put: probably not, and certainly not in the long run.
The government’s view is that there should be a phased approach to the implementation of these changes, with a sort of “grace period” for the first 12 months.
In light of this, the ICO has stated that, were it to receive a complaint about a website, it would expect the organisation’s response to set out how it has considered the points of the new legislation and to show that it has a realistic plan to achieve compliance.
They emphasise that they would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice.
Thus, the key point here is that you cannot ignore these rules.
So what do I need to do now?
There has been no separation of public and private websites so far, so the rules apply universally. However, the implicit understanding is that, in the short term at least, this is going to be a concern mainly for government and large private websites.
So if you fit the profile, the government, and we, advise you to take the following steps now:
- Check what type of cookies and similar technologies you use and how you use them (i.e. undertake a cookie audit)
- Assess how intrusive your use of cookies is
- Decide on what solution to obtain consent will be best in your circumstances
The cost, and the effect on user experience, of complying with the new regulations will vary significantly, depending mainly on the technology used and on the size and complexity of the site.
In any case the first step is a full cookie audit to:
- Identify which cookies are used by your site
- Advise on which cookies are necessary and might not need user consent
- Identify unnecessary cookies that can be removed
- Assess how intrusive your use of cookies is
- Rank cookies in order of importance and intrusiveness in order to prioritise required actions
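As an added illustration of the audit steps above (this is example code, not part of the original post), the following Python script inventories a set of Set-Cookie headers, classifies each cookie as session or persistent and first- or third-party, looks up its purpose in an auditor-maintained register, and ranks the results by intrusiveness. The site host, the sample headers and the purpose register are all constructed, assumed values.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample Set-Cookie values, not captured from any real site.
SITE_HOST = "www.example.co.uk"
SAMPLE_HEADERS = [
    "cart=abc123; Path=/; Secure; HttpOnly",
    "__utma=1.2.3.4; Domain=.example.co.uk; Expires=Sat, 25 May 2013 10:00:00 GMT; Path=/",
    "adid=xyz789; Domain=.ads.example.net; Max-Age=31536000; Path=/",
    "lang=en; Max-Age=2592000; Path=/",
]
# Hypothetical purpose register filled in by the auditor. "necessary" marks the
# strictly-necessary exemption (e.g. the shopping-cart cookie in the text above).
PURPOSES: Dict[str, str] = {"cart": "necessary", "__utma": "analytics", "adid": "advertising"}

@dataclass
class CookieRecord:
    name: str
    domain: str
    persistent: bool     # has Expires or Max-Age, so it outlives the browser session
    third_party: bool    # Domain attribute lies outside the audited site's host
    purpose: str         # from the register, or "unknown" if not yet classified
    needs_consent: bool  # everything except strictly-necessary cookies
    score: int           # intrusiveness rank used to prioritise remediation

def parse_set_cookie(header: str, site_host: str, purposes: Dict[str, str]) -> CookieRecord:
    """Split one Set-Cookie value into its name and attributes, then classify it."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")  # bare flags such as Secure get value ""
        attrs[key.lower()] = value
    domain = attrs.get("domain", site_host).lstrip(".").lower()
    persistent = "expires" in attrs or "max-age" in attrs
    third_party = not (site_host == domain or site_host.endswith("." + domain))
    purpose = purposes.get(name, "unknown")
    # Unclassified cookies are treated as needing consent until the auditor reviews them.
    needs_consent = purpose != "necessary"
    score = 4 * needs_consent + 2 * third_party + persistent
    return CookieRecord(name, domain, persistent, third_party, purpose, needs_consent, score)

def audit(headers: List[str], site_host: str, purposes: Dict[str, str]) -> List[CookieRecord]:
    """Inventory every cookie and rank the list by intrusiveness, highest first."""
    records = [parse_set_cookie(h, site_host, purposes) for h in headers]
    return sorted(records, key=lambda r: r.score, reverse=True)

if __name__ == "__main__":
    for r in audit(SAMPLE_HEADERS, SITE_HOST, PURPOSES):
        print(f"{r.score} {r.name:8} {r.domain:18} persistent={r.persistent} "
              f"third_party={r.third_party} purpose={r.purpose} consent={r.needs_consent}")
```

In a real audit the headers would be collected from the site's own responses (including those of embedded third-party content), and the purpose register is the part that cannot be automated: someone has to decide which cookies are strictly necessary.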
This information is essential to enable you to decide what action is required in order to comply with the new legislation, and this is something we can help you with.
Give us a call now to discuss your cookie audit needs.
*For more detailed information see the ICO’s advice on the new cookies regulations.