Giving you a choice about cookies

A year ago a law – known as Directive 2009/136/EC – came into effect throughout the European Union on the use of cookies on websites, requiring a website owner to seek visitors’ consent to cookies being saved to their computers when they visit a website (more on cookies).

Implementing the law in the UK was delayed for a year to give businesses time to become compliant. The Information Commissioner’s Office – responsible for policing the implementation of the UK-specific version of the EU law – has detailed information about the so-called ‘cookie law’ and related topics.

The year of grace in the UK expires today, May 26, from which moment websites in the UK are supposed to be telling visitors about how their sites are using cookies, and giving visitors a means to indicate their agreement or not.

While I do believe this law was set up with all the best intentions, its implementation seems to have lacked a clear plan of execution. So many EU member states, so many different needs. In the UK, there’s fear, uncertainty and doubt out there about cookies generally and this law in particular. Indeed, some estimate that few UK websites have even started thinking about the cookie law and becoming compliant, something the ICO say they’re addressing through communication and awareness-raising.

Add to this a last-minute change in the UK requirements made by the ICO just a few days ago, and it’s no wonder the FUD looms large for many people.

Here, concisely, is what you need to know about the UK cookie law:

  1. If you’re in the UK and have a website that sets a cookie on a visitor’s computer – which will include a mobile device like a smartphone – you must comply with the law to let people know about cookies. That means a method to communicate that when visitors arrive on your site.
  2. Given the ICO’s last-minute change where communicating information about your website’s cookie use no longer requires an explicit approval by a visitor – the ICO is happy with what it’s calling ‘implied consent’ – communicating your site’s cookie use is sufficient to comply with the law. However, the ICO qualifies its advice in the latest version of its guidance document in some detail, thus:
    • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
    • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
    • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
    • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

So, in essence, the very least you must do is tell your visitors about your cookies, how they’re being used and what that means for the visitor.

Logical questions now for many people – I had them myself – are: how do you do this? What would you say? Are there examples of wording you can use? What happens if someone objects to cookies on your website? And what about blogs – do they need to comply with the cookie law?

There are many good sources offering answers or help to most of these questions, especially:

As for blogs, think about it – blogs are websites. So if your blog sets cookies – and it’s almost certain that it will do, eg, if you use Google Analytics, if you enable visitors to log in to comment, or if you have buttons to tweet, like or +1 – then you, too, need to be compliant.

If you have a WordPress blog, as I do, there are a number of plugins that automate the process of presenting the visitor with a message about cookies on your blog.

One I discovered a few weeks ago is the EU Cookie Muncher plugin by Scott Evans that can help you make your blog compliant. Here’s how it works:

[…] First off we check the IP address of the visitor. If they appear to be outside of the EU then the plugin is not loaded. Next we scan your site’s HTML for scripts and tools that do not comply with the directive, such as Google Analytics, twitter and Facebook social buttons. These scripts are removed from the page and a customisable notification is shown to the user inviting them to “accept cookies”. Once they accept cookies the preference is remembered for one year and your cookie setting scripts jump back to life.

I think it’s a nice solution, especially if it shows the popup only to those who need to see it, ie, people within the EU. So if you’re in the US, for instance, you shouldn’t see it at all. Unlike most WordPress plugins, it’s not free (you pay $12 for a single license). I plan to implement it on my blog as I believe it’s a good and simple way to be compliant with the cookie law. (I would have done that already except the version I have throws up a 500 server error every time I activate it. Hope to have that situation resolved before the end of the weekend.)

Given the last-minute changes in the law, as I mentioned earlier, developer Scott Evans says he’ll be updating the plugin this weekend to reflect those changes.

There are other such solutions, too, which are worth checking out.

My site uses few cookies as this screenshot via the View Cookies Firefox extension shows:

[Screenshot: the cookies set by this site, as listed by the View Cookies Firefox extension]

Here’s what those cookies are:

  • The ones with filenames starting with an underscore are Google Analytics cookies, relating to tech info about how many visitors, what they look at, etc.
  • Those with ‘wp’ in the filename are related to WordPress and, specifically in this case, my own use of my site related to my logging in as the administrator. You shouldn’t get those on your computer ;)
  • The one with ‘wptouch’ in the name is for the WP Touch plugin for WordPress that is set for visitors on mobile devices so they get a mobile version of the site on their device rather than a desktop version. (That’s a terrific example of a valuable cookie that helps you get the best experience here by ‘remembering’ your preference.)

I don’t have any paid advertising on my site so there are no ad tracking cookies whatsoever.

Does all this make you feel more confident about what happens with cookies when you visit this site? Please share your thoughts – I’d love to know. Also, tell me about your experiences in making your own site compliant. Thanks.
