The Cookie Law - Tony Jones Web Design Wrexham.

Cookie Law 

You may have heard about the “Cookie Law” recently. This much-delayed legislation came into effect on 26th May 2012, and regulates the use of cookies on websites. This article explains what you need to know about the legislation, and what to do to ensure compliance. 

What is the “Cookie Law”? 

Cookies are small text files set on your computer at the request of a website, and are sent back to that website on subsequent visits until the cookies expire. Cookies are used to implement any feature that remembers you between visits. Examples include shopping carts and password-protected content. 

In 2009 the European Parliament passed directive, amending the previous E-Privacy Directive of 2003. Reflecting concerns about the use of tracking cookies (cookies whose sole purpose is to track which websites you are visiting in order to target advertising at you), the new directive requires websites to obtain visitors’ consent for non-essential cookies. 

European directives are not law in themselves; they instead require EU member states to amend their national laws to achieve the aims of the directive. Problems with the directive have meant that few member states have done so to date, with the United Kingdom being one of the few exceptions. 

The United Kingdom government passed The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 in response to the directive. The “Cookie Law” is the unofficial name for section 6 of the regulations, which covers the use of cookies. 

What are the problems? 

The law makes an exception only for cookies deemed ‘essential’. The Information Commissioner's Office published guidance stating that this includes cookies used for shopping carts, but not cookies used for collecting statistics (such as Google Analytics). In a recent interview, Dave Evans of the Information Commissioner's Office admitted that "exemptions for strictly necessary cookies were not drawn widely enough". 

The Information Commissioner's Office's website was one of the first to ask visitors for consent to use cookies. A request under the Freedom Of Information Act revealed that following the change visitor numbers reported by Google Analytics dropped by 90%, implying only 10% of visitors accepted cookies. 

These restrictions on cookies — cookies that web companies regarded as entirely reasonable and that are used on the majority of websites — meant that the law was universally ignored. As a result the United Kingdom government delayed the deadline for implementation by a year, until 26th May 2012. 

In the approach to the deadline, the Government Digital Service published an article stating that they regard Google Analytics as ‘essential’ and ‘minimally intrusive’, and hence exempt under the law. This has reduced, but not eliminated, the problems caused by the law. 

What do I need to do? 

Option 1: Do nothing 

While we explicitly cannot recommend ignoring the law — it is, after all, the law, and there are potential financial penalties for non-compliance — the vast majority of websites have not taken any action to comply with the law, including the majority of the government’s own websites. The general opinion amongst web companies is that the law will not be enforced in the face of widespread non-compliance. 

In a recent interview, Dave Evans of the Information Commissioner's Office stated “we know that not every website can just switch its website off on May 25 and implement changes” and that “all of our enforcement actions are likely to be in the form of negotiations”. 

Option 2: Gain implied consent 

The day before the new law came into force, the Information Commissioner's Office updated its guidance to state that implied consent is a valid form of consent in many cases. 

Some organisations, such as the BBC, have taken the approach of displaying a message stating that the site uses cookies, giving visitors the option to opt-out, and assuming consent if they do not do so. A cookie is used to remember if the visitor has already seen the message; the message is therefore displayed only on their first visit. 

This approach has the advantage of being minimally intrusive and shows that an attempt at compliance has been made. 

All our sites created following the legislation coming in effect display such a message. If you have an older website site and would like to display such a message, please contact us. 

Option 3: Gain explicit consent 

If you feel you need to gain explicit consent, you need to identify every feature of your website that uses cookies, and either remove each feature or gain consent for it. The following uses of cookies on websites are exempt: 

The webshop and password-protected pages 

These uses are explicitly exempted under the law 

Google Analytics 

As mentioned above, the Government Digital Service regards analytics as ‘essential’ and ‘minimally intrusive’, and hence exempt under the law. 

The following uses of cookies on websites require consent: 

YouTube, Dailymotion, and Hark embedded media players 

This media players set a cookie when the play button is clicked. You can therefore gain consent by adding a statement to the effect of “By clicking the play button, you consent to YouTube/Dailymotion/Hark setting a cookie in your web browser”. 

The Facebook Like Box component 

This component embeds a page on facebook.com. The embedded page sets several cookies. We do not not have control over these cookies, so you would need to remove the component to comply with the law. 

Sharing buttons (Like, +1, and AddThis) 

These bespoke features, which you may have asked us to add to your site, use code provided by the associated companies (Facebook, Google, and Clearspring Technologies respectively) which sets cookies. We do not not have control over these cookies so you would need to ask us to remove the buttons to comply with the law.