EU cookie law compliance guide – and five examples

New EU rules have fundamentally changed the way in which businesses deal with customers online – and virtually every firm with a website is affected.  

The so-called EU cookie directive was designed to give an extra layer of privacy to internet users, and to safeguard their right to determine how their information is used. It was passed in 2009, and national governments had until 25 May 2011 to implement it. The Information Commissioner’s Office (ICO), the government agency responsible for enforcement of the law, indicated that it would give businesses twelve months to comply with the changes – and as a result, it is only now that many small firms are beginning to take notice. Significantly, non-compliance may force companies to pay fees that could lead to business overdrafts and cash-flow problems.

What is a cookie?

The new rules concern the use of cookies and similar technologies. Cookies are tiny files that are stored on a user’s computer. They can be used for a variety of reasons – for example in order to identify a returning user, or to enable a website to remember the contents of a shopping basket. They are one of the key tools on which the modern internet relies.

What does the directive mean?

The cookie directive requires that users must give their consent before cookies can be ‘set’ (that is, stored) on their computer. It was initially thought that this would require users to explicitly opt in to cookie use – and, given the combination of understandable privacy concerns and a general lack of consumer knowledge about cookies, it was thought that this could have a disastrous impact on websites’ ability to operate.

In a last-minute change, however, the ICO indicated that so-called ‘implied consent’ would be sufficient. This means that, provided that a website owner can be confident that the user understands what is happening, cookies can be set on an ‘opt out’ basis.

What do I need to do now?

If your business has a website, you need to take action to ensure you are complying with the changes. The ICO recommends that every business conduct a ‘cookie audit’, wherein you assess your current use of cookies. Where are cookies being used on your site? How intrusive are they? Do you need to obtain consent?

A number of cookie types may be exempt from the requirement to gain consent. These include cookies used for purposes like keeping track of shopping trolley contents, or so-called ‘first party’ analytics cookies – that is, cookies set for analytics purposes by the domain shown in the browser’s URL bar, rather than by a third-party domain. Even in these cases, though, the ICO suggests that websites should provide clear information about cookie use, along with a simple opt-out mechanism.

Regardless of the type of cookie being used, you should ensure that there is a page on your site giving simple, easily comprehensible information. The ICO has explicitly said that it is not enough to expect users to read through an entire privacy policy. Instead, cookie information must be given extra prominence, and should be easily visible from your homepage.

How are others dealing with the change?

Organisations are adopting a range of tactics to help them comply with the changes.

The Information Commissioner’s Office seems like an obvious first port of call for help on compliance. Their own website has a new header explaining that it would “like to place cookies on your computer”, along with an opt-in checkbox.

The BBC has adopted a similar approach, with a new header explaining the changes. Cookies are set unless the user opts out – but the BBC website also includes a simple preference panel to enable users to manage their cookie use.

The Guardian website makes use of the implied consent rules – but it also provides an impressive overlay graphic that shows users exactly where cookies are being used on each page, so that users understand enough of what is happening for their continued use of the site to count as informed consent.

Halifax have simply included a small link to their cookie policy in their existing header bar. There is no mention of implied consent anywhere other than in the policy itself.

Facebook, meanwhile, include a small link in their footer. Their policy page explains how cookies are used, and suggests that users may be able to turn them off in their browser settings.

Further guidance on cookie use is available from the ICO website.