New EU rules have fundamentally changed the way in which businesses deal with customers online – and virtually every firm with a website is affected.
The so-called EU cookie directive was designed to give an extra layer of privacy to internet users, and to safeguard their right to determine how their information is used. It was passed in 2009, and national governments had until 25 May 2011 to implement it. The Information Commissioner’s Office (ICO), the government agency responsible for enforcement of the law, indicated that it would give businesses twelve months to comply with the changes – and as a result, it is only now that many small firms are beginning to take notice. Significantly, non-compliance may force companies to pay fees that could result in business overdrafts and cash flow issues.
What is a cookie?
What does the directive mean?
The cookie directive requires that users must give their consent before cookies can be ‘set’ (that is, stored) on their computer. It was initially thought that this would require users to explicitly opt in to cookie use – and, given the combination of understandable privacy concerns and a general lack of consumer knowledge about cookies, it was thought that this could have a disastrous impact on websites’ ability to operate.
In a last-minute change, however, the ICO indicated that so-called ‘implied consent’ would be sufficient. This means that, provided that a website owner can be confident that the user understands what is happening, cookies can be set on an ‘opt out’ basis.
What do I need to do now?
A number of cookie types may be exempt from the requirement to gain consent. These include cookies used for purposes like keeping track of shopping trolley contents, or so-called ‘first party’ analytics cookies – that is, cookies set for analytics purposes by the website shown in the URL bar, rather than by a third-party domain. Even in these cases, though, the ICO suggests that websites should provide clear information about cookie use, along with a simple opt-out mechanism.
How are others dealing with the change?
Organisations are adopting a range of tactics to help them comply with the changes.
The Information Commissioner’s Office seems like an obvious first port of call for help on compliance. Its own website has a new header explaining that the ICO would “like to place cookies on your computer”, along with an opt-in checkbox.
The BBC has adopted a similar approach, with a new header explaining the changes. Cookies are set unless the user opts out – but the BBC website also includes a simple preference panel to enable users to manage their cookie use.
The Guardian website makes use of the implied consent rules – but it also provides an impressive overlay graphic that shows users exactly where cookies are being used on each page, so that they understand enough to be regarded as having given informed consent.
Facebook, meanwhile, include a small link in their footer. Their policy page explains how cookies are used, and suggests that users may be able to turn them off in their browser settings.
Further guidance on cookie use is available from the ICO website.