This is a guest post from Garry Byrne, managing director of digital agency Reading Room Ltd, follow Garry on Twitter.
With the ‘cookie law’ due to come into force proper in just a few weeks – the 26th May 2012 to be exact – web masters and owners around the country are still somewhat at a loss as to what they should be doing to make sure that, on the morning of the 27th, they don’t find an enforcement notice in their inbox.
So, what is actually required of us to ensure that we don’t fall foul of the cookie law?
Firstly, it’s important to get clear in our minds what we mean when we talk about the cookie law. We’re all getting hung up on cookies and it’s reasonable to assume that any cookie is basically bad – there’s a law about it, after all… right?
Wrong. There is no cookie law. The EU Directive which has driven a change to the law in the UK is actually about privacy, not cookies; indeed it doesn’t actually explicitly mention cookies at all in the legislation.
So why are we so hung up about cookies to the point that we’ve created the term ‘cookie law’? Simply because they are the most obvious and exploited manifestation of privacy invasion on the internet today. The very mechanism that has made them a mainstay of every web-based system for the last 15 years is perfect for allowing marketers and analysts to track your behaviour and browsing habits to find out more about you.
Cookies, you see, are fairly dumb – they will happily store any information they are instructed to for any length of time that a website you visit demands they do, and then they will just as happily – and automatically – present that information back to that same website whenever you visit it again.
This is great when the website you visit remembers what you added to your shopping basket last week and lets you get on with finishing up your shopping without adding it all again, but not so great when another website uses the same functionality to track your browsing and purchase habits for the purpose of reselling them.
To confound the issue, cookies are also very old – developed and supported since the earliest days of the internet, when security and privacy were based largely on trust – and as such there is simply no real mechanism to control their use that does not break the fundamental principles of what they exist for.
This means that as people who want to track you have figured out how to share a cookie across multiple sites (which is why you see highly tailored adverts for websites on other sites you may never have visited before), they have been able to do so with relative impunity.
So, we hit the real issue here – privacy. The EU thinks that we should have an expectation of privacy that includes not being tracked and served tailored content until you explicitly ask for it. You may have differing views on this, but that’s not really for this post – The EU mandated it, the UK have passed a law about it, cookies are the obvious manifestation of privacy invasion on websites, and thus we have ‘the cookie law’.
So – your cookies. It’s accepted that we can’t just stop using them; they’re a core part of many a site’s ability to function correctly and we can’t just kill them off. If nothing else, there is no obvious way to replace them and the internet would effectively break.
That isn’t to say that you can declare that tracking your users’ behaviour is essential to your site, because it likely isn’t. Regardless of what ‘essential’ functionality your cookie provides, if it’s also tracking and storing private user information and you don’t have permission to do so, then you’re doing it wrong and need to deal with it.
Which leads to explicit consent. This is the ‘to the letter of the law’ approach, as seen on the ICO’s website itself; an obvious banner which won’t go away – or allow cookies to be set – until you explicitly accept that the site will set them. This is a blanket approach and the one everyone is fearful of, for several reasons:
1. It looks terrible. There is no way to make this look nice.
2. It is potentially hard to retrofit to a website – you have to edit your site code to remove the ability to set cookies until your user has explicitly allowed those cookies to be set, which can be a lot of effort.
3. Unless you completely review and amend your site, large chunks of your functionality could simply stop working, again until your users accept cookies.
Another explicit consent approach would be to ask for permission to set a cookie before setting it, on a per-instance basis, just as you’re about to set it, rather than seeking blanket permission as soon as your page loads. This is likely much more appealing as it doesn’t require a massive banner on your site, but it’s also likely that your site is setting cookies right from first load anyway, and you still have the extensive problem of retrofitting this across your site functionality.
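One way to retrofit the "no cookies until accepted" approach, as an added example that is not from the original post: a small JavaScript consent gate that sets essential cookies straight away, queues everything else until the visitor accepts, and then releases the queue. The injected cookie sink and the consent cookie name are assumptions; in a browser the sink writes to `document.cookie`.

```javascript
// Added example, not from the original post: a consent gate that defers
// non-essential cookies until the visitor explicitly accepts them. The cookie
// sink is injected (assumption) so the same logic runs against document.cookie
// in a browser or against an in-memory jar when testing.

function createConsentGate(sink, { consentCookie = 'cookie_consent' } = {}) {
  let consented = false;
  const pending = []; // non-essential cookies queued before consent

  function serialise(name, value, opts) {
    let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/`;
    if (opts.maxAge !== undefined) s += `; Max-Age=${opts.maxAge}`;
    if (opts.secure) s += '; Secure';
    return s + '; SameSite=Lax';
  }

  return {
    // essential cookies (session id, basket, the consent flag itself) are set
    // at once; anything else waits until accept() is called
    setCookie(name, value, opts = {}) {
      if (opts.essential || consented) {
        sink.write(serialise(name, value, opts));
        return true;
      }
      pending.push([name, value, opts]);
      return false;
    },
    // the banner's "accept" handler: record consent (itself an essential
    // cookie) and release everything that was queued
    accept() {
      consented = true;
      sink.write(serialise(consentCookie, 'yes', { maxAge: 31536000, secure: true }));
      while (pending.length) sink.write(serialise(...pending.shift()));
    },
    pendingCount() {
      return pending.length;
    },
  };
}

// constructed in-memory sink for testing; in a browser use
// { write: (s) => { document.cookie = s; } }
function memorySink() {
  const jar = [];
  return { write: (s) => jar.push(s), jar };
}
```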
Basically, if you simply stick to the letter of the law, then you’ve got a lot of work ahead of you and there’s very little evidence or concrete guidance from anyone about exactly what you should be doing, how you can continue to function as a business or even if you really need to do it at all.
So what should you do? It’s not really feasible to ensure 100% compliance to the law right now, nor is it recommended to simply ignore it and hope for the best. You should be doing something, even if it’s only taking baby steps to final compliance.
There is good reason to take the slow but steady approach – one of the key initiatives that the ICO – unofficially – will support is that of implied consent, where there is a reasonable expectation from web users that cookies would be used. We’re not there yet, but through steady and consistent education and information, we will be.
Another thing to take into account is that the ICO are being very pragmatic about all of this – they will not be actively hunting down websites that do not adhere to the cookie law, rather acting on a case by case basis when complaints are received. Even if they do get in touch, they will be looking to see what steps are being taken towards compliance, rather than simply handing out fines – it’s acknowledged that this cannot happen overnight, so as long as you’re doing something, and certainly as long as your cookie usage is not nefarious, that’s probably good enough for now.
What, thus, would I recommend you do? Assuming you’re not going to go down the full, explicit consent banner road, then you should at the very least undertake a cookie audit of your website, either off your own back (doing a quick sweep for some high level understanding is actually very achievable without any technical knowledge) or through a development partner. It’s important that you have a good idea of your actual cookie usage before you start worrying about how to deal with them – it could be that you don’t actually use any cookies at all, and likely that any you do use are either exempt or easily handled through proactive advisement rather than explicit consent.
If you do seek professional guidance, make sure that at the very least you’re getting a report of the types of cookie being set, and who is setting them – if you display adverts on your site, for example, those are third party cookies and the responsibility for dealing with them might not be yours to worry about. Any decent report should be able to provide some guidance on appropriate action and, if in-depth enough, the technical and cost implications of those actions so you can start planning your remedial activity.
Declaring your cookie usage up front in this way is known as proactive advisement – making an upfront declaration of your cookie usage and your intentions / plans for the future about them – and it can be handled in a variety of ways that are much less invasive than needing to seek explicit consent.
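The cookie audit recommended above, as an added example that is not from the post or from any audit tool: a JavaScript script over captured HTTP responses that reports each cookie, which host set it, whether it is first- or third-party relative to the site, and whether it is a session or persistent cookie. The site host and the sample responses are constructed assumptions.

```javascript
// Added example, not from the original post: a minimal cookie audit over
// captured HTTP responses (constructed sample data, not a real site).

const SITE_HOST = 'www.example.co.uk'; // assumption: the site being audited

// true if `host` is the audited site or one of its subdomains
function isFirstParty(host, siteHost = SITE_HOST) {
  const base = siteHost.replace(/^www\./, '');
  return host === base || host.endsWith('.' + base);
}

// parse one Set-Cookie header into its name and lower-cased attributes
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name, attrs };
}

// one report row per cookie: who set it, which party, lifetime and flags
function auditCookies(responses, siteHost = SITE_HOST) {
  const report = [];
  for (const { url, setCookie } of responses) {
    const host = new URL(url).hostname;
    for (const header of setCookie) {
      const { name, attrs } = parseSetCookie(header);
      const persistent = 'expires' in attrs || 'max-age' in attrs;
      report.push({
        name,
        setBy: host,
        party: isFirstParty(host, siteHost) ? 'first' : 'third',
        lifetime: persistent ? (attrs['max-age'] ? `${attrs['max-age']}s` : attrs.expires) : 'session',
        secure: attrs.secure === true,
        httpOnly: attrs.httponly === true,
      });
    }
  }
  return report;
}

// constructed sample capture: two pages of the site plus one embedded ad pixel
const SAMPLE_RESPONSES = [
  { url: 'https://www.example.co.uk/', setCookie: ['PHPSESSID=abc123; Path=/; HttpOnly; Secure'] },
  { url: 'https://www.example.co.uk/basket', setCookie: ['basket=item42; Path=/; Max-Age=604800; Secure'] },
  { url: 'https://ads.adnetwork.example/pixel.gif', setCookie: ['uid=9f8e7d; Domain=.adnetwork.example; Expires=Wed, 26 May 2014 00:00:00 GMT'] },
];
```

Fed with a real capture (for instance Set-Cookie headers exported from the browser's network panel), the report separates the cookies you own from those set by embedded third parties, which is the split the post says the audit must give you.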
It’s important to remember that actions such as these will not make you compliant. They are merely a stepping-stone whilst you officially work towards compliance, and likely – unofficially – wait for it all to calm down a bit and a realistic middle ground to emerge.
Importantly, you should make sure you’re doing something, if only so you can evidence your attempt to comply with the law if someone comes a-knocking. Be that a cookie audit, a complete overhaul of your website or simply the squirrelling away of cash for a potential legal battle, that choice is yours!
It’s also worth stating at this point that all views are my own, and do not necessarily reflect those of my employer.
Disclaimer: Please note that this is a summary of opinions regarding the new cookie law but does not amount to legal advice since the writer of this blog is not authorised to advise on the interpretation and the application of the new cookie law to particular circumstances or matters and any such comments made by the said writer of this blog will not constitute and must not be relied upon as legal advice.