Cookie law: the gnarly truth

To act in accordance with new EU legislation, websites must now gain consent for the use of cookies. Mark Steven, head of client services at CIVIC, looks at the new law and explains what to do to bring your site in line

The law requiring websites to gain explicit consent before storing cookies on users’ computers was passed in May 2011 but the ICO granted firms a year to comply before prosecuting any cases.

Put simply, the law requires you to gain consent before you start dropping cookies on your users' devices. There are one or two exemptions but they're quite narrow, so don't go thinking you're off the hook.

Apart from the odd lonely voice, reactions from the industry have been entirely negative. Many see the law as fundamentally flawed, some hold out hope for a U-turn on the legislation and others vainly hope for a universal solution from browser vendors.

The bad news is that it's really happening: there will be no U-turn, there are no silver bullets and yes, unless you can avoid 'non-essential' cookies altogether, it's going to affect your website.

Why legislate?

But the law isn't altogether wrong-headed. In fact, while it poses some compliance headaches it's not a bad thing.

Big providers of web services such as Facebook and Google liberally use cookies to make their services work, track user behaviour, sell us things and personalise our browsing experience. They keep telling us that data is anonymised, that they only have our best interests at heart, and that they exist to make the world a better place.

Even if we believe them, the fact is that data, once it is brought into existence, has a creepy way of getting about, being repurposed for commercial gain, or otherwise misused. Google, with its control over AdWords, Analytics, Gmail and a host of other services, has the means to track much of our activity online – not that it chooses to exercise that power, and laws exist to discourage it from doing so.

The legislation was brought in to begin to inhibit the reach of corporate interests into private lives. By and large that's to be applauded.

The gnarly truth

The self-regulatory, industry-wide model favoured by the Digital Advertising Alliance and the Internet Advertising Bureau allows users to opt out of cookies set by behavioural advertising firms. The trouble is, it's nonsense.

It's opt-out, not opt-in. The law couldn't be more explicit on this point. It doesn't help webmasters who remain responsible for all the cookies distributed via their websites. And it's fragile: clear your cookies and your advertising preferences are lost.

So if you're cursed with the nagging feeling that you must abide by the laws of the land, you can't sit back and hope the DAA have got your back. There are a few steps you'll need to go through to bring your website into line:

  1. Audit your cookies and present clear (plain English!) information about them on your privacy policy.
  2. Include a mechanism for obtaining consent, before any cookies are stored (with one or two exceptions for things like load balancers and shopping carts).
  3. Make any technical changes to cookie-storing scripts in order to test for consent before a cookie is stored.

Cookie hell

While most websites will be able to comply with a few simple tweaks to their code and the application of a consent solution, some third party apps will be badly affected.

Google Analytics is estimated to run on 90 per cent of websites. As an entirely cookie-based analytics solution it is not compliant with the legislation without the provision of explicit consent by website users. When the ICO tested this on their own site, only 10 per cent of users actually opted into the service.

Websites dependent on sales from advertising will be even harder hit. At the moment scripts from some ad networks deposit cookies in order to personalise ads on websites that users visit later. It's difficult to see how this functionality will survive when explicit consent is required in order to make it work.

Consent solutions

The ICO famously implemented an ugly banner consent solution on their site. Others are worse still. The prospect of a slightly more grim user experience for the next few years is now very real – with every other site sporting a different consent solution.

At CIVIC we've been collaborating with partners in government to create Cookie Control – a free, cross-platform jQuery solution. The aim for us has been to make something as unobtrusive as possible, while providing whatever level of compliance you need.

Three degrees

For strict legal compliance, you really mustn't drop any non-essential cookies, including those used for analytics. But the ICO has said that it's looking for some positive steps and I think we can expect the agency to be helpful rather than adversarial in the first few months of enforcement. So choose a level of compliance that you can manage to get your head round now, with a view to doing more when you can:

  1. Baby Steps: Do a cookie audit and update your privacy policy with friendly information about your cookies.
  2. The fifty per cent: Adopt clear iconography like the Cookie marque developed for Cookie Control, advising that cookies are used on your site and linking to your privacy policy.
  3. Compliance freak: Do all the above and tweak your scripts so non-essential cookies aren't dropped without testing for explicit consent from Cookie Control.
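Step 3 above and the "compliance freak" level both come down to the same change: a cookie-setting script must test for consent before it stores anything non-essential. The example below is added here and is not Cookie Control's own code or API; it assumes a hypothetical gate around a cookie jar (an in-memory Map standing in for document.cookie so it runs outside a browser) and an assumed exemption list covering the load-balancer and shopping-cart cases the article mentions.

```javascript
// Added example, not part of Cookie Control: gate non-essential cookie writes
// behind explicit consent. Essential cookies (assumed names for a load balancer
// and a shopping cart) are always allowed; everything else is deferred until
// the user opts in, and removed again if consent is withdrawn.
const ESSENTIAL = new Set(["lb_node", "cart"]); // assumed exemption list

function createCookieGate(jar = new Map()) {
  let consent = false;
  const pending = []; // non-essential writes waiting for consent

  // Returns true if the cookie was stored now, false if it was deferred.
  function setCookie(name, value) {
    if (ESSENTIAL.has(name) || consent) {
      jar.set(name, value);
      return true;
    }
    pending.push(() => jar.set(name, value));
    return false;
  }

  // Wrap a whole third-party loader (e.g. an analytics snippet) the same way:
  // it only runs once consent exists. Returns true if it ran immediately.
  function runWhenConsented(fn) {
    if (consent) { fn(); return true; }
    pending.push(fn);
    return false;
  }

  // Explicit opt-in: flush every deferred write and loader in order.
  function grantConsent() {
    consent = true;
    while (pending.length) pending.shift()();
  }

  // Opt-out: stop new non-essential writes and purge the ones already set.
  function withdrawConsent() {
    consent = false;
    for (const k of [...jar.keys()]) if (!ESSENTIAL.has(k)) jar.delete(k);
  }

  return {
    setCookie, runWhenConsented, grantConsent, withdrawConsent,
    hasConsent: () => consent,
    cookies: () => [...jar.keys()].sort(),
  };
}
```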

The future

The only really decent solution for managing cookies and complying with the legislation is via the browser. Arguably the legislation would have been a whole lot better if it had placed a duty on browser vendors to implement site-level cookie management while forcing corporate networks with older browsers to upgrade. Such an approach would have ensured that webmasters didn't have to deal with the issue and compromise their user experience in order to comply. And it would have had the pleasant side effect of killing off Internet Explorer versions 6, 7 and 8.

If you can't wait for this day to dawn, won't compromise on user experience and want to stay on the right side of the law, you have only one option: build your sites without using non-essential cookies. Ditch Google Analytics and most of the ad networks, and find other ways of doing the same old thing.