A beginner's guide to the new cookie law

This article appears in the current July 2012 issue (#229) of .net magazine – the world's best-selling magazine for web designers and developers.

EU legislation on the use of cookies changes this Saturday. As a designer or developer, you probably became aware of this issue a while ago, as we did some 18 months back. Our first responses were along the lines of:

• “WTF? Who passed this law?”
• “What do we tell our clients?”
• “What on earth are we going to do?”

Sections of the web community have reacted in various ways. Some are in denial, a lot are angry and confused – and some ‘privacy warriors’ are happy. What is certain is that most of your clients have been blissfully ignorant about cookies, the legislation and how it affects their business on the web.

But as 26 May dawns and the media seizes on the spectre of a ‘cookie time bomb’, ‘cookie crunch’ and ‘the end of the web as we know it’, that will change – fast. Your clients will be panicky. They’ll expect that you’ll understand the change and how it affects their business – and have a plan to get them out of this hole.

We at The Cookie Collective have studied the ins and out of the law, so here I'll help you grasp the implications and set out some steps to getting legal.

What is the ‘cookie law’?

What people refer to as the ‘cookie law’ is a new piece of privacy legislation that requires websites to obtain consent from visitors to store or retrieve any information on a computer or other web-connected device, like a smartphone or tablet. It has been designed to protect online privacy by making consumers aware of how information about them is collected by websites, and enabling them to choose whether or not they want it to happen.

It started as an EU directive adopted by all EU nations on 26 May 2011. At the same time, the UK updated its Privacy and Electronic Communications Regulations, bringing the directive into law.

The UK is effectively leading the way, but every EU member state has done or is doing the same thing. Each has its own approach and interpretation, yet the basic requirements of the directive remain.

Requirements and responsibilities

Many people will be unaware that the law is already in effect in the UK. However, the UK’s regulator, The Information Commissioner’s Office (ICO), gave everybody a one year ‘grace period’ before enforcing it. That grace period will expire on 26 May 2012.

This sounds scary, but nobody will be serving legal papers at 12.01am on 26 May over cookie compliance. In many ways the cookie law is a natural extension of privacy practices websites already use.

Some agencies and developers have taken the stance that as they don’t own a site they build or support, they aren’t responsible for compliance. But buried in the ICO guidance is the following text:

“Companies who design and develop websites or other technologies for other people, must also carefully consider the requirements of these Regulations and make sure the systems they design allow their clients to comply with the law. The Information Commissioner would expect that any development of new software, or upgrades to existing software, would take into account the need to ensure products are compliant with these rules and broader data protection requirements.”

This seems to imply a situation in which agencies share responsibility, in so much as the owner has the requirement to use a developer who understands and can help them comply effectively. The first step on this shared road to compliance is an audit.

The good, the bad and the undead

Cookies are ubiquitous and come in many guises, often shrouded by impenetrable names, which is why you need an audit to identify them and understand what activities they perform. Some of these are vital to making a website work, but others track what users do online and pass that data to third-parties. It’s mainly this latter cookie type that has caused the shift in cookie compliance. There are two key factors to consider:

First, is a cookie first- or third-party (set by a web service you may not be aware of)? First-party cookies are generally ‘good’ – helpful and fairly low risk. It’s third-party cookies that pose the most compliance issues. Examples of ‘bad’ cookies are those used in behavioural advertising, where they identify what you click on and tell advertising websites to display that type of product or service wherever you go afterwards. From 26 May, website owners must disclose or seek permission to use this type of cookie.

Second, the issue with cookies is persistence. When you examine a cookie in an audit, they contain instructions about how long they remain on your machine. Some contain instructions to delete themselves when you leave the website. Some may persist for months or even years. Moreover, some cookies are designed so that even if you use your browser to delete the cookies on your machine, they resurrect themselves the next time you connect to the web.

These so-called ‘zombie’ cookies were considered to be legally questionable before the law came into force and are certainly now seen to be outside the acceptable framework of cookie types.

Here’s a simple breakdown of how to go about categorising cookies:

• Zero compliance risk or ‘strictly necessary’ cookies Always first-party and not persistent. These include functional navigation and user session cookies for shopping baskets.
• Low compliance risk Always first-party and may be persistent. These cookies include accessibility options for visually impaired users and, arguably, analytics cookies.
• Medium compliance risk Usually first-party and persistent. These might be used to store personally identifiable information, or limited cross-site tracking, in order to present content based on previous visits. Another good example is the Facebook Like button.
• High compliance risk Third-party and persistent. These are mainly used to track and record visitor interests without prior consent, and aggregate this data for use by third-parties, normally advertisers. This also includes cookies set through the provision of embedded content which is not ad-related, such as Google Maps and YouTube videos.

Routes to compliance

So, your responsibility is to help your client take a view on what is the most appropriate action for their website. Lots of people are offering audits as people wake up to the cookie issue, but don’t forget that an audit is the first step to compliance, not the last. You still need a solution to whatever the audit throws up.

Once you have audited, analysed and categorised, there are two routes to take:

• Explicit opt-in/opt-out If your site is heavy with third-party advertising and social media connectors, the safest bet is to seek explicit opt-in from visitors via some kind of intervention, such as a ‘This site uses cookies: allow’ notice on your homepage. Bear in mind that if your adverts come from a variety of ad serving networks and regularly change, you’ll need to update your disclosure statement to reflect any new cookies. You might find analytics numbers dropping. This doesn’t mean people aren’t visiting your site, but if they opt out they won’t be included in your Google Analytics.

• Implied consent via notice If your site doesn’t feature advertising and uses cookies for functional purposes (accessibility, Facebook Like buttons and Google Analytics), then you may be fully compliant if you have a cookie notice displayed clearly on your website referencing details on your privacy page. You will need to make sure this notice remains up to date when new features are added.

Conclusion

It’s vital to comply with regulations, but there’s flexibility built into the UK cookie law enabling various responses to a range of compliance risks. Take practical steps to comply and the chances are you’ll be compliant; it’s that simple. Doing nothing is the worst thing you can do right now.