EU cookie compliance

From 26 May 2012, all websites operating in the UK will be required to inform their users about their use of cookies and obtain consent for doing so. This enforcement follows the end of a 12-month lead-in period from the introduction of the Privacy and Electronic Communications Regulations on 26 May 2011.

A recent ICT Knowledgebase article provides a good overview of the current situation and steps needed for compliance.  This can be summarised as:

  1. audit the use of cookies on your site
  2. assess their intrusiveness
  3. determine how to obtain user consent for intrusive cookies.

For assessing intrusiveness we suggest a three-tier approach of moderately intrusive, mildly intrusive and exempt. Examples of each could include:

Moderately intrusive: Embedded third-party content such as YouTube/Vimeo videos; social media plug-ins such as Facebook ‘Like’ buttons; campaign management including A/B split-testing of content. See note below about analytics.

Mildly intrusive: Personalisation of content/interface such as ‘remember my country’ preferences and the results of JavaScript detection.

Exempt: Cookies used to prevent multiple form submissions (including Drupal’s webform); session management cookies required to fulfil primary functionality such as shopping carts and donation forms.

From a user experience perspective (i.e. least disruptive) the preferred method of compliance would be simply ‘implied consent’.  This may be acceptable for specific actions such as ‘remember my preference’ checkboxes but not in the general case because “evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent” [1].

As a minimum, we recommend ensuring your site’s privacy policy clearly identifies the information stored about visitors and how this is used.  A good example of this is the ICO’s privacy page that includes further links such as how to opt out of Google Analytics tracking. To make this even more visible, a separate ‘cookie information’ page could be created specifically for this information.  This could then be linked to as necessary from:

  • the footer (tertiary navigation)
  • your privacy policy
  • areas of your site where cookies are used
  • a news article/press release acknowledging the legislation with perhaps some background information on what cookies are.

In addition to a cookie information page, you should seek to inform the user at specific points when a cookie identified as ‘intrusive’ is being set.  In many cases this could be achieved through suitable labels/copy stating that a cookie will be set when the action is performed (and linking to your cookie information page as noted above for more information).

For any cookies identified as ‘moderately intrusive’ you should review the associated functionality to see if it’s really necessary (such consideration is intended to be the principal target of the legislation).  If you do consider these necessary you should ask users for opt-in consent before setting any associated cookies.  This could be achieved using ‘off-the-shelf’ plugins such as Jpecr or custom development like BT (see bottom right of page), while considering the technical and user experience implications of any approach.
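The three steps above (audit, assess, obtain consent) can be sketched as a small classifier and consent gate. This is an added example, not code from the article or from any plugin it mentions; the cookie names, the inventory and the `consent` object are constructed, and treating unaudited cookies as blocked and mildly intrusive cookies as needing a notice at the point of setting are assumptions.

```javascript
// Tiers follow the article's three-tier scheme, plus a bucket for anything the audit missed.
const TIER = { EXEMPT: 'exempt', MILD: 'mild', MODERATE: 'moderate', UNAUDITED: 'unaudited' };

// Constructed inventory standing in for the output of steps 1 and 2 (names are hypothetical).
const INVENTORY = [
  { pattern: /^SESS[0-9a-f]+$/, tier: TIER.EXEMPT, purpose: 'session management' },
  { pattern: /^form_token$/, tier: TIER.EXEMPT, purpose: 'prevent multiple form submissions' },
  { pattern: /^country_pref$/, tier: TIER.MILD, purpose: 'remember my country' },
  { pattern: /^has_js$/, tier: TIER.MILD, purpose: 'JavaScript detection result' },
  { pattern: /^ab_variant$/, tier: TIER.MODERATE, purpose: 'A/B split-testing' },
  { pattern: /^video_embed_/, tier: TIER.MODERATE, purpose: 'embedded third-party video' },
];

// Extract cookie names from a Cookie request header or a document.cookie string.
function cookieNames(header) {
  return header.split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter((name) => name.length > 0);
}

// Map a cookie name to its tier; names missing from the inventory are flagged.
function classify(name) {
  const entry = INVENTORY.find((e) => e.pattern.test(name));
  return entry ? entry.tier : TIER.UNAUDITED;
}

// Steps 1 and 2: group the cookies actually present by tier so gaps in the audit show up.
function audit(header) {
  const report = { exempt: [], mild: [], moderate: [], unaudited: [] };
  for (const name of cookieNames(header)) report[classify(name)].push(name);
  return report;
}

// Step 3: may this cookie be set for a visitor with the given consent state?
// consent.optIn: explicit opt-in was given; consent.informed: Set of cookie names
// whose triggering action carried a label saying a cookie would be set.
function maySet(name, consent) {
  switch (classify(name)) {
    case TIER.EXEMPT: return true;
    case TIER.MILD: return consent.informed.has(name);
    case TIER.MODERATE: return consent.optIn === true;
    default: return false; // assumption: fail closed for cookies missing from the audit
  }
}

// Constructed sample of what a browser might send back to the site.
const SAMPLE = 'SESS9f3a=abc; country_pref=GB; ab_variant=B; mystery=1';
```

Running `audit(SAMPLE)` puts `mystery` in the `unaudited` list, which is the signal to go back to step 1 before deciding how to handle it.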

A note on analytics:
All good websites track their usage through analytics that require cookies.  Although not ‘strictly necessary’ for the site to function, the value of analytics data would be compromised if the sample size was reduced by requiring user consent.  Thankfully the ICO have acknowledged that enforcement of cookie legislation for analytics is not a priority.  We would however still recommend full transparency by explaining the use of analytics cookies in your cookie information page.

Should you require any assistance in implementing any changes please don’t hesitate to get in contact.

[1] ICO's Guidance on the rules on use of cookies and similar technologies, version 2, p6