A recent ICT Knowledgebase article provides a good overview of the current situation and steps needed for compliance. This can be summarised as:
- assess their intrusiveness
- determine how to obtain user consent for intrusive cookies.
For assessing intrusiveness we suggest a three-tier approach of moderately intrusive, mildly intrusive and exempt. Examples of each could include:
Moderately intrusive: Embedded third-party content such as YouTube/Vimeo videos; social media plug-ins such as Facebook ‘Like’ buttons; campaign management including A/B split-testing of content. See note below about analytics.
From a user experience perspective (i.e. least disruptive) the preferred method of compliance would be simply ‘implied consent’. This may be acceptable for specific actions such as ‘remember my preference’ checkboxes but not in the general case because “evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent” .
- the footer (tertiary navigation)
- areas of your site where cookies are used
- a news article/press release acknowledging the legislation with perhaps some background information on what cookies are.
In addition to a cookie information page, you should seek to inform the user at specific points when a cookie identified as ‘intrusive’ is being set. In many cases this could be achieved through suitable labels/copy stating that a cookie will be set when the action is performed (and linking to your cookie information page as noted above for more information).
For any cookies identified as ‘moderately intrusive’ you should review the associated functionality to see if it’s really necessary. (Such consideration is intended to be the principle target of the legislation). If you do consider these necessary you should ask users for opt-in consent before setting any associated cookies. This could be achieved using ‘off-the-shelf’ plugins such as Jpecr or custom development like BT (see bottom right of page), while considering the technical and user experience implications of any approach.
A note on analytics:
All good websites track their usage through analytics that requires cookies. Although not ‘strictly necessary’ for the site to function, the value of analytics data would be compromised if the sample size was reduced by requiring user consent. Thankfully the ICO have acknowledged that enforcement of cookie legislation for analytics is not a priority. We would however still recommend full transparency by explaining the use of analytics cookies in your cookie information page.
Should you require any assistance in implementing any changes please don’t hesitate to get in contact.