As a small business involved in ecommerce and online marketing, I've spent a lot of time looking into the cookie law to understand what we need to do to comply with it and, unfortunately, there is no clear answer. Only case law will make it easier to understand what is or is not allowed, unless the people who will police the law (the ICO) put a stake in the ground and set a level playing field for everyone to work to.
The Cookie Law
First things first, so we don't get confused further! The cookie law, as it is generally referred to, was amended from its previous incarnation and now reads as follows, with the amendments (at the date of publication, May 2012):
THE PRIVACY AND ELECTRONIC COMMUNICATIONS (EC DIRECTIVE) (AMENDMENT) REGULATIONS 2011 Regulation 6
6. Confidentiality of communications
(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the Internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information-
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service required by the subscriber or user.
This law came into effect in the UK on 26th May 2011, although the ICO, the body that polices the law, gave a year's grace for companies to become compliant; thus after 26th May 2012 they will start to actively respond to complaints regarding the new law.
Am I exempt from the Cookie Law?
Exemptions from the right to refuse placing information on your device:
The Regulations specify that service providers should not have to provide any information and obtain consent where that device is to be used:
‘where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user’.
In defining an ‘information society service’ the Electronic Commerce (EC Directive) Regulations 2002 refer to ‘any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service’.
Given the above, it seems to boil down to which parts of your web site, and which information you store on their device, are part of the service they have asked for and, if so, whether it is strictly necessary.
This can get really difficult to define: for a normal web site, what constitutes a request? If you assume that clicking through from a search engine onto your website is a request, what happens if it isn't, i.e. the information the search engine provides fails to describe what you provide? Whose fault is that?
Informed Consent
The lawmakers have stated that informed consent is what they are aiming for; this means providing enough information to the visitor to enable them to decide whether to accept the information or not.
You can view this detail in a speech made by the Head of Telecoms Regulation and E-Privacy at the Department for Culture, Media and Sport, here: Cookie Law Vid
I've seen lots of arguments over when consent should be obtained. The ICO believe best practice is to obtain consent up front; this appears to be interpreted as needing clear signposting of the consent request at initial contact, before the user continues their journey on your site. Interestingly, in the video above the Head of Telecoms Regulation and E-Privacy describes consent as the same as that under the Data Protection Act, which relies on the web site's privacy policy to impart the information.
A point to note: any 'further information' page you link to should itself not drop cookies; otherwise the user will not be able to read more without compromising their privacy to reach an informed decision, as the information will not be available without accepting more information onto their device.
Cookie Gotchas
How do you identify a real "user"? How do you distinguish bots and spiders from users? Those who blindly require all users to 'tick a box or see no website' could find themselves de-indexed from various search engines, as they will have no content on their page.
How do you identify a different user of the same device? The majority of browsers nowadays have separate caches per user; however, exceptions exist, certainly with home PCs which are set up in the corner of the house and used by anyone, so you cannot guarantee the user is always the same.
This is a real gotcha! If the user has previously visited your site and accepted cookies, the old cookies remain on their device until manually deleted. The law states that the information cannot be read without consent, so how does anyone prove whether they have been to your site before, as you are not allowed to access their device until you get consent?
Using JavaScript solutions will not resolve the problem
The problem with JavaScript solutions is that a lot of people do not allow it; for example NoScript is a commonly installed Firefox extension, and I think there are options in other browsers. The law does not differentiate: you need permission, and the fact that they have disabled JavaScript will not excuse you!
Good luck, I’m off to check my insurance to see if I’m covered for investigations under this law!
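One way round the JavaScript dependency described above is to decide about cookies on the server, where the visitor's choice arrives as a plain form post and the page content is still served to everyone (so search engine spiders and NoScript users are not shown an empty page). The following is an added example, not code from the original post or from any CMS; it models the request/response cycle as plain Python dicts so it runs offline, and the cookie names (cookie_consent, site_stats) and the paths /consent and /cookie-policy are assumptions made for the demonstration.

```python
"""Server-side cookie consent gate that does not depend on JavaScript.

Added example (not code from the original post or from any CMS). Requests and
responses are plain dicts so the whole cycle runs offline; the cookie names
and the /consent and /cookie-policy paths are assumptions for the demo.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

CONSENT_COOKIE = "cookie_consent"     # records the visitor's own answer (assumed name)
ANALYTICS_COOKIE = "site_stats"       # stands in for any non-essential cookie (assumed name)
NO_COOKIE_PATHS = {"/cookie-policy"}  # the 'read more' page must not drop anything itself


def parse_cookies(header: str) -> dict:
    """Cookie request header -> {name: value}; an empty or missing header gives {}."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def consent_state(request: dict) -> str:
    """'yes', 'no' or 'unknown', taken only from the consent cookie the visitor sent."""
    return parse_cookies(request.get("cookie", "")).get(CONSENT_COOKIE, "unknown")


def consent_banner() -> str:
    """Plain HTML form: works with JavaScript disabled and for any user agent."""
    return (
        '<form method="post" action="/consent">'
        "<p>This site uses cookies for statistics. "
        '<a href="/cookie-policy">Read what they store</a> (that page sets none).</p>'
        '<button name="choice" value="yes">Accept</button> '
        '<button name="choice" value="no">Decline</button>'
        "</form>"
    )


def handle(request: dict) -> dict:
    """Route one request. Returns {'status', 'headers', 'body'}; headers is a
    list of (name, value) pairs so several Set-Cookie lines can coexist."""
    path = request["path"]
    method = request.get("method", "GET")
    headers = [("Content-Type", "text/html; charset=utf-8")]

    if method == "POST" and path == "/consent":
        choice = parse_qs(request.get("body", "")).get("choice", ["no"])[0]
        choice = "yes" if choice == "yes" else "no"
        # Assumption for the demo: storing the visitor's own answer is treated as
        # necessary to honour that answer; the post leaves this question open.
        headers.append(("Set-Cookie",
                        f"{CONSENT_COOKIE}={choice}; Path=/; Max-Age=15552000; SameSite=Lax"))
        if choice == "no":
            # Clear any non-essential cookie an earlier visit may have left behind.
            headers.append(("Set-Cookie", f"{ANALYTICS_COOKIE}=; Path=/; Max-Age=0"))
        headers.append(("Location", "/"))
        return {"status": 303, "headers": headers, "body": ""}

    if path in NO_COOKIE_PATHS:
        return {"status": 200, "headers": headers,
                "body": "<h1>Cookie policy</h1><p>What each cookie stores and why.</p>"}

    # Normal page: the content is served to everyone, consent or not, so spiders
    # and visitors without JavaScript still see a real page rather than a wall.
    body = "<h1>Shop</h1><p>Product listing is always served.</p>"
    state = consent_state(request)
    if state == "yes":
        # Only now is the non-essential cookie placed (and, on a real site,
        # only now would the analytics tag be written into the page).
        headers.append(("Set-Cookie",
                        f"{ANALYTICS_COOKIE}=v1; Path=/; Max-Age=2592000; SameSite=Lax"))
    elif state == "unknown":
        body = consent_banner() + body
    return {"status": 200, "headers": headers, "body": body}


def set_cookie_names(response: dict) -> list:
    """Names of the cookies a response would place (or clear) on the device."""
    names = []
    for name, value in response["headers"]:
        if name == "Set-Cookie":
            names.extend(SimpleCookie(value).keys())
    return names


if __name__ == "__main__":
    for req in ({"path": "/", "cookie": ""},
                {"path": "/consent", "method": "POST", "body": "choice=yes"},
                {"path": "/", "cookie": "cookie_consent=yes"},
                {"path": "/", "cookie": "cookie_consent=no"}):
        resp = handle(req)
        print(req["path"], resp["status"], set_cookie_names(resp))
```

The content is never withheld; only the non-essential Set-Cookie line is. The /cookie-policy page deliberately sets nothing, so the 'read more' link does not itself place information on the device. Whether recording the visitor's own answer in a cookie is itself 'strictly necessary' is not settled by the post; the example assumes it is.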
It’s about Privacy
Don't get hung up on the technical side of it (i.e. cookies). It is not only about cookies; it is about not placing information on a user's device that can reduce a person's privacy online.
If you are a normal Internet web site providing information and products you should be less worried about the law than if you actively track users across the Internet and use re-marketing techniques.
A good start is to understand what information you place on a device and why. This covers not only what you place directly but anything placed by any third party you use from your web site; the most cited example is Google Analytics, however as this is just analytics you can be a little less worried.
If you use Google AdSense, however, you need to be worried, as this uses all the tracking, retargeting and re-marketing techniques this law was designed to curtail. You can, however, adjust your business settings to prevent tracking, as can the user of the device.
If you use a Content Management System (CMS) such as WordPress you are reasonably safe, as it is only when someone registers that higher-level privacy information is placed on the device, and this can be covered off during the sign-up process.
The gotcha with CMS systems is plugins, or apps designed to expand the basic functionality of the CMS. During an audit of one of our sites we found a plug-in that placed a cookie on the user's device automatically (they even called it a tracking cookie!). It was an image slider, and this was not mentioned in their blurb about the plug-in at all; hence the real need for an audit!
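A starting point for the kind of audit described above, as an added example that is not from the original post or from any CMS or plugin: given the Set-Cookie headers a crawl of your own pages would record, list every cookie, who sets it, whether it is first- or third-party, how long it persists and which flags it carries, leaving a blank for the purpose you have to write down. The hostnames, cookie names and the reference date below are constructed for the demonstration.

```python
"""Cookie audit: what would a visit to our pages place on the device, set by whom,
and for how long?

Added example (not code from the original post, nor from any CMS or plugin).
The responses below are constructed to resemble what a crawl of a shop site
plus one third-party ad pixel might record; hostnames, cookie names and the
reference date are invented for the demonstration.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlsplit

NOW = datetime(2012, 5, 1, tzinfo=timezone.utc)   # constructed reference date

# (URL that was fetched, Set-Cookie header values seen in its response), constructed
SAMPLE_RESPONSES = [
    ("https://www.example-shop.test/", [
        "PHPSESSID=abc123; Path=/; HttpOnly",
        "wp_slider_tracking=9f1e; Expires=Tue, 30 Apr 2013 12:00:00 GMT; Path=/",
    ]),
    ("https://ads.example-adnetwork.test/pixel.gif", [
        "ad_id=zz99; Domain=.example-adnetwork.test; Max-Age=63072000; Path=/; Secure",
    ]),
]


def site_key(host: str) -> str:
    """Normalise a hostname for the first-party test: lower-case, drop a leading
    dot (as written in Domain attributes) and a leading 'www.'."""
    host = host.lower().lstrip(".")
    return host[4:] if host.startswith("www.") else host


def lifetime_days(morsel, now: datetime):
    """None for a session cookie, otherwise whole days it would survive from `now`.
    Max-Age takes precedence over Expires, as it does in browsers."""
    try:
        if morsel["max-age"]:
            return max(0, int(morsel["max-age"]) // 86400)
        if morsel["expires"]:
            expires = parsedate_to_datetime(morsel["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            return max(0, (expires - now).days)
    except (TypeError, ValueError):
        return None   # unparseable expiry: record the cookie, do not guess a lifetime
    return None


def audit(site_host: str, responses, now: datetime) -> list:
    """One record per cookie with the facts an audit has to write down.
    `responses` is an iterable of (request URL, [Set-Cookie header values])."""
    site = site_key(site_host)
    records = []
    for url, set_cookie_headers in responses:
        setter = urlsplit(url).hostname or ""
        for header in set_cookie_headers:
            try:
                jar = SimpleCookie(header)
            except CookieError:
                records.append({"name": header[:40], "setter": setter, "party": "unparseable"})
                continue
            for name, morsel in jar.items():
                scope = site_key(morsel["domain"] or setter)
                first_party = (scope == site or scope.endswith("." + site)
                               or site.endswith("." + scope))
                records.append({
                    "name": name,
                    "setter": setter,
                    "domain": scope,
                    "party": "first-party" if first_party else "third-party",
                    "lifetime_days": lifetime_days(morsel, now),
                    "secure": bool(morsel["secure"]),
                    "httponly": bool(morsel["httponly"]),
                    "purpose": "TO BE RECORDED",   # the real output of the audit
                })
    return records


def needs_review(records) -> list:
    """Cookies that are third-party or outlive the browsing session: the ones where
    the 'strictly necessary' question most obviously has to be answered."""
    return [r["name"] for r in records
            if r["party"] != "first-party" or r.get("lifetime_days") is not None]


if __name__ == "__main__":
    found = audit("www.example-shop.test", SAMPLE_RESPONSES, NOW)
    for record in found:
        print(record)
    print("review:", needs_review(found))
```

Run against the constructed responses, the session cookie set by the shop itself is listed but not flagged, the slider plugin's year-long cookie is flagged even though it is first-party, and the ad network's two-year cookie is flagged as third-party. The purpose column is deliberately blank: the tool tells you what is there, and the audit is the act of writing down why.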
It’s fundamentally flawed
Technically, the law states you cannot store anything on a user's device without consent unless it is 'strictly necessary'. If this is interpreted at face value you should not download any part of your web site until you have obtained permission from the user of the device.
This is not only cookies; it's images, HTML files, CSS files, JavaScript files, basically anything that constitutes a web site, as, until you obtain consent, you have no right under this law to store information on their device. Technically, to obtain consent, none of these are necessary.
With the move to IPv6 addressing on the Internet it will become extremely difficult not to identify the device being used, as each will have its own ID; thus users will need to understand how their data is processed within a business to become fully informed.
Will I get Prosecuted if I break the Cookie Law?
Quite possibly is the simple answer; however, as the ICO have stated, it will depend upon the severity of the transgression and your intent as to what will happen to you. They have stated that things such as analytics are caught, however given the level of private information contained within the data you are unlikely to be severely punished.
Further Issues:
Do Rome I or II come into play? Have other European countries passed similar laws that you would have to comply with? If you cater for traffic from other European countries then you need to ensure you comply with their cookie laws when they implement them.
Will continually asking for permission constitute harassment? Maybe not, but it will certainly annoy your customers, especially when web sites not based in Europe do not have to worry about the law.
To Sum up
This is a new law and case law does not yet exist to define what 'strictly necessary' means with respect to it; any view, whether the ICO's, lawyers', mine or yours, is arbitrary at the moment. Only when the law is tested will businesses truly understand what is required. The trick is not to be the person who has to test it!
From our point of view, we have carried out an audit of our cookies and will be updating our privacy policy to reflect this. We've adjusted our Google AdSense use and have a technological solution that will put the cookie consent question on every page for every new user; however, at the moment this relies on JavaScript so is not fully compliant. We are holding off using this at the moment as it will impact the customer experience, especially as the level of knowledge about this law in the user base is very low.
Although we have taken legal advice for our situation and are developing our plans as appropriate, none of the information here should be construed as legal advice, as it is not and we are not lawyers!
Further references and reading:
http://www.glovers.co.uk/news.aspx?id=422&Page=2
http://digital.cabinetoffice.gov.uk/author/dafyddbach/
http://digital.cabinetoffice.gov.uk/2012/01/12/cookies-on-the-beta/
http://www.consumerfocus.org.uk/cookies