On 26th May 2011 the Information Commissioner’s Office (ICO) brought into effect new laws that required websites in the UK and EU not to store cookies on a user’s computer without first asking permission.
The ICO gave UK businesses 12 months to “get their house in order”, but 95% of UK companies have yet to comply, according to a study by consultancy firm KPMG.
Is your website ready for 26th May 2012?
What are cookies?
Cookies are small text files containing information that a website stores on your computer when you visit. As the name suggests, they show a tiny cookie crumb-trail of where you have been on a website and how you have interacted with that website.
Do we need cookies?
How do the ICO want websites to change?
The ICO want website owners to tell visitors up front about the cookies used on the site and to explicitly ask for the visitor’s permission to place cookies on their computer.
Here is a link to the full ICO guidelines for website owners.
Don’t browsers control cookies for us?
Yes they do. It is possible in any browser to set rules for cookies.
It would be great if browsers could find a way of handling the cookie law rather than every single website owner having to implement a change. The ICO claims still to be in dialogue with browser companies, hopefully to come up with a solution, but until that time it’s down to website owners to comply.
What’s behind the change?
Let’s hope confused web users will not err on what seems the side of caution and decide to decline cookies, or we predict there’s a busy time ahead for Web Support Teams!
The ICO guidance document tells the story of a survey of web users who, when asked, either didn’t know what a cookie was or how they worked, or had very little understanding of the subject.
A recommendation was made that:
“Online businesses will need to evolve their data-collection and usage transparency in order to illustrate to consumers the benefits of opting-in”.
So there’s clearly a need for education on the subject of cookies, but what is probably at the heart of the reason for the ICO legislation change is the way that some 3rd party cookies can behave.
3rd Party Cookies
3rd party cookies come from external scripts, plug-ins or advertising banners that a website might be using within its own pages. Those scripts, plug-ins and advertising banners all put their own cookies on a visitor’s machine, and although they don’t send back user information or give away any personal data, those cookies which have been downloaded can be recognised again later by another website.
Is this starting to feel all too familiar to you?
Let’s say you do a Google search for a ‘doormat’, and then visit some sites that sell doormats. Isn’t it amazing when, a few days later, you can be on a completely unrelated site yet the advertising banners are showing some of those doormats you were looking at the other day? What a co-incidence! Afraid not. It’s no co-incidence; it’s down to 3rd party cookies recognising earlier installed cookies on your computer. The advertising banner is attempting to sell you doormats based upon its knowledge (thanks to the earlier cookie being present on your computer) that you must have visited a site selling doormats recently.
It’s a common misconception that Google are selling our personal data to advertisers. They are not; that would be a breach of privacy law and in direct contravention of their own newly revised ‘terms’. 3rd party cookies tied in to advertising make it feel like we are being sold to by someone who knows our identity or personal information. Google do create a general profile on you as part of their advertising network based on your habits and interests; click the link to Google’s ad preferences to see how closely they have got you defined! Remember, they are not saying ‘this is what we know about you’ (based on date of birth, names or any supplied personal data that you may have filled in during the sign-up process to use a service from Google); they are saying ‘we feel you fall into this definition’ as an anonymous consumer profile, based on behaviour.
Scary stuff though: consumer profiling coupled with 3rd party cookies means that the combined accuracy really does feel like our identity is exposed.
A change in definition
Cookies are not computer programs, and as such haven’t before now been considered to be Malware or Spyware by anyone. It seems now, however, that the ICO consider cookies to fall under the definition of ‘Online Covert Surveillance Mechanisms’.
Don’t bury your head in the sand
The legislation is coming in, and it’s an opportunity for website owners to understand the subject a bit better for themselves. If you are a website owner:
- Try and run through your own websites and see what cookies they use.
- Try turning cookies off via the browser preferences panel and experience first hand whether your website works as intended without cookies.
- Find out about 3rd party cookies especially: do you use Google Analytics or any form of advertising mechanism? The ICO are still not clearly defining any exemptions, so keep checking back to their website or this article, which we will keep updating.
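One way to carry out the audit in the list above, shown as an added example rather than code from this article or from the ICO: it takes the `Set-Cookie` headers seen during one page load and labels each cookie as 1st or 3rd party and as session or persistent. The hosts, cookie names and the `auditCookies` helper are constructed for illustration.

```javascript
// Constructed sample: responses seen while loading one page of example.co.uk.
// Hosts and cookie names are placeholders, not taken from any real site.
const SAMPLE_RESPONSES = [
  { host: 'www.example.co.uk', setCookie: 'session=abc123; Path=/; HttpOnly' },
  { host: 'www.example.co.uk', setCookie: 'prefs=lang-en; Max-Age=31536000; Path=/' },
  { host: 'ads.example.net', setCookie: 'uid=77f1; Domain=example.net; Expires=Wed, 26 May 2021 10:00:00 GMT' },
];

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// True when host is siteDomain itself or one of its subdomains.
function belongsTo(host, siteDomain) {
  const h = host.toLowerCase();
  const d = siteDomain.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Label every cookie by who set it and how long it lives.
function auditCookies(responses, siteDomain) {
  return responses.map(({ host, setCookie }) => {
    const c = parseSetCookie(setCookie);
    const persistent = 'expires' in c.attrs || 'max-age' in c.attrs;
    return {
      name: c.name,
      setBy: host,
      party: belongsTo(host, siteDomain) ? 'first' : 'third',
      // Without Expires or Max-Age the cookie goes when the browser closes.
      lifetime: persistent ? 'persistent' : 'session',
    };
  });
}
```

Calling `auditCookies(SAMPLE_RESPONSES, 'example.co.uk')` gives one row per cookie; the `third` and `persistent` rows are the ones to look at first.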
Definitely don’t panic
The media have whipped up this story lately and done some scare-mongering (£500,000 fines for non-compliance etc.), but in all likelihood you’d probably have had several warnings and requests to comply fully before being hit with that kind of a fine.
No-one is sure how this requirement is to be policed or how seriously any change towards complying with it is going to be taken by the online community.
A good gauge of web compliance is usually someone like the BBC, and although they have a great ‘cookies policy’ page that is very detailed and informative, so far they don’t seem to be asking for any up-front opt-in permission from their visitors.
How to implement a solution
How many websites have you come across that ask you to opt in to accept cookies?
Is that perhaps a sign of how seriously the new legislation is being taken, or just how poorly prepared UK website owners are?
Quite a few popup solutions for websites are starting to appear, and Twentyfourten have decided to trial one, called Cookie Control, for a few weeks. You will have already decided whether to click ‘I am happy with this’, in which case you won’t see the message again (until you clear your cookies), or you ignored the message and just closed the pop-up for now.
We’d have liked a bit more say over colours and look and feel, radio buttons for which cookies you do or don’t want to accept might be nice, but it does come in a standard widget format along with WordPress plug-in and Drupal module flavours.
It’s worth pointing out too that, even with the functionality to only kick in the 3rd party Google Analytics cookies once the user has given permission, regular 1st party domain related cookies were placed on the visitor’s computer as soon as the page loaded.
That’s not ideal, but the ICO do say the user’s permission should be gained as soon as is possible, so it is probably okay, and certainly there is an effort being made here to comply. The only way to really do it would be to interrupt the page load and ask at that point, but that isn’t very graceful or unobtrusive.
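A sketch of how a page can hold back every non-essential cookie, 1st party ones included, until the visitor opts in, without interrupting the page load. This is an added example, not Cookie Control’s code; the `cookie_consent` cookie name, the `essential` category and the `fakeDocument` stand-in for the browser’s `document` are assumptions.

```javascript
// Queue non-essential cookie setters until the visitor has opted in.
// 'cookie_consent' and the 'essential' category are assumed names.
function createConsentGate(doc) {
  const pending = [];

  function hasConsent() {
    return doc.cookie.split(';').some((c) => c.trim() === 'cookie_consent=yes');
  }

  // Essential code runs at once; everything else waits for consent.
  function run(category, fn) {
    if (category === 'essential' || hasConsent()) fn();
    else pending.push(fn);
  }

  // Call this from the "I am happy with this" button handler.
  function grant() {
    doc.cookie = 'cookie_consent=yes; Max-Age=31536000; Path=/';
    while (pending.length) pending.shift()();
  }

  return { run, grant, hasConsent, pendingCount: () => pending.length };
}

// Minimal stand-in for document.cookie so the example runs outside a browser.
function fakeDocument() {
  const jar = new Map();
  return {
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      const pair = str.split(';')[0];
      const eq = pair.indexOf('=');
      jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    },
  };
}

// Constructed walk-through: one essential cookie, one analytics cookie.
function demo() {
  const doc = fakeDocument();
  const gate = createConsentGate(doc);
  gate.run('essential', () => { doc.cookie = 'basket=3; Path=/'; });
  gate.run('analytics', () => { doc.cookie = 'analytics_id=constructed; Path=/'; });
  const before = doc.cookie; // only the essential cookie exists so far
  gate.grant();
  return { before, after: doc.cookie };
}
```

In a real page the analytics callback would inject the tracking script rather than set a cookie directly; a returning visitor who already holds the consent cookie skips the queue.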
If any of our clients would like to discuss UK cookie law compliance — just get in touch via the usual methods.
Please let us know below what you think about the UK Cookie Law or solutions to comply with it.