UK Cookie Law — advice for website owners

April 24, 2012


On 26th May 2011 the Information Commissioner’s Office (ICO) brought into effect new laws that required websites in the UK and EU to not store cookies on a user’s computer without first asking permission.

The ICO gave UK businesses 12 months to “get their house in order”, but 95% of UK companies have yet to comply, according to a study by consultancy firm KPMG.

Is your website ready for 26th May 2012?

What are cookies?

Cookies are small text files containing information that a website stores on your computer when you visit. As the name suggests, they show a tiny cookie crumb-trail of where you have been on a website and how you have interacted with that website.

Do we need cookies?

Absolutely. Any site which requires you to log in, such as social network sites, forums, banks etc., needs to use cookies to track who you are. Online retailers using shopping cart systems need to use cookies, and if you comment on sites’ message-boards or do any kind of web browsing, expect to be tracked by cookies.

Some cookies on websites are essential, and a site won’t work as expected without them. These cookies are set when you submit a form, log in or interact with a site by doing something that goes beyond clicking on simple links. Website owners can use cookies for analytic purposes to get to know about visits to their website and visitor behaviour.

How do the ICO want websites to change?

The ICO want website owners to tell a visitor up front about the cookies used on the site and to explicitly ask for the visitor’s permission to place cookies on their computer.

Here is a link to the full ICO guidelines for website owners.

Don’t browsers control cookies for us?

Yes they do. It is possible in any browser to set rules for cookies.
It would be great if browsers could find a way of handling the cookie law rather than every single website owner having to implement a change. The ICO claims still to be in dialogue with browser companies, hopefully to come up with a solution, but until that time it’s down to website owners to comply.

What’s behind the change?

Let’s hope confused web users will not err on what seems the side of caution and decide to decline cookies — or there’s a busy time ahead for Web Support Teams we predict!

Consumer understanding

The ICO guidance document tells the story of a survey of web users who when asked, either didn’t know what a cookie was, how they worked, or had very little understanding on the subject.

A recommendation was made that:
“Online businesses will need to evolve their data-collection and usage transparency in order to illustrate to consumers the benefits of opting-in”.

So there’s clearly a need for education on the subject of cookies, but what is probably at the heart of the reason for the ICO legislation change is the way that some 3rd party cookies can behave.

3rd Party Cookies

3rd party cookies come from external scripts, plug-ins or advertising banners that a website might be using within its own pages. Those scripts, plug-ins and advertising banners all put their own cookies on a visitor’s machine, and although they don’t send back user information or give away any personal data, those cookies which have been downloaded can be recognised again later, by another website.

Is this starting to feel all too familiar to you?

Let’s say you do a Google search for a ‘doormat’, and then visit some sites that sell doormats. Isn’t it amazing when a few days later you can be on a completely unrelated site, yet the advertising banners are showing some of those doormats you were looking at the other day? What a coincidence! Afraid not, it’s no coincidence: it’s down to 3rd party cookies recognising earlier installed cookies on your computer. The advertising banner is attempting to sell you doormats based upon its knowledge (thanks to the earlier cookie being present on your computer) that you must have visited a site selling doormats recently.

It’s a common misconception that Google are selling our personal data to advertisers; they are not — that would be a breach of privacy law and in direct contravention of their own newly revised ‘terms’. 3rd party cookies tied in to advertising make it feel like we are being sold to by someone who knows our identity or personal information. Google do create a general profile on you as part of their advertising network based on your habits and interests. Click the link to Google’s ad preferences to see how closely they have got you defined! Remember, they are not saying ‘this is what we know about you’ (based on date of birth, names or any supplied personal data that you may have filled in during the sign-up process to use a service from Google); they are saying ‘we feel you fall into this definition’ as an anonymous consumer profile, based on behaviour.

Scary stuff though: consumer profiling coupled with 3rd party cookies means that the combined accuracy really does feel like our identity is exposed.

A change in definition

Cookies are not computer programs, and as such haven’t before now been considered to be Malware or Spyware by anyone. It seems now however, that the ICO consider cookies to fall under the definition of ‘Online Covert Surveillance Mechanisms’.

Link to ICO page describing cookies.

Advice

Don’t bury your head in the sand

The legislation is coming in, and it’s an opportunity for website owners to understand the subject a bit better for themselves. If you are a website owner:

  • Try and run through your own websites and see what cookies they use.
  • Try turning cookies off via the browser preferences panel and experience first hand whether your website works as intended without cookies.
  • Find out about 3rd party cookies especially: do you use Google Analytics or any form of advertising mechanism? The ICO are still not clearly defining any exemptions, so keep checking back to their website or this article which we will keep updating.
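
One way to run the first and third checks above over a captured page load, as an added example (not code from this article or from the ICO): it labels each cookie as first or third party and as session or persistent. The site domain `shop.example`, the hosts and the cookie values are constructed, and the site domain is passed in by hand because working it out automatically needs the Public Suffix List.

```javascript
// Constructed sample: responses seen while loading one page of a site whose
// registrable domain is assumed to be "shop.example" (hosts and values are made up).
const SAMPLE_RESPONSES = [
  { url: "https://www.shop.example/", setCookie: ["PHPSESSID=abc123; Path=/; HttpOnly"] },
  { url: "https://www.shop.example/basket", setCookie: ["basket=3; Max-Age=86400; Path=/"] },
  { url: "https://stats.analytics.example/collect", setCookie: ["_visitor=9f1c; Expires=Wed, 21 May 2014 10:00:00 GMT"] },
  { url: "https://ads.adnetwork.example/banner.js", setCookie: ["uid=771; Max-Age=31536000", "seg=doormats"] },
];

// Parse one Set-Cookie header value into a name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair: not a usable cookie
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), attributes };
}

// Assumption: a host is first-party when it is the site domain or a subdomain of it.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Label every cookie set during the page load by who set it and how long it lives.
function auditCookies(siteDomain, responses) {
  const findings = [];
  for (const { url, setCookie } of responses) {
    const host = new URL(url).hostname;
    for (const header of setCookie) {
      const cookie = parseSetCookie(header);
      if (!cookie) continue;
      const persistent = "max-age" in cookie.attributes || "expires" in cookie.attributes;
      findings.push({
        name: cookie.name,
        setBy: host,
        party: isFirstParty(host, siteDomain) ? "first" : "third",
        lifetime: persistent ? "persistent" : "session",
      });
    }
  }
  return findings;
}
```

The persistent third-party entries in the result are the ones to look at first, since they are the cookies that can be recognised again on another site.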

Definitely don’t panic

The media have whipped up this story lately and done some scare-mongering, £500,000 fines for non-compliance etc but in all likelihood, you’d probably have had several warnings and requests to comply fully before being hit with that kind of a fine.

No-one is sure how this requirement is to be policed or how seriously any change towards complying with it is going to be taken by the online community.

A good gauge of web compliance is usually someone like the BBC, and although they have a great ‘cookies policy’ page that is very detailed and informative, so far they don’t seem to be asking any up front opt in permission from their visitors.

How to implement a solution

How many websites have you come across that ask you to opt in to accept cookies?

Probably none.

Is that perhaps a sign of how seriously the new legislation is being taken, or just how poorly prepared UK website owners are?

Quite a few popup solutions for websites are starting to appear, and Twentyfourten have decided to trial one for a few weeks called Cookie Control. You will have already decided whether to click ‘I am happy with this’, in which case you won’t see the message again (until you clear your cookies), or you ignored the message and just closed the pop-up for now.

We’d have liked a bit more say over colours and look and feel, and radio buttons for which cookies you do or don’t want to accept might be nice, but it does come in a standard widget format along with WordPress plug-in and Drupal module flavours.

It’s worth pointing out too, that even with the functionality to only kick in the 3rd party Google Analytics cookies once the user has given permission, regular 1st party domain related cookies were placed on the visitor’s computer as soon as the page loaded.

That’s not ideal, but the ICO do say the user’s permission should be gained as soon as is possible, so probably okay and certainly there is an effort being made here to comply — the only way to really do it would be to interrupt the page load and ask at that point, but that isn’t very graceful or unobtrusive.
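
The opt-in gating described above, sketched as an added example (this is not Cookie Control's code): scripts that set 3rd party cookies stay unloaded until the visitor's recorded choice is "yes". The cookie name `cookie_consent`, the script URLs and the one-year lifetime are assumptions made for the example.

```javascript
// Hypothetical names: the "cookie_consent" cookie and the script URLs are
// assumptions for this example, not identifiers used by any real widget.
const CONSENT_COOKIE = "cookie_consent";
const SCRIPTS = [
  { src: "/js/basket.js", needsConsent: false },                        // essential, 1st party
  { src: "https://analytics.example/tracker.js", needsConsent: true },  // 3rd party analytics
];

// Read the visitor's recorded choice from a document.cookie-style string.
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) return rest.join("=") === "yes" ? "granted" : "refused";
  }
  return "unknown"; // no choice recorded yet: the banner should be shown
}

// Default deny: until consent is granted, only scripts that need none are returned.
function scriptsToLoad(cookieString, scripts = SCRIPTS) {
  const granted = readConsent(cookieString) === "granted";
  return scripts.filter((s) => granted || !s.needsConsent).map((s) => s.src);
}

// Cookie string that records the visitor's choice (itself a 1st party cookie).
function consentCookie(choice) {
  return `${CONSENT_COOKIE}=${choice ? "yes" : "no"}; Max-Age=31536000; Path=/; SameSite=Lax`;
}

// In a browser, inject only the permitted scripts; elsewhere this branch is skipped.
if (typeof document !== "undefined") {
  for (const src of scriptsToLoad(document.cookie)) {
    const el = document.createElement("script");
    el.src = src;
    document.head.appendChild(el);
  }
}
```

A banner's accept button would assign `consentCookie(true)` to `document.cookie` and then load the deferred scripts, so analytics starts only after the click.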

If any of our clients would like to discuss UK cookie law compliance — just get in touch via the usual methods.

Please let us know below what you think about the UK Cookie Law or solutions to comply with it.

Article by Simon Knight


Simon Knight is Art Director at Twentyfourten Ltd. A Web Designer since the late nineties he has survived framesets, tables, ticker banners, Flash splash pages and spinning e-Mail '@' symbols - though he dearly misses the 'clunk-clunk-weeeeee-clang-clang' whine of a 56K dial-up connection.



Wolf Software April 27, 2012 at 12:44 pm

We have created and provided for FREE a suite of compliance solutions for people and businesses to use on their sites.

http://demos.dev.wolf-software.com
