The E-Privacy Directive was first introduced in 2011, but in the UK the Information Commissioner's Office (ICO) agreed to delay its enforcement until May 2012. It now requires website owners to gain a user's consent before their website stores a cookie on that user's computer.
So what is a cookie?
A cookie is a small text file stored on your computer by your browser (Internet Explorer, Firefox, etc.). Your browser creates and stores this file when instructed to do so by a website. This happens behind the scenes, so you won't usually notice that it has happened.
Are cookies bad?
No, absolutely not!
Despite getting a bad press at times, cookies should not be grouped with "viruses", "trojans", "malware" and other scary-sounding IT nasties.
A website typically creates a cookie when there is a genuine and reasonable need to do so and this is most often to:
- record a user's preferences
- or acknowledge that a user has logged in to the website
- or preserve some information until the user's next visit
For example, when you enter your postcode on the BBC's home page, your choice is recorded in a cookie so that the next time you visit the site, you get information (such as weather and TV listings) relevant to your location.
When you add a product to an online shopping basket, the details might be stored in a cookie so that as you move around the website, the website remembers the contents of your shopping basket.
Some cookies - commonly known as "tracking cookies" - are used to keep a record of a user's browsing habits and it's the use of these cookies and their "big brother" connotations that have caused the recent consternation.
Does my website use cookies?
The easiest way to answer this question is to ask your website designer, who should be able to explain how your site was built and whether cookies are involved. If you prefer, get in contact with us and we'll happily check your site for you.
One simple rule of thumb, which might provide an immediate answer to this question, is that if your site uses Google Analytics for gathering website statistics, it follows that your site definitely uses cookies.
What does the new law require me to do?
The E-Privacy Directive requires that website owners gain consent from users if that website uses cookies.
Given that cookies are often used to improve a user's browsing experience, you might wonder why consent is an issue.
The legislation is aimed primarily at cookies used for tracking visitors' behaviour. In particular, it aims to address the issue of "3rd party cookies", where information about a visitor's behaviour across different websites is recorded in a cookie. An advertising company might deploy a 3rd party cookie so that it can build a more comprehensive picture of a user's online activity, for instance.
The ICO recommends that website owners audit their use of cookies to ascertain which of them are "strictly necessary" and for those that are, the website owner must work out how they will gain the user's consent.
How do I get consent from my website visitors?
At this stage, there doesn't appear to be a definitive answer!
However, if you interpret the legal requirements literally, the only way a user can demonstrate consent is by "opting in" and so a tickbox displayed prominently on the screen, which a user can tick to show that they're happy to receive cookies, seems like the clearest approach.
It's clear that not all websites are as transparent as this though, with many taking an alternative approach ranging from:
- doing nothing, presumably on the assumption that they won't end up in trouble anyway!
- updating their Terms & Conditions to indicate that their website uses cookies
- adding a separate notification on the web page explaining that the site uses cookies
Clearly, while it is good to add information to your site explaining your cookie policy, none of these alternatives truly demonstrate that you, as the website owner, have gained consent from your users.
To ensure your users are kept well informed and given fair notice that your website uses cookies, you should consider these actions and work out which apply to you:
Terms & Conditions
As long as your T&Cs are clear and easily accessed, they should include an explanation of your use of cookies. For new users - who might be presented with your T&Cs as part of the sign-up process - this will work well but already-registered users, who may not realise that your T&Cs have changed, will need to be notified differently.
Notify at the time of use
If your website uses cookies to enhance the visitor's browsing experience - just as the BBC's site does when it records your location - you can inform your user at the time they activate the enhanced content and explain that by proceeding, they are deemed to have provided their consent.
Cookie page
The simplest approach might be to add a Cookie Page to your website which explains your cookie policy and highlights where cookies are used on your site. You should also add a prominent link to the cookie page so visitors can find it easily and feel that they have been kept well informed.
And if I don't...?
Website owners who fail to take the necessary measures to comply with the Directive could face a fine of anything up to £500,000!
What next?
If you need help working out whether your website uses cookies, contact Rubiqa and we'll be happy to help. Similarly, we can work with you to put in place a cookie consent form that will ensure that your website is compliant with the new legislation.
Please note: ultimately, this is a legal matter and Rubiqa is not providing legal advice. You may wish to take separate advice from a recognised legal professional.