UPDATE: The ICO have updated their guidance, read here. Explicit consent is no longer required.
To know what you have to do to comply with the EU Cookie Law, you first need to know what cookies your site is using. It might be more than you think.
For example, does your website have any of these technologies or features?
- WordPress, or any other content management system
- Google Analytics, or any similar website analytics program
- A blog
- Facebook, Twitter, Google+ or other social media “like” buttons or plugins
- Google AdSense and/or AdWords
- Personalised settings e.g. a welcome message, remember my email, “don’t show me popup ‘x’”
- A shopping basket / cart
You don’t need to get consent for all cookies, however. Cookies that are “strictly necessary” for the running of your website are excluded from the directive. The definition of “strictly necessary” is black and white though:
Cookies that are considered strictly necessary:
- Cookies to remember items in a shopping basket
- Cookies providing essential security measures
- Cookies used for quick loading and distribution of content
However, some common web services are NOT considered strictly necessary:
- Google Analytics, or similar software to analyse visitors
- Cookies that remember user preferences
- First and third party advertising cookies
- Facebook like buttons
What should I do?
At the time of posting this, we have still to find an elegant solution to complying with this law.
- Remove all cookies. Not recommended.
- Add a banner to your site allowing users to opt in to using cookies. This is full compliance. This is what the ICO did on their site, and it saw a 90% drop in recorded visitors to their site. This shows people are uninformed about what cookies are and therefore would be too scared to set them or indifferent about agreeing to allow them.
We would also suggest you look at what others have done. Many sites are taking a ‘lite’ approach whilst they see what their competitors are doing, but you need to balance the ‘liteness’ of your approach with the risk of non-compliance.
Remember to use common sense. The law is vague and the guidance contradictory, but it is all based on a desire to put people in control of their data to protect their privacy. So, try to operate in the spirit of the law. If you use intrusive cookies, accept you need to be more explicit about gaining consent. If you don’t, then focus on providing information to reassure users and the ICO that you haven’t just stuck your head in the sand!
CuCo will help their customers to apply a compliant solution to their websites once it is available. Each customer will have a responsibility to decide whether to switch their website to operate in this manner and to fund any design changes that might be necessary. Whilst unwelcome and inconvenient, it is a burden imposed directly by the UK Government.
What other high profile sites have done
As of posting this, the following do not comply:
As of posting this, the following have taken steps to comply, but still don’t:
As of posting this, the following do comply:
Disclaimer: CuCo does not provide legal advice. This article has not been reviewed for legal accuracy or correctness.