From the 20th May, technically, every website that is available in the UK/Europe should:
- notify visitors of the cookies they use and what each cookie does
- ask for explicit consent from the visitor on the first page load.
The EU Cookie Directive, which has come to be known as the Cookie Law, will present a massive step backwards for site operators who have grown accustomed to the masses of data available for analysis and more. But, there still aren’t any clear examples which do the job in a user-friendly way.
The Law
a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Regulation 6 of the Privacy and Electronic Communications (PDF)
What The Law Means
Firstly, visitors must be clearly notified of the cookies that will be stored and be given comprehensive information about what each cookie does. Secondly, they must give their explicit consent for the cookies to be stored.
Let’s remember that this applies to any cookie set on a website. For example, most sites will set a session cookie at the very least; more complex sites will set third-party advertising cookies, preference cookies, past-behaviour cookies and more.
The comprehensive information you need to provide can’t just be “We set cookies to improve your experience”. The information should explain:
- what a cookie is
- why they are used on your site
- what cookies, or the categories of cookies, are set
- an example of what they do
Is There Anything Else?
Yes. There are several use cases for exceptions.
Some cookies are “strictly necessary” for the “provision of… services… requested by the… user”. An example given by the ICO is that of an online retailer, where a cookie is “used to ensure that when a user… has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, the site ‘remembers’ what they chose on a previous page.”
This also includes load-balancing cookies and cookies set for security (by an online banking service, for example). However, cookies set for analytics or advertising are not seen as strictly necessary, and so need to be given explicit consent in order to be dropped.
What About Browser Settings?
Browser settings aren’t enough – yet.
…if the user visits a website, the website can identify that their browser is set up to allow cookies of types A, B and C but not of type D and as a result can be confident that in setting A, B and C they have the users consent to do so. They would not set cookie D.
At present, most browser settings are not sophisticated enough…
But it could become an option in the future.
Anything Else?
Yes.
The ICO guidelines make allowances for instances where a visitor is given clear notification and the chance to explicitly consent, but then clicks on an internal link elsewhere on the page.
In this case, all cookies can be set on what is effectively the second page load – as long as the initial notice is clear, you can infer that they have “actively indicated they are comfortable with cookies”.
The ICO does say though that you may want to prominently display a notice to remind users that you have set cookies.
Will We Be Prosecuted For Dropping Analytics Cookies?
Probably not.
Whilst he does not consider they are exempt from the rules the Commissioner is therefore unlikely to prioritise, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services…
How To Get Started
There are many different interpretations of the law, but below we’ve identified three steps to ensure you’re ready for the Cookie Law.
The First Step For Site Operators
Site operators need to firstly carry out a cookie audit. This means looking at:
All of the cookies your site sets and why
This is useful not just for this purpose, but because it can also help reduce things like page loads and get rid of redundant cookies which you may still be setting.
How intrusive each cookie is
The ICO document notes that “although the law makes no distinction between different types of cookie it is intended to add to the level of protection afforded to the privacy of internet users.”
Effectively, this means that the more intrusive your cookies, the more you should think about changing how they are used – although there is no need to notify users of how intrusive the cookies you set are.
Whether a cookie is “strictly necessary”
In some use cases, there will be cookies that are strictly necessary and that abide by the “spirit of the law” set out in the regulations – in which case these can be set automatically, without the need to gain consent. Remember that only cookies which are strictly necessary for the provision of a service requested by the user can be set.
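The audit and the consent rules above can be enforced in code. This is an added example, not taken from the ICO guidance or from any of the products reviewed below: it checks each outgoing Set-Cookie header against an audit inventory, always lets “strictly necessary” cookies through, and holds everything else back until consent is explicit or inferred on the second page load. The cookie names, categories, purposes and visitor-state fields are all hypothetical.

```javascript
// Added example. AUDIT is a constructed cookie-audit result: every cookie name,
// category and purpose below is hypothetical, as are the visitor-state fields.
const AUDIT = new Map([
  ["sessionid",  { category: "strictly-necessary", purpose: "remembers the basket between pages" }],
  ["lb_node",    { category: "strictly-necessary", purpose: "load balancing" }],
  ["_analytics", { category: "analytics",          purpose: "first-party visit statistics" }],
  ["ad_track",   { category: "advertising",        purpose: "third-party ad targeting" }],
]);

// Extract the cookie name from a Set-Cookie header value, or null if malformed.
function cookieName(header) {
  const pair = header.split(";")[0].trim();
  const eq = pair.indexOf("=");
  return eq < 1 ? null : pair.slice(0, eq);
}

// Consent is explicit (visitor clicked accept) or inferred on the second page
// load: a clear notice was shown and the visitor then followed an internal link.
// Assumption of this example: an explicit refusal overrides the inference.
function hasConsent(visitor) {
  if (visitor.refused) return false;
  if (visitor.accepted) return true;
  return Boolean(visitor.noticeShown && visitor.followedInternalLink);
}

// Decide, per outgoing Set-Cookie header, whether it may be sent to this visitor.
function gateCookies(setCookieHeaders, visitor) {
  const result = { set: [], withheld: [], unaudited: [] };
  const consent = hasConsent(visitor);
  for (const header of setCookieHeaders) {
    const name = cookieName(header);
    if (name === null) continue;
    const entry = AUDIT.get(name); // Map lookup: names like "constructor" cannot match
    if (!entry) result.unaudited.push(name); // not in the audit: withhold and flag
    else if (entry.category === "strictly-necessary" || consent) result.set.push(name);
    else result.withheld.push(name);
  }
  return result;
}

// Lines for the consent notice: what each withheld cookie is for, from the audit.
function noticeLines(withheld) {
  return withheld.map((name) => `${name}: ${AUDIT.get(name).purpose}`);
}

// Constructed sample headers, as an application might emit on one response.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly; Secure",
  "_analytics=v1.1234; Max-Age=63072000; Path=/",
  "ad_track=xyz; Domain=.ads.example; Path=/",
  "mystery=1",
];
console.log(gateCookies(SAMPLE_HEADERS, { noticeShown: true }));
```

Cookies that turn up in `unaudited` are the ones the audit missed; they are withheld until someone has classified them.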
Everything OK? Now Find a Solution.
This really will be the Holy Grail of ensuring you keep as many users as possible clicking “I agree” from 20th May onwards.
Below, we’ve listed and critiqued a few cookie law solutions – but we’re sure there must be more we haven’t found. Feel free to email your suggestions to james@predictiveintent.com and we’ll add them.
The Cookie Collective’s solution is very nice: it’s polished and is based on getting visitors to click Allow – visitors can’t escape from the bar or close it unless they Accept.
However it only allows visitors to accept all cookies and may not be the right option for site operators looking to allow visitors to choose the type of cookies they want to allow.
The solution starts at £295 +VAT per year, but is fully managed – their team will audit your cookies and write copy that complies with the “comprehensive information” requirement.
Score: 8/10

Having only recently come across Portent, it’s a nice and simple (free) solution – however it’s not certain that it complies with the regulation.
On the first page load, a standard dialog box will appear asking the visitor to accept cookies. It doesn’t provide any “comprehensive information” on the cookies used. If a visitor ‘cancels’ the box, they will be redirected to a separate privacy policy page (which can’t set any cookies).
We’re not confident that this solution could meet the requirements for the law, and I don’t think it provides a good user interface. However, we do like the fact that it will check to see if the visitor is from the EU before showing the box – and so, could be a contender for internationally-based businesses with UK traffic.
Score: 2/10

The free Jpecr package from Wolf Software has a lot of good points. Visitors can be presented with the notification in a number of different ways (a top/bottom bar, a hover box, automatically appear from the top or appear as a modal window); site operators can input clear and comprehensive information about why they are using cookies and what they do, and go into detail on the exact cookies used. We like that users can select which cookies they want to receive – therefore being able to opt in to Facebook cookies but opt out of 3rd party advertisers.
But, in binary opposition to the previous solution, this gives the user too many options. Take a look at their (very comprehensive) demo page, and try Demo 8. From a consumer point of view, you would be scared if you arrived on a site and were presented with that.
This could very quickly become a winner if they enhanced it with some aspects from the Cookie Collective solution.
Score: 6/10

The Cookie Q Solution seems to be a bit more complicated than any others, as they focus around the “button”, rather than the clear notification – although an optional banner is provided. The banner doesn’t offer the “comprehensive information” on the cookies that will be set and what they do, but they do say that they have a “gated” Facebook Like system and that, interestingly, you can still collect useful statistical information about 100% of the visitors whether they have opted-in to cookies or not.
They do focus on “buttons”, so for site operators looking to implement their own notification bar/modal window solution but looking for the technology to control the opt-in, this might be one for you.
Score: 6/10

Again, it’s not certain that this complies. Firstly, the notification options aren’t clear enough – the notification shows on each page load, then disappears after a few seconds into the orange triangle (a diamond shape is also available). The notification doesn’t show “comprehensive information” and only links to a site’s privacy policy. However, the authors say that more advanced users can go further with the product.
Score: 5/10
Any others?
Email me at james@predictiveintent.com and we’ll write up a review.
Closing Thoughts
We’re surprised that there’s no single solution which uses the “second page load” exception, or any that are really designed for the user – rather, they seem to be designed in a complicated way by developers with no idea about user interfaces or persuasive design. Something for an innovative entrepreneur, perhaps?
Your Opinion
What do you think will happen on May 20th? Will consumers all over Europe wake up to ugly modal boxes, or will the ICO hit corporations with enforcement notices?



An excellent article about the ins and outs of the cookie law.
I work for the Cookie Collective and would like to explain why our default approach is for users to allow all cookies in the Optanon solution.
We essentially felt that there is a greater risk of confusing site visitors at this time if they are given too much choice. This is especially true while awareness of cookies in the general public is low – although it may change in the future.
Therefore we decided that the ‘allow all’ approach was the best option for both site owners and visitors. In order to make such a decision an informed one, the focus is then on giving visitors as much information as possible – which helps to raise that visitor awareness level, and enable more informed decisions.
Of course this situation may change over time, and when it does we will be offering the ability to selectively control use of cookies, should site owners decide they want to offer that option.
I am the CTO of Baycloud Systems, the developers of CookieQ. I would like to refute your grotesquely glib analysis by relating a few facts.
The reason we have a button is to continuously reflect whether a visitor has consented to cookies at a website or not. The button can be customised to fit in with look and feel of customer’s sites and can even be a hidden element that does not appear at all. It is there to give visitors an instant check if they have consented to cookies, and to allow them to withdraw or give their consent at any time by clicking the button.
This is an important feature as without it visitors could only withdraw their consent by deleting all their cookies in their browser, as they must with other solutions you mention. This is difficult for visitors to do, even if they are aware they can, and inconvenient because important preferences at other websites would be lost.
But it is optional and does not need to be shown.
Our reminder banner is, as you say, optional and the text and styling is also easily customisable for any website. It is there to remind visitors if they have not opted-in to cookies and contains a link so that they can opt-in.
We have also implemented the Article 29 Working Party’s suggestion for a “Refuse” option so that if a visitor has decided not to agree to cookies they can switch off the reminder banner so it will never appear again.
Most of our customers have implemented the reminder banner option, but some have chosen not to. The banner is not obligatory exactly because we have the button which visitors can always use to register their choice.
CookieQ deletes all cookies which are not “strictly necessary” when a visitor has not opted in. It also has an option to just remove visitor identifying cookies as a customer configured option. It does not require an external repository of cookie names, which in any case can never be exhaustive. The “name” of a cookie is simply one of a number of ways to tag a cookie with a specific value. These values have a meaning only to the programmer who designed the relevant code and can be changed at any time. Attempting to build an authoritative database of them is a bit like trying to herd cats.
Our solution may appear complex at first glance because it supports a great number of features.
• It gives visitors the ability to opt-in or opt-out at any time at a customer’s website or from a single common location. It does not encourage visitors to click a one-way trap “Allow” button then not give them the option to change their mind. Web publishers can link to any information they feel necessary to allow for explicit informed consent, and there is no need to confuse visitors with irrelevant and arcane technical information.
• Supports all browsers even where JavaScript has been disabled.
• Websites can use the “ThirdParty” button to replace 3rd party content, stopping 3rd party cookies from being placed if they have not been agreed to, but giving visitors the option to accept them if they want. Once visitors have consented to cookies from a 3rd party site, which they may do on any site, the content is delivered and the web publishers need take no further responsibility.
• Supports the insertion of custom variables into the Google Analytics AJAX call so unique visitors can be detected even when the GA cookies are deleted.
• Supports the non-deletion of “strictly necessary” cookies.
• Allows web publishers to categorise cookies as non-identifying, such as those that simply register user preferences, or identifying, i.e. contain visitor unique value. Publishers can then give their visitors the option to accept all or non-identifying cookies. They do not need to bombard their visitors with complex descriptions and obscure cookie names.
• It responds to Do-Not-Track notifications in a way that complies with EU law.
• Our complementary cookie audit automatically spider scans all pages on customer’s websites and detects all JavaScript and http cookies including 1st party, linked 3rd party and 3rd party beacons. It does not require manual scanning and does not involve passing sensitive cookie values to 3rd party sites.
The feature list is large and technically complex but this reflects the maturity of our product and the incorporation of many features requested by customers. Our aim is nevertheless to make it as simple and seamless as possible for any web publisher to comply with the law and we have many less tech savvy customers who have implemented it on their websites without difficulty.
We are a very technically focussed company. We have concentrated on developing a solution that can meet all necessary requirements, and have maybe spent less time than those with less technically sophisticated solutions in marketing ourselves.
Thanks for the mention of Cookie Control James.
Just to be clear – it’s up to webmasters to comply with the law, not solution providers. No solution is “compliant” out of the box unless it’s appropriately deployed.
Cookie Control is neat because of its inherent flexibility. You can deploy it as a first step towards compliance, or in tandem with some other tweaks to your code, as a strict compliance solution.
That’s not “uncertain” it’s just up to you, which is how it should be.
Also worth mentioning that this has been developed for free, for the web community under CIVIC’s “Pride” program.
- It’s free
- Open source
- Geo-aware
- Customisable
- Lightweight
- Flexible
Happy to help anyone with their implementation, should they need it.
Mark
Head of Client Services
CIVIC
Hopefully a lot of the large online companies use a common approach and that will, again hopefully, set the standard that other smaller websites can follow.
The majority of end users will have no idea why they are being presented with the question, a lot will invariably just hit YES or NO without even reading the text and will be left wondering why websites don’t function the way they used to. Genuine website owners will get far less insight into their visitors and will not be able to provide as good a website experience as previous until every end user is comfortable with the new law.
I would think the majority of website owners will take a sit back and discover approach and leave their sites non-compliant, hoping that the bigger websites that would be under scrutiny set the way forward.
Hi James
Thank you for including Wolf Software in your review and also providing some interesting feedback at the same time.
We actually have 2 solutions, the image on this site is actually the jpecrGA solution, but that’s not a problem.
As for scaring people, it might yes, but the number of cookies that people put up for consent is down to the site owner, so it could be 1 or it could be many. You could even use the plugin in an ‘accept all’ state without a problem.
Both solutions are:
- Free
- Open source
- Geo-aware
- Customisable / totally skinnable
- Lightweight
- Flexible
For us we have put out a solution so people have options, they need to decide what is right for them.
Hey everyone,
I’m the author of the free Cookie Law Solution at Portent. The script is free for anyone to use and therefore, is customizable. I didn’t put copy in on the popups or refusal of cookies page because it should be customized to the site the script is on.
If that is the only mark against the script, I think it should be taken with a grain of salt and understood that comprehensive information of the cookies being used on the site can be added to the script.
Something to consider anyway..