From the 20th May, technically, every website that is available in the UK/Europe should:
- notify visitors of the cookies they use and what each cookie does
- ask for explicit consent from the visitor on the first page load.
The EU Cookie Directive, which has come to be known as the Cookie Law, will present a massive step backwards for site operators who have grown accustomed to the masses of data available for analysis and more. But, there still aren’t any clear examples which do the job in a user-friendly way.
a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
What The Law Means
Firstly, visitors must be clearly notified of the cookies that will be stored and be given comprehensive information about what each cookie does. Secondly, they must give their explicit consent for the cookies to be stored.
Let’s remember, that this is for any cookie set on a website. For example, most sites will set a session cookie at the very least; more complex sites will set third-party advertising cookies, preference cookies, past-behaviour cookies and more.
The comprehensive information you need to provide can’t just be “We set cookies to improve your experience”. The information should explain:
- what a cookie is
- why they are used on your site
- what cookies, or the categories of cookies, are set
- an example of what they do
Is There Anything Else?
Yes. There are several use cases for exceptions.
Some cookies are “strictly necessary” for the “provision of… services… requested by the… user”. An example given by the ICO is that of an online retailer, where a cookie is “used to ensure that when a user… has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, the site ‘remembers’ what they chose on a previous page.”
This also includes load-balancing cookies and cookies set for security (by an online banking service, for example). However, cookies set for analytics or advertising are not seen as strictly necessary, and so need to be given explicit consent in order to be dropped.
What About Browser Settings?
Browser settings aren’t enough – yet.
…if the user visits a website, the website can identify that their browser is set up to allow cookies of types A, B and C but not of type D and as a result can be confident that in setting A, B and C they have the user's consent to do so. They would not set cookie D.
At present, most browser settings are not sophisticated enough…
But it could become an option in the future.
The ICO guidelines make allowances for instances where a visitor is given clear notification and the chance to explicitly consent, but then clicks on an internal link elsewhere on the page.
In this case, all cookies can be set on what is effectively the second page load – as long as the initial notice is clear, you can infer that they have “actively indicated they are comfortable with cookies”.
The ICO does say though that you may want to prominently display a notice to remind users that you have set cookies.
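The consent flow described in the last three paragraphs can be expressed as a small state machine: strictly necessary cookies are written immediately, everything else is held back until the visitor opts in, and the "second page load" allowance only applies once the notice has actually been shown. The following is an added example written for this article, not code from the original post or from any of the products reviewed below; the category names, the cookie register, the `ConsentGate` class and the in-memory cookie jar that stands in for `document.cookie` are all assumptions made for the example.

```javascript
// Added example (not from the original post): a per-category consent gate.
// CATEGORIES, COOKIE_REGISTER and the in-memory jar are assumptions for this example.

const CATEGORIES = {
  STRICTLY_NECESSARY: 'strictly-necessary', // session, basket, load balancing, security
  PREFERENCES: 'preferences',
  ANALYTICS: 'analytics',
  ADVERTISING: 'advertising',
};

// Output of the cookie audit: every cookie the site sets, its category and a plain
// statement of what it does (this text is what the notice shows to the visitor).
const COOKIE_REGISTER = {
  SESSIONID: { category: CATEGORIES.STRICTLY_NECESSARY, purpose: 'keeps your login and basket between pages' },
  lb_node:   { category: CATEGORIES.STRICTLY_NECESSARY, purpose: 'sends your requests to the same server' },
  lang:      { category: CATEGORIES.PREFERENCES,        purpose: 'remembers the language you chose' },
  _ga:       { category: CATEGORIES.ANALYTICS,          purpose: 'counts visits and pages viewed' },
  ad_id:     { category: CATEGORIES.ADVERTISING,        purpose: 'identifies you to a third-party advertiser' },
};

class ConsentGate {
  constructor(cookieJar) {
    this.jar = cookieJar;        // plain object name -> value, standing in for document.cookie
    this.noticeShown = false;    // becomes true once the clear notice is on screen
    this.consented = new Set([CATEGORIES.STRICTLY_NECESSARY]); // exempt category, always allowed
    this.deferred = [];          // [name, value] pairs held back until their category is consented
  }

  // The notice is generated from the register so it always lists every cookie and its purpose.
  noticeText() {
    return Object.entries(COOKIE_REGISTER)
      .map(([name, e]) => `${name} [${e.category}]: ${e.purpose}`)
      .join('\n');
  }

  showNotice() {
    this.noticeShown = true;
  }

  // Explicit opt-in: "I agree" (all categories) or a per-category selection.
  accept(categories) {
    for (const c of categories) this.consented.add(c);
    this.releaseDeferred();
  }

  // ICO allowance: a visitor who has seen the notice and then follows an internal link
  // has "actively indicated they are comfortable with cookies". Navigation before the
  // notice was shown proves nothing, so it changes no state.
  internalNavigation() {
    if (this.noticeShown) this.accept(Object.values(CATEGORIES));
  }

  // Every cookie write goes through here. Returns true when the cookie is set now,
  // false when it is refused (not in the register) or deferred (no consent yet).
  setCookie(name, value) {
    const entry = COOKIE_REGISTER[name];
    if (!entry) return false;
    if (this.consented.has(entry.category)) {
      this.jar[name] = value;
      return true;
    }
    this.deferred.push([name, value]);
    return false;
  }

  // Retry held-back cookies; those whose category is still not consented are re-deferred.
  releaseDeferred() {
    const pending = this.deferred;
    this.deferred = [];
    for (const [name, value] of pending) this.setCookie(name, value);
  }

  // Categories currently allowed, useful for the reminder notice mentioned above.
  consentedCategories() {
    return [...this.consented].sort();
  }
}

// Walk-through of a first page load: the page tries to set its usual cookies before any consent.
function simulateFirstVisit(gate) {
  gate.setCookie('SESSIONID', 's3ss10n');   // strictly necessary: set immediately
  gate.setCookie('_ga', 'GA1.2.1');         // analytics: deferred
  gate.setCookie('ad_id', 'adv-42');        // advertising: deferred
  gate.showNotice();
  return gate;
}
```

In a real page the jar would be `document.cookie` (or the server's `Set-Cookie` logic for HttpOnly cookies, which a script cannot manage), and `internalNavigation()` would be driven by a click handler on internal links or by a consent flag carried to the next page; the point the example makes is that the inference is only valid after `showNotice()`, and that per-category acceptance leaves the other categories deferred rather than dropped silently.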
Will We Be Prosecuted For Dropping Analytics Cookies?
Whilst he does not consider they are exempt from the rules the Commissioner is therefore unlikely to prioritise, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services…
How To Get Started
There are many different interpretations of the law, but below we’ve identified three steps to ensure you’re ready for the Cookie Law.
The First Step For Site Operators
Site operators need to firstly carry out a cookie audit. This means looking at:
All of the cookies your site sets and why
This is useful not just for this purpose, but because it can also help reduce things like page loads and get rid of redundant cookies which you may still be setting.
How intrusive each cookie is
The ICO document notes that “although the law makes no distinction between different types of cookie it is intended to add to the level of protection afforded to the privacy of internet users.”
Effectively, this means that the more intrusive your cookies, the more you should think about changing how they are used – although there is no need to notify users of how intrusive the cookies you set are.
Whether a cookie is “strictly necessary”
In some use cases, there will be cookies that are strictly necessary and that abide by the “spirit of the law” set out in the regulations – in which case these can be set automatically, without the need to gain consent. Remember that only cookies which are strictly necessary for the provision of a service requested by the user can be set.
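The three audit questions above (what is set, how intrusive it is, whether it is strictly necessary) can be answered mechanically for a first pass by capturing the Set-Cookie headers your own site sends and comparing them against a register of the cookies you know about. The script below is an added example written for this article, not code from the original post or from any of the solutions it reviews; `SITE_DOMAIN`, the `REGISTER` object and the sample headers are constructed for the example, and the "intrusiveness" findings (third-party domain, lifetime over a year) are the author's own heuristics rather than anything the ICO guidance specifies.

```javascript
// Added example (not from the original post): a first-pass cookie audit over captured
// Set-Cookie headers. SITE_DOMAIN, REGISTER and SAMPLE_SET_COOKIE are constructed.

const SITE_DOMAIN = 'shop.example';

// The operator's register of known cookies; anything not listed is a finding.
const REGISTER = {
  SESSIONID: { category: 'strictly-necessary', purpose: 'basket and login' },
  _ga: { category: 'analytics', purpose: 'visit counting' },
};

// Constructed Set-Cookie headers, as they might be captured from responses during the audit.
const SAMPLE_SET_COOKIE = [
  'SESSIONID=3f9a; Path=/; HttpOnly; Secure',
  '_ga=GA1.2.1; Domain=.shop.example; Path=/; Expires=Fri, 20 May 2016 00:00:00 GMT',
  'ad_id=7777; Domain=.ads-network.example; Path=/; Max-Age=63072000',
  'old_promo=1; Path=/; Max-Age=0',
];

// Split one header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days: null for a session cookie, 0 or negative for a deletion.
// Max-Age takes precedence over Expires, as in RFC 6265.
function lifetimeDays(attrs, now) {
  if ('max-age' in attrs) return Number(attrs['max-age']) / 86400;
  if ('expires' in attrs) return (Date.parse(attrs.expires) - now.getTime()) / 86400000;
  return null;
}

// A Domain attribute that is neither the site nor one of its parent domains marks a third party.
function isThirdParty(attrs) {
  if (!attrs.domain) return false;
  const d = attrs.domain.replace(/^\./, '');
  return !(d === SITE_DOMAIN || SITE_DOMAIN.endsWith('.' + d));
}

// One row per header: category from the register, lifetime, third-party flag,
// whether consent is needed, and a list of findings for the operator to act on.
function auditCookies(headers, now = new Date()) {
  return headers.map(parseSetCookie).map((c) => {
    const days = lifetimeDays(c.attrs, now);
    const entry = REGISTER[c.name];
    const category = entry ? entry.category : 'unknown';
    const thirdParty = isThirdParty(c.attrs);
    const findings = [];
    if (!entry) findings.push('not in register');
    if (days !== null && days <= 0) findings.push('deleted on arrival');
    if (days !== null && days > 365) findings.push('persists for over a year');
    if (thirdParty) findings.push('third party');
    return {
      name: c.name,
      category,
      lifetimeDays: days,
      thirdParty,
      needsConsent: category !== 'strictly-necessary',
      findings,
    };
  });
}

// Tab-separated audit table for the operator.
function formatReport(rows) {
  return rows
    .map((r) => `${r.name}\t${r.category}\t${r.lifetimeDays === null ? 'session' : r.lifetimeDays + 'd'}\t` +
      `${r.needsConsent ? 'consent' : 'exempt'}\t${r.findings.join('; ') || 'ok'}`)
    .join('\n');
}
```

Run it against headers captured with a proxy or the browser's network panel rather than the constructed sample; cookies set from JavaScript never appear in Set-Cookie headers, so the script-side part of the audit (a walk over `document.cookie` after each page) still has to be done separately. The `old_promo` row shows the "redundant cookie" case from the first audit question: a deletion the site is still sending on every response.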
Everything OK? Now Find a Solution.
This really will be the Holy Grail of ensuring you keep as many users clicking “I agree” from 20th May onwards.
Below, we’ve listed and critiqued a few cookie law solutions – but we’re sure there must be more we haven’t found. Feel free to email your suggestions to email@example.com and we’ll add it.
The Cookie Collective’s solution is very nice: it’s polished and is based on getting visitors to click Allow – visitors can’t escape from the bar or close it unless they Accept.
However it only allows visitors to accept all cookies and may not be the right option for site operators looking to allow visitors to choose the type of cookies they want to allow.
The solution starts at £295 +VAT per year, but is fully managed – their team will audit your cookies and write copy that complies with the “comprehensive information” requirement.
Having only recently come across Portent, it’s a nice and simple (free) solution – however it’s not certain that it complies with the regulation.
We’re not confident that this solution could meet the requirements for the law, and we don’t think it provides a good user interface. However, we do like the fact that it will check to see if the visitor is from the EU before showing the box – and so, could be a contender for internationally-based businesses with UK traffic.
The free Jpecr package from Wolf Software has a lot of good points. Visitors can be presented with the notification in a number of different ways (a top/bottom bar, a hover box, automatically appearing from the top, or a modal window); site operators can input clear and comprehensive information about why they are using cookies and what they do, and go into detail on the exact cookies used. We like that users can select which cookies they want to receive – therefore being able to opt in to Facebook cookies but opt out of 3rd party advertisers.
But, in binary opposition to the previous solution, this gives the user too many options. Take a look at their (very comprehensive) demo page, and try Demo 8. From a consumer point of view, you would be scared if you arrived on a site and were presented with that.
This could very quickly become a winner if they enhanced it with some aspects from the Cookie Collective solution.
The Cookie Q Solution seems to be a bit more complicated than any others, as they focus around the “button”, rather than the clear notification – although an optional banner is provided. The banner doesn’t offer the “comprehensive information” on the cookies that will be set and what they do, but they do say that they have a “gated” Facebook Like system and that, interestingly, you can still collect useful statistical information about 100% of the visitors whether they have opted-in to cookies or not.
They do focus on “buttons”, so for site operators looking to implement their own notification bar/modal window solution but looking for the technology to control the opt-in, this might be one for you.
Email me at firstname.lastname@example.org and we’ll write up a review.
We’re surprised that there’s no single solution which uses the “second page load” exception, or any that are really designed for the user – rather, they seem to be designed in a complicated way by developers with no idea about user interfaces or persuasive design. Something for an innovative entrepreneur, perhaps?
What do you think will happen on May 20th? Will consumers all over Europe wake up to ugly modal boxes, or will the ICO hit corporations with enforcement notices?