New cookie law: what you need to know

The E-Privacy Directive, the law that applies to how website owners can use cookies to store user information, comes into effect today (26 May).

Website owners will need to gain “explicit” consent from their users if they are to store their usage information and will need to provide “clear and comprehensive” information about why they are storing cookies.

Essential cookies provided by the website at the request of the user (such as on some subscription and e-commerce services) will not require consent.

This is how it affects you.

What is a cookie?

Cookies are text files on web browsers that store user information. They can be used to store passwords and information about users’ shopping habits, to personalise the browsing experience by showing more relevant content, and to track browsing habits.

Users can delete their cookies to protect their privacy or free up storage space on their computers, although the files are tiny.

What will website owners need to do?

Website owners are advised by the ICO (Information Commissioner’s Office) to conduct a full audit of their sites to analyse what types of cookies are strictly necessary. “Strictly necessary” cookies include those that allow users to add items to shopping baskets and proceed to checkouts.

Cookies that users could deem “intrusive” should be removed or altered, or the company should decide what solution it will adopt to gain consent. The UK government, the ICO and the online industry are working together to decide on a scale of intrusiveness and will provide further information soon.

What consent options are there?

Browsers have not yet adapted to the law to assume that users have given their consent for cookies, so the onus is on the website owner. The government is currently working with major browser manufacturers to establish future solutions.

  • Pop-ups – Although pop-ups can potentially detract from the user experience, they are one of the simplest options to draw users’ attention and ask for consent.
  • Sign-up terms and conditions – When a user registers with a site they will give their consent for the website owner to operate in a certain way, which could include cookies. However, website owners would need to ensure current users are alerted to the change in the terms and conditions and must gain their consent to the alterations.
  • Settings-led consent – Some website features, such as a choice on languages, text sizes or colour schemes, use cookies. When a user chooses their preferences, they can be alerted to the fact that a cookie will be used.
  • Feature-led consent – Cookies are also stored when a site remembers feature-led preferences, such as the personalisation of content or where a user has got to in the video they were watching. When the user clicks for one of these features to be activated, the website can inform them a cookie will be set.
  • Functional uses – Often cookies are taken in the background, without the consent of the user, for tracking purposes. One solution for providing information on these types of cookies could be to place text at the header or footer of the web pages, or to provide a specific page with further details.
  • Third party cookies – If a website displays advertising, the third party providing it may take cookies from users. The ICO admits the process to get consent in this instance is complex and it is currently working with the industry and European data authorities to assist in addressing concerns.
  • Tracking icons – Some big advertisers, including AOL and Google, have committed to placing recognisable icons on any ads using tracking technology.

What could happen if companies do not comply?

Given the confusion surrounding the new Directive and the complex technology required to make websites compliant, the law will not be enforced for one year.

The UK government says there will be “no overnight changes” and the ICO says it will give businesses and organisations up to one year to “get their house in order”.

Failure to take any action before 26 May 2012 will result in a fine of up to £500,000 in the UK.

How has the industry reacted?

Caroline Roberts, director of public affairs at the Direct Marketing Association, says: “The DMA welcomes the long-awaited regulations and is reassured by the government’s decision to allow businesses more time to come up with workable technical solutions before enforcement of the new law begins in the UK.”

Law firm Thomas Egger says: “Is it, once again, the law struggling to keep up with the rapid changes in social and business use of the web?”

Peter Gooch, privacy expert at Deloitte, says: “Since there is no ‘one-size-fits-all’ approach here, businesses will need to implement a solution that best reflects how their website operates so that users are fully aware of what they are agreeing to.”

Ed Vaizey, Minister for Culture, Communications and Creative Industries, says: “We remain firmly convinced that UK implementation is correct that it is good for business, good for consumers and addresses in a proportionate and pragmatic way the concerns of citizens with regards their personal data online.”