Our Digital Director Mark Hope wrote a blog post last year after the Cookie Law was first announced by the ICO, giving background information on what it actually meant for our client websites. Since then, things have changed. The new EU Cookie Law comes into play in the UK on May 26th after a ‘year of grace’ for UK websites. This will mean that users will have to give their consent if you wish to continue gathering data about their visits.
What is a Cookie?
A cookie is a file that is stored on the user’s device to identify them each time they arrive on your site. When the user loads a web page, their browser will send back any cookies generated by the site, so that the site can see whether certain settings need to be loaded if the user has visited before.
The most important use of a cookie is to authenticate a user to see whether they are logged in or not. When you log into any site you are issued with a cookie that uniquely identifies you as logged in.
Many analytics services use cookies to track user movements through the site to provide more detailed reporting. No personal data should ever be stored in a cookie, but it is this tracking and the privacy concerns associated with it that have caused this EU cookie law to be created.
What does the law state?
The new law essentially states that the user must give their consent for you to store information about their visit. You must also describe details of how you store, access and use the data on the user’s machine.
What are the implications if I don’t comply?
As this will now be UK law, fines will be applicable to those who fail to comply. Whilst figures of up to £500,000 have been bandied about as maximum penalties, we don’t expect fines* to be as hefty as this straight away.
Are there any exceptions?
There are a couple of exceptions to the new law. Your site is free to use ‘functional’ cookies if:
- The user has specifically opted into a service that requires cookies
- You use cookies for providing security
What you can do
- Break the law
- Stop using cookies
- Ask for permission
If you’re going for the third option (which we’re sure you are), then there are three main avenues which we would suggest exploring:
- Give users an option on the homepage to opt in. Further to this, outline the types of cookies which will be used, how long the cookies will last on the user’s device and further details regarding your privacy policy. If your site is built on the Drupal platform, there is a module available which implements this option for Drupal 7, and there is an example of it working on the Civic UK website.
- Give users the option to tick a box and accept cookies. This could be in the form of a pop-up or any other type of overlay, and could be shown on every page if the user doesn’t opt in.
- Add a warning bar to the top of your site which tells visitors that some cookies will be set. If the user then clicks on any other links on the site, then this is deemed as consent.
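The explicit opt-in options above come down to one rule: functional cookies are always allowed, and everything else waits until the visitor's consent has been recorded. The sketch below is an added example, not code from this post or from the Drupal module it mentions; the cookie names, the categories and the default-deny treatment of unlisted cookies are assumptions.

```javascript
// Added example; cookie names and categories are hypothetical.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORY = new Map([
  ['session_id', 'functional'],    // login state (security): exempt
  ['csrf_token', 'functional'],    // security: exempt
  [CONSENT_COOKIE, 'functional'],  // remembers the visitor's choice
  ['_analytics_id', 'tracking'],   // analytics: needs opt-in
]);

// Parse a Cookie request header (or document.cookie) into a Map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                     // fragment without a value
    const name = part.slice(0, eq).trim();
    if (!name) continue;                      // nameless fragment
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw */ }
    jar.set(name, value);
  }
  return jar;
}

// Consent counts only if the visitor explicitly accepted.
function hasConsent(jar) {
  return jar.get(CONSENT_COOKIE) === 'accepted';
}

// Functional cookies are always allowed; tracking and unlisted cookies
// (default deny) are allowed only after opt-in.
function maySetCookie(name, jar) {
  const category = CATEGORY.get(name) || 'tracking';
  return category === 'functional' || hasConsent(jar);
}

// Set-Cookie value recording the choice, with a stated lifetime in days.
function consentCookie(accepted, maxAgeDays) {
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${accepted ? 'accepted' : 'declined'}; ` +
    `Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Reduce the cookies a page wants to set to those allowed right now.
function allowedCookies(wanted, cookieHeader) {
  const jar = parseCookies(cookieHeader);
  return wanted.filter((name) => maySetCookie(name, jar));
}
```

Recording a "declined" choice as well as an "accepted" one lets the site stop showing the prompt without ever setting the tracking cookies.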
And that’s that! Hopefully this post will have given you a little extra detail and reassurance as to what the new law will entail, but if you have any questions, just leave a comment and we’ll reply. If you’re after some more reading on the subject along with more technical information, be sure to check out our very own Phil Norton’s blog on the subject.
*We're many things, but we're not lawyers! It's worth checking with your company's legal representative as there's still a lot of debate and speculation around how this will play out.