The deadline for businesses to implement the new EU cookies law (26th May) is fast approaching, so time for a quick update on this issue (you can read my previous post on the matter here: http://www.hexagonwebworks.com/2012/eu-cookie-legislation-compliance/).
Statements from both the Information Commissioner’s Office (ICO – the UK’s data protection watchdog) and also from Ed Vaizey (Culture Minister) indicate that although the new requirements are law, and should be taken seriously, a common-sense approach will be taken when it comes to enforcement. So far so good.
The International Chamber of Commerce (ICC) UK has just (April 2012) issued new guidance (PDF doc) on cookies, which has apparently been welcomed by the ICO. The guide categorises cookies into four groups, and includes wording that website owners can use when asking for cookies consent.
The categories are as follows:
- Category 1: Strictly necessary cookies (enable services the user has specifically asked for)
- Category 2: Performance cookies (collect anonymous information on the pages visited – e.g. Google Analytics)
- Category 3: Functionality cookies (remember choices the user makes to improve experience – e.g. remembering user’s name when they leave a comment – so they don’t have to enter it again next time they visit)
- Category 4: Targetting cookies or advertising cookies (collect information about user’s browsing habits in order to target advertising)
With reference to Analytics cookies in particular (e.g. Cookies used by Google Analytics to track visitors to your website), the the ICO has stated that:
“We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.”
“In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.”
What you need to do
Having read through a number of further articles on the subject, and also the speech given by Ed Vaizey recently, my feelings are now as follows:
You DO need to take this seriously, and establish what cookies your website uses.
It is important that you make this information available to users on your website – and make it accessible and clearly labelled (‘Cookies Info’ for example)
You should then assess the most appropriate way to gain user consent to cookies. The approach you take will depend on the type of cookie. The ICC guidance document seems to suggest the following:
- For cookies in Category 1 – no consent is required
- For cookies in Category 2 – obtain consent by functional use, i.e. on your Cookies page, state something akin to the following: ‘By using our website, you agree that we can place these types of cookies on your device’.
- For cookies in Category 3 – obtain consent as for Category 2, or by obtaining ‘function’ or ‘setting’ led consent, i.e. at the point where the user uses the function which sets the cookie (e.g. WordPress comment form), state something like ‘When you choose to use this form, you agree that we can store cookies on your device’ (you may wish to be more explicit about what the cookies are stored for – or link through to your Cookies page with this info).
- For cookies in Category 4 – obtain consent in a more obtrusive manner, perhaps via a pop-up or distinct notice with opt-in checkbox.
If you are struggling with this and would like further advice or the above implemented on your website, let me know!
- Blog post from Pinsent Masons law firm: http://www.out-law.com/en/articles/2012/april/enforcement-of-cookie-consent-rules-for-analytics-not-a-priority-ico-says/
- Ed Vaizey speech: http://www.culture.gov.uk/news/ministers_speeches/8992.aspx
- ICC Blog post: http://www.international-chamber.co.uk/blog/2012/04/02/launch-of-icc-uk-cookie-guide/
- ICC Guide: http://www.international-chamber.co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cookie_guide.pdf