The EU Cookie Law is a new piece of privacy legislation that requires visitors to give consent before allowing a website to store or retrieve any information from any device through the use of cookies. By educating visitors on how information about them is collected through the use of cookies, and allowing them to decide for themselves if they wish to allow it to take place, the aim is to protect online privacy for everyone.
What are Cookies?
Cookies are small text files, downloaded to the visitor’s computer when they access a website. They enable websites to store such information as user preferences and login details. They may also be used to record how long visitors spend browsing each page on a site or what pages they visit most.
Cookies can be thought of as providing a “memory” for the website, enabling it to recognise visitors and respond appropriately. Generally, cookies are beneficial to the visitor, making interaction with frequently-visited sites smoother and easier than they would be without them.
What Should I do to Comply?
There are many ways to obtain the users’ consent. How you operationalise this depends to a large extent on how your website uses cookies and what you do with the information collected. Most of ESP Projects’ clients’ websites will fall into one of the three categories below:
| Risk level | Site type | What you need to do |
|---|---|---|
| Zero compliance risk | Sites that only use cookies that are ‘strictly necessary’ to provide the requested service and where the cookies expire at the end of the current session. For example, sites where the visitor can log into a “members area” or add items to a “shopping basket”. | No consent is required in this case, so no action is needed to comply. However, there is some ambiguity about how to define ‘strictly necessary’, so it might be prudent to include a clear statement on your website outlining how and why your site uses cookies. |
| Low/medium compliance risk | Sites that set cookies that ‘persist’ from one visit to another but don’t collect ‘personally identifiable information’. For example: | Informed consent is required, but it should be sufficient to rely on “implied consent via notice”: a clear notice, possibly a ‘pop-up’ style message, stating that your site uses cookies, with a link to your privacy page outlining what cookies are used and why. It should ideally also link to further information about how users can check and update their browser privacy settings. This is what ESP has done for our own website, including a link to our cookie policy. |
| High compliance risk | Sites that collect ‘personally identifiable information’ in order to build up a profile of their visitors’ interests and preferences, and sites that carry third-party adverts from advertising networks that monitor and track visitors across different websites. | This is the type of cookie use the legislation is primarily aimed at, and a higher level of informed consent is required. An explicit opt-in mechanism should be used that requires some specific user interaction to provide consent. |
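As an added example (not code from the ESP Projects article or its website), the three categories above expressed as a small consent gate in JavaScript: strictly necessary session cookies are always allowed, persistent preference cookies need the notice to have been shown, and tracking cookies need an explicit opt-in. The cookie jar object, category names and cookie values are constructed stand-ins for `document.cookie` so the code runs outside a browser.

```javascript
// Added example, not the article's own code. `jar` is a constructed stand-in
// for document.cookie; in a real page you would write the cookie there instead.
const NECESSARY = 'strictly-necessary'; // e.g. session id for a members area
const PREFERENCE = 'preference';        // persists across visits, no personal data
const TRACKING = 'tracking';            // profiling / third-party ad networks

function createConsentGate(jar = {}) {
  const consent = { noticeShown: false, explicitOptIn: false };
  const refused = []; // record of blocked cookies, useful if you must show what you did

  return {
    // Implied consent: the visitor has seen the notice linking to the cookie policy.
    showNotice() { consent.noticeShown = true; },
    // Explicit consent: the visitor used an opt-in control (a click, not just a visit).
    recordOptIn() { consent.explicitOptIn = true; },
    // Returns true if the cookie was set, false if the consent rules blocked it.
    setCookie(name, value, category, { persistent = false } = {}) {
      let allowed;
      if (category === NECESSARY) {
        // Session-only and strictly necessary: no consent needed.
        // If it persists beyond the session, treat it like a preference cookie.
        allowed = !persistent || consent.noticeShown;
      } else if (category === PREFERENCE) {
        allowed = consent.noticeShown;   // implied consent via notice is enough
      } else if (category === TRACKING) {
        allowed = consent.explicitOptIn; // explicit opt-in required
      } else {
        allowed = false;                 // unknown category: fail closed
      }
      if (!allowed) { refused.push({ name, category, persistent }); return false; }
      jar[name] = { value, persistent };
      return true;
    },
    cookies: () => ({ ...jar }),
    refused: () => refused.slice(),
  };
}

// Walk-through with constructed values:
const gate = createConsentGate();
gate.setCookie('sessionid', 'abc', NECESSARY);                   // true: session-only
gate.setCookie('lang', 'en', PREFERENCE, { persistent: true });  // false: no notice yet
gate.showNotice();
gate.setCookie('lang', 'en', PREFERENCE, { persistent: true });  // true: implied consent
gate.setCookie('_adnet', 'xyz', TRACKING, { persistent: true }); // false: needs opt-in
gate.recordOptIn();
gate.setCookie('_adnet', 'xyz', TRACKING, { persistent: true }); // true: explicit opt-in
```

The same gate can hold back third-party advertising scripts until `recordOptIn()` has run, since those scripts set their own tracking cookies.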
Summary
It is important for all website owners to be aware of these regulations and to start taking steps to comply, but it is not necessary to panic. The Information Commissioner does have the power to issue fines for non-compliance, but the guidance states they will take a practical and proportionate approach to enforcing the rules. In most cases this will involve contacting the organisation responsible, if there has been a complaint, and asking it to explain what steps it has taken to comply with these rules. Typically it seems that formal action will be considered only where an organisation refuses to take steps to comply or has been involved in a particularly privacy-intrusive use of cookies without telling individuals or obtaining consent. Fines will only be issued in the most serious cases and only if specific criteria are met: that a person has seriously contravened the Regulations, and that the contravention was of a kind likely to cause substantial damage or substantial distress. ESP Projects’ take is that, as long as you are open and honest about how your website uses cookies and can show that you have made some effort to inform your visitors (and obtain their consent if necessary), then you will be fine.
If you would like to know more about how we can help with your website then contact us.