The cookie law: What you need to know

Enforcement of the EU cookie law begins on Saturday May 26th. However, the ICO say they won't seek out websites to fine. So what is the cookie law? We can explain.

What is the cookie law?

The cookie law is the requirement for websites to warn visitors and get their consent before using cookies on their device. With over 90% of European websites using cookies for advertising, analytics and an overall better user experience without your consent, there are ups and downs to this law.

It will of course be beneficial to your privacy as a user, but it also means that any website within the EU with Facebook Like buttons or Google Ads is risking a £500,000 fine - not Facebook or Google. Some are outright against the cookie law and it has even been labeled as lazy by Silktide.

What are cookies?

Ever wondered how adverts online seemed so targeted to your interests or how a site remembers where you have browsed before? This is all down to cookies. A lengthier but still relatively brief explanation of cookies can be found on this BBC page.

"When you visit a site that uses cookies for the first time, a cookie is downloaded onto your PC. The next time you visit that site, your PC checks to see if it has a cookie that is relevant (that is, one containing the site name) and sends the information contained in that cookie back to the site."

"The site then 'knows' that you have been there before, and in some cases, tailors what pops up on screen to take account of that fact. For instance, it can be helpful to vary content according to whether this is your first ever visit to a site – or your 71st." - BBC

It has been around for a year already

Kind of. In fact, back in 2009, the EU issued a directive banning the use of cookies on websites without warning users beforehand. As it goes with directives, it isn't actually a law but it is a way of making the member states create laws to fit. The deadline was May 2011 at which point only three countries had the law ready to go: Denmark, Estonia and the UK.

Wait? We are breaking the law?

Yes… but not really. The UK realised that no one was ready for this law and pushed the deadline for websites to implement cookie warnings back until May 2012. After this Saturday (May 26th), websites will be required to display some sort of opt-in for cookies. Ironically, most government sites aren't ready for the deadline. It is most likely that they will want to get their own house in order before prosecuting others, so if your site isn't ready don't worry. Yet.

What will the warnings look like?

It is up to you and your development team really. Most sites will probably have pop-ups but, as most browsers block pop-ups, users may find this infuriating. However, some sites have taken the bold approach of presenting the cookie warning without an accept button. With many users not knowing what cookies really are and what they do, it isn't hard to imagine people clicking close without thinking.

Another example of sneaky cookie warnings is ForLinux. How long did it take you to spot it?

When to panic?

The easy answer is: don't. The ICO's (Information Commissioner's Office) deputy commissioner David Smith said that they will be sending out 50 letters to the UK's biggest websites before the deadline to provide information on how they are making an effort to comply. Apart from this, websites will only be investigated if visitors complain.

The ICO have also said they will be taking a soft-touch approach to regulation. If your website is not fully compliant by the deadline day and someone has made a complaint, as long as you can prove you are making steps towards complying, very little - if anything - will happen.

It is also worth noting that, according to the regulations, organisations do not need permission for cookies that are 'strictly necessary' to the business.

What to do?

While it may be a while before the government start enforcing the dreaded fines for not getting visitors' tracking consent, it is important to be moving to compliance. The first step is to conduct a cookie audit, whether you do it yourself or hire someone. Make sure you know what cookies you have on your site, where they are and what they do.
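One way to start the cookie audit described above, as an added example that is not part of the original article: it parses `Set-Cookie` headers captured while browsing the site and lists where each cookie comes from (first or third party) and how long it lives. The site name `example.org` and the captured headers are constructed sample data.

```javascript
// Added example: cookie inventory built from captured Set-Cookie headers.
// SITE and OBSERVED are constructed sample data, not taken from any real site.
const SITE = "example.org";

const OBSERVED = [
  { host: "www.example.org", header: "session=abc123; Path=/; HttpOnly; Secure" },
  { host: "www.example.org", header: "_visitor=77f1; Domain=.example.org; Max-Age=63072000; Path=/" },
  { host: "ads.tracker.example", header: "uid=9c2e; Expires=Wed, 21 May 2014 10:00:00 GMT; Path=/" },
];

// Parse one Set-Cookie header value into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// True when the cookie's domain is the audited site or one of its subdomains.
function isFirstParty(domain, site) {
  const d = domain.replace(/^\./, "").toLowerCase();
  return d === site || d.endsWith("." + site);
}

// Build the audit rows: which cookie, where it comes from, how long it lives.
function auditCookies(observed, site) {
  return observed.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const domain = c.attrs.domain || host; // no Domain attribute: host-only cookie
    return {
      name: c.name,
      domain,
      party: isFirstParty(domain, site) ? "first" : "third",
      lifetime: "max-age" in c.attrs || "expires" in c.attrs ? "persistent" : "session",
      secure: Boolean(c.attrs.secure),
      httpOnly: Boolean(c.attrs.httponly),
    };
  });
}

console.table(auditCookies(OBSERVED, SITE));
```

What each cookie does, and whether it counts as 'strictly necessary', still has to be recorded by hand against each row.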

For a more in-depth "What to do", check out this great article on Boag World. For now, put on the kettle, make a cup of tea and have a cookie.

Update - 28th May 2012

On Friday 25th May - a day before the deadline - the ICO updated their advice for websites stating that 'implied consent' is compliant with the regulations. The ICO have listed what they consider to be 'implied consent'.

  • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

This means that the previous examples we showed you (FT, ForLinux) are perfectly fine. However, this is only for British websites, which is not in line with the EU law - potentially leading to fights with European courts.