Complying with The Cookie Law: Privacy and Electronic Communications Regulations

By , Consultant

If you own or manage a website and you don’t yet know that you need to comply with the UK privacy legislation (aka The Cookie Law), you’re probably in the wrong job.

The law was passed last May, but UK websites have been granted an additional year by the Information Commissioner's Office (the ICO, the body enforcing the law in the UK) to implement it. If you don't get up to speed and take the necessary steps, you will be liable for a fine of up to £500,000.

You have until the 25th May 2012 to become compliant, and time is running out.

What does it all mean?
In essence, it is now a legal requirement that you ask for consent (opt-in) if your site uses cookies (small packets of data). However, to confuse matters, if a cookie is “strictly necessary” for the site to function (such as for a shopping basket) you “might” not have to ask for consent. But what does “strictly necessary” and “might” mean?

This law appears to be aimed primarily, although not exclusively, at behavioural targeting (ads) and potentially analytics, which use cookies stored on your computer at a later point to track your online behaviour or display ads based on your preferences.

Why is this change taking place?
The reason for this is simple. There has been public discord over the seeming disregard for privacy via assumed consent by advertisers and certain companies (whom I won't name, but one such company was the subject of a 2010 film starring Jesse Eisenberg and Justin Timberlake), and the EU has responded.

Now it is easy and quite good fun to denounce the EU as egotistical and sycophantic, doing its utmost to put EU businesses at a distinct disadvantage in difficult times – as this only applies to the EU while the rest of the world duly ignores it.

Confused?
The ICO guidance isn't making things any clearer. It states: "if the organisation is UK-based, the laws will clearly apply whether the website is hosted in the UK or overseas." Great. But unfortunately it goes on to say: "Those corporations outside the UK or Europe are advised that their users in the UK will expect clear information about cookies too." Really? This just goes to show the preposterous, laughable ineptitude of those involved in passing this law when it comes to considering the WORLD wide web! See how I highlighted "world" there.

But despite the approach, concerns about privacy exist and need to be addressed. I have not met many people 100% comfortable with the various "unsavoury" practices which are fuelled by cookies on the web today, even if they don't know what they are, and shouldn't their concerns (our customers') be our concerns too?

It’s just a shame the rest of the world looks set to ignore them.

What are the cookie options available to you?

a) Ask for cookie consent (opt-in)
All cookies need to be individually listed, with an explanation of their purpose, before they can be used; this list should probably appear on every page the first time a user visits your site. Consent cannot be implied. The positive outcome is that the user will make an informed choice and opt in, while the process will educate them about the information they're sharing online.

But will this really result in people giving consent? I think that’s somewhat unlikely and I can only assume that many people will choose not to accept cookies.

It’s also going to cost you money to implement and potentially (depending on your business) diminish the data you capture which shapes how you serve your customers online. Not to mention that asking in the first place will inevitably affect the overall user experience.

There is, however, another piece of confusing information in the guidelines about "non-intrusive" cookies, which might or might not mean Google Analytics. Apparently, Google has been careful not to associate Google Analytics with any personally identifiable information. Should we consider that Google Analytics is a "highly unlikely priority" for formal action? I would like an official statement about this from the ICO and, at the very least, to be provided with some guidance to help us out! Oh, and it's been widely reported that Google are struggling to create a system to comply with this directive, so if anyone else can enlighten me I would be grateful.

b) Remove the features from your site which require cookies
This action is the sure-fire way to resolve the issue and it would give your site visitors the least disruptive experience, but it would inevitably reduce the level of business intelligence gained (unless Google Analytics is found to be exempt).
You might have to face up to a reduction in the commercial value of your site by removing the ability to target through ads. No great loss, I hear you cry, and so do I, until I think of what will happen when those services which are currently free seek alternative revenue streams. Advertising and cookies start to look appealing to me once more.

c) Ignore the law
Is that a risk you're willing to take? Is it going to give you sleepless nights knowing you are responsible for the repercussions? Or could it be that you are ignoring the law in the vain hope that at the 11th hour the ICO will have a change of heart, or that those who provide the services will have completely reworked their systems not to use cookies in time?

If you are, I hope you have an understanding development team or agency just sitting there waiting for the phone to ring if the cavalry doesn’t show up.

d) Adapt: alternatives
There are alternatives out there such as eVisit Analyst, which claims to be an analytics alternative that doesn't use cookies; however, it is not free and I would advise you to do your own due diligence here. Bear in mind that change is also dependent on logistics, training and how integrated your infrastructure is. This could mean changing a lot of systems at a large overall cost to your business.

So where do you start?
• Audit your site for all cookies
• Assess which ones are necessary and which are not
• Decide how you address those you wish to keep
• Make sure these are also listed in your privacy policy (which is actually a requirement now)
• Speak to your PMs/developers and plan, plan, plan…
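As an added worked example (not from the original post), here are the first two checklist steps in Python: parse the Set-Cookie headers a crawl of your own pages records, build an inventory, and separate what the owner has classed as strictly necessary from what needs opt-in and from what is third-party. The response headers, the example.co.uk site and the "basket" classification are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample (not real data): Set-Cookie headers a crawl of a fictional
# shop at example.co.uk might record, as (responding host, raw header value).
SITE_DOMAIN = "example.co.uk"
SAMPLE_RESPONSES = [
    ("www.example.co.uk", "basket=ITEM42; Path=/; Secure; HttpOnly"),
    ("www.example.co.uk", "__utma=1.2.3; Max-Age=63072000; Path=/; Domain=.example.co.uk"),
    ("ads.adnet.example", "uid=abc; Max-Age=31536000; Path=/; Domain=.adnet.example"),
]
# Assumption: the site owner has already classified these names as strictly necessary.
STRICTLY_NECESSARY = {"basket"}

@dataclass
class CookieRecord:
    name: str
    domain: str
    persistent: bool          # outlives the browser session (Max-Age or Expires set)
    third_party: bool         # set for a domain other than the site's own
    strictly_necessary: bool  # the only category the guidance exempts from consent

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value      # bare flags such as HttpOnly map to ""
    return name, attrs

def audit(responses, site_domain=SITE_DOMAIN, necessary=STRICTLY_NECESSARY):
    """Steps 1 and 2 of the checklist: inventory every cookie and classify it."""
    records = []
    for host, header in responses:
        name, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", host).lstrip(".")
        own = domain == site_domain or domain.endswith("." + site_domain)
        records.append(CookieRecord(name, domain, "max-age" in attrs or "expires" in attrs,
                                    not own, name in necessary))
    return records

def consent_report(records):
    """Names to list in the privacy policy, split by whether opt-in is needed."""
    return {
        "first_party": sorted(r.name for r in records if not r.strictly_necessary and not r.third_party),
        "third_party": sorted(r.name for r in records if not r.strictly_necessary and r.third_party),
        "exempt": sorted(r.name for r in records if r.strictly_necessary),
    }
```

Run `consent_report(audit(SAMPLE_RESPONSES))` to get the three lists; anything under "third_party" is set by a domain you do not control, so its purpose has to come from that provider before you can describe it to users.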

If that is too difficult a decision to make you will either have to remove all of them or place an opt-in for all of them from May onwards.

It is apparent that there are many ambiguities, uncertainties and differing interpretations of the ICO guidance. Don't worry, you're not the only one who's confused. For now, my only advice would be to make sure you have at least read the ICO guidance document, keep up to date with the debate and, if you are completely mystified, seek out proper legal opinion.

In the meantime, please add your comments and let’s see if we can sort out this confusion.

One Response to “Complying with The Cookie Law: Privacy and Electronic Communications Regulations”

  1. My very basic understanding is that even though everyone is focusing on cookies the law actually is more about the principle behind cookies and so sites such as eVisit Analyst would be just as affected by this law if they are doing the same thing but in a different way
