Understanding Cookie Law

On 27th May 2012 the UK’s implementation of the EU’s “Cookie Law” will come in force. My own personal opinion aside, I wanted to take the time to actually read and digest the UK’s interpretation of this EU directive and summarise what it means for users and web developers.

The reason why we have this law

Studies suggest that the majority of internet users don’t know what cookies are and what information can be accessed by certain websites. This raises obvious privacy concerns.

The target of this law is to try and prevent or dissuade website owners and content producers from collecting unnecessary information. The main target of this law appears to be third-party cookies, those that are often set by advertising networks to track a user’s global site preferences while browsing. This law makes it very difficult for them to ask for consent.

What the law actually states

The law is based on a privacy-based EC Directive from 2002, which was later amended in 2009 to require consent for the storage or access of information on a user’s device (a cookie). The UK implemented this change on the 25th May 2011, but delayed the compliance date by one year. It’s the Information Commissioner’s Office’s (ICO) job in the UK to inform us, the public, of changes to the law and what is required of us. 

The law is pretty clear. Websites of individuals and businesses based in the EU must comply, regardless of where the web host is located or where the website’s visitors are accessing the site from.

Websites have to:

  • Tell users there are cookies on the site
  • Explain why you have cookies
  • Get the user’s consent to store a cookie on their device

For example, this blog would be required to tell the user that a cookie will be saved on their device, which anonymously tracks user interactions on this site (Google Analytics). This site would then need to ask the user for consent to store these cookies.

According to the ICO’s guidance, the user’s consent should be required before you set any cookies. In practice, however, the ICO recognises that most websites load cookies as soon as the site loads. In such cases, site owners should do whatever possible to inform the user as soon as possible that cookies are present and explain clearly what the cookies are for. As implementation becomes universal in the future, expect consent to become Opt-In only.

Who needs to comply with the law?

The law will apply to all website owners within the EU. This not only includes organisations and businesses, but individuals with blogs and private websites. Any site that sets a cookie, where the owner of the site is based within the EU, regardless of where the site is hosted, must obtain consent.

Like every law, there are exceptions (hooray!):

  • Cookies used to remember a user’s goods when they proceed to a checkout
  • Cookies that comply with stricter security principles, such as online banking
  • Cookies that help distribute workload across numerous computers (e.g. Amazon EC2)

As the majority of websites use tools such as Google Analytics, pretty much everyone will need to think about implementing this.

How to comply with the new law

Fortunately for those in the know, satisfying the new law can be achieved with a small script. Unfortunately, those who don’t know anything about front-end web development may find it a bit more difficult. Here are two tools that can help:

If you want to fully comply with the law however, you will need to prevent all cookies being stored until the user has agreed. As a cookie is actually required to remember a user’s choice, users that decline to accept cookies will be informed and asked the same question each time they access the site.

The above tools will likely put you in good stead with the ICO for the foreseeable future, but when Opt-In is fully enforced, you should be preventing cookies altogether until the user agrees.
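To illustrate the Opt-In approach described above, here is an added example (not code from the original post or from either tool) of a small consent gate: the analytics script is only loaded once a first-party consent cookie says the user accepted, a decline stores nothing, so the user is asked again on the next visit. The cookie name `cookie_consent`, the function names and the `cookie-consent-accepted` event are assumptions of this example.

```javascript
// Added example: defer third-party (analytics) cookies until the user opts in.
const CONSENT_COOKIE = 'cookie_consent'; // assumed first-party cookie name

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Consent exists only when the user explicitly accepted. A decline is never
// recorded (that would itself need a cookie), so a declining user is asked again.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'accepted';
}

// Value for document.cookie once the user accepts: first-party, one year,
// SameSite=Lax so it is not sent on cross-site requests.
function consentCookieValue(nowMs) {
  const expires = new Date(nowMs + 365 * 24 * 60 * 60 * 1000).toUTCString();
  return `${CONSENT_COOKIE}=accepted; Expires=${expires}; Path=/; SameSite=Lax`;
}

// Browser glue; skipped when the logic above is exercised outside a browser.
if (typeof document !== 'undefined') {
  const loadAnalytics = () => {
    const s = document.createElement('script');
    s.async = true;
    s.src = '/path/to/your-analytics-snippet.js'; // placeholder: your analytics loader
    document.head.appendChild(s);
  };
  if (hasConsent(document.cookie)) {
    loadAnalytics(); // returning visitor who already opted in
  } else {
    // Banner code (not shown) dispatches this assumed event when "Accept" is clicked.
    document.addEventListener('cookie-consent-accepted', () => {
      document.cookie = consentCookieValue(Date.now());
      loadAnalytics(); // nothing third-party was set before this point
    });
  }
}
```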

Other Useful reading