Back in May last year, the EU’s Privacy and Communications Directive, commonly known as the EU cookie law, came into force. The government decided to phase its implementation after realising that most websites were unprepared for it and even experts seemed unsure of its implications.
That decision meant that the Information Commissioner’s Office (ICO) wouldn’t start enforcing the law until 26 May 2012. With that date fast approaching, some websites are now scrambling to comply. Others are doing less, or nothing at all.
So, what is the cookie law, and do you need to worry about it?
Interpreting the EU cookie law
Cookies are small files which websites store on visitors’ computers. They allow a website to identify a particular user. Cookies are a key part of website technology and underpin lots of different functions. For instance, cookies are usually used to:
- Remember what items you’ve added to an online shopping basket
- Keep you logged in to a website
- Track visitor numbers and movements (through tools like Google Analytics)
- Display targeted adverts to visitors
The EU cookie law has the potential to transform how people think about cookies, and – as a result – how websites use them. The law aims to make people more aware of what cookies are and how they’re used, by requiring websites to gain permission before storing any cookies on users’ computers.
This means that – by the letter of the law – you need to ask every website visitor if they’re ok with your website placing cookies on their computer. And it’s only if they say ‘yes’ that you’re allowed to do so.
The only exception to this is cookies that are ‘necessary’. But the definition of ‘necessary’ only covers cookies that are required to provide functions requested by visitors. That means you won’t need to get permission for your shopping basket cookies, but you will need to get permission for your Google Analytics cookies.
Finding a way through the confusion
The EU cookie law is pretty confusing. Although its aims of increasing transparency and giving consumers more choice seem laudable, it has the potential to have a huge impact on websites. In short, to comply with the law you’re going to have to display a message asking people to consent to your website using cookies. And only if visitors give that consent will you actually be able to use them.
In an industry increasingly dependent on targeted advertising and measurable results (both of which require cookies), there have been some harsh critics of the rules. TechCrunch called it a ‘stupid’ law that could ‘kill our startups stone dead’. A company called Silktide put together a snarky video that still manages to do a good job of explaining the law.
Just about the only example of a website that’s implemented a cookie consent message so far is the ICO’s own site. Rather worryingly, it saw its recorded visitor numbers drop 90% once it added the opt-in message – suggesting that most people were ignoring the request.
What you need to do today
With only a couple of months remaining until the ICO begins prosecuting websites under the new law, there’s still plenty of confusion around its implications. However, the prospect of receiving a £500,000 fine for not complying should be enough to spark most businesses into looking into the issues.
As the dust from this new law settles and more websites start to implement an opt-in message, you can then decide how to move forward.
Of course, it goes without saying that you should seek legal advice on this issue. Strictly speaking, the cookie rules are already law, and any website not in compliance could be prosecuted after 26 May this year.
The new rules aren’t going anywhere. So don’t bury your head in the sand.