In May 2011, the EU Privacy and Communications Directive came into force which stated that all non-essential cookies used on websites must be clearly identified to the website’s users and that the website users must consent to the cookies being used (on an opt-in basis). The Information Commissioner’s Office (ICO) gave UK website owners a year’s grace in order to become compliant with the new law and that period expired on 26 May 2012.
What is a cookie?
A cookie is a small text file that helps organise and store browsing information. Common examples of non-essential cookies include Google Analytics which provides anonymous tracking data about website users, affiliate links, Google Adsense, cookies used to recognise a website user when they return to a site and cookies for advertising. Examples of essential cookies are those used to remember the goods a user wishes to buy when the user checks out, cookies for internet banking security and cookies that help pages to load more quickly.
Why was the law introduced?
The EU was concerned about consumers not being aware that their surfing behaviour is being monitored and that data is being stored for advertising purposes. Such behavioural advertising is carried out mainly with the use of “persistent” cookies. Hence the legislation seeks to impose a duty on website owners to tell their users about the cookies on the site and to use such cookies only with the website user’s informed prior consent.
What you need to do to comply
Firstly you need to identify what cookies are being used on your website. You can purchase cookie audit software for this purpose or undertake a free audit. However, please note that such software tools are not 100% reliable.
Alternatively, you can clear your browser’s cookies (and its cache), visit your website and then inspect the cookies that have been stored. Identify which are set by your own site and which by third-party sites. For each cookie, establish what purpose it serves, whether it contains personal information, whether it is used to track the user and, if so, the lifespan of the cookie. You should also check any WordPress plugins that you have on your site, as these may set cookies of their own.
The final step is to obtain consent from your users to the use of non-essential cookies. If the only cookies on your site are essential then you do not need to obtain consent, but as most of you will at least use Google Analytics (which is non-essential), you will need to obtain consent.
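The audit described above, as an added example that is not part of the article: a small Python helper that takes Set-Cookie headers captured from your own site (for instance from the browser’s developer tools) and records, for each cookie, whether it is first party or third party, whether it is a session or persistent cookie and for how long, and whether it is on a reviewed list of essential cookies. The essential-cookie list, the sample headers, the site host and the first-party heuristic are all assumptions constructed for the example.

```python
"""Cookie audit helper, an added example that is not part of the article.

It classifies Set-Cookie headers observed while browsing your own site:
first party vs third party, session vs persistent (and for how long), and
essential vs non-essential against a reviewed name list. Sample data is
constructed inline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allow-list: cookie names the site owner has reviewed and judged
# essential (strictly needed to deliver a service the user asked for).
ESSENTIAL_NAMES = {"sessionid", "csrftoken", "cart"}


@dataclass
class CookieRecord:
    name: str
    set_by: str                      # host that sent the Set-Cookie header
    domain: str                      # domain the cookie applies to
    first_party: bool
    persistent: bool
    lifespan: Optional[timedelta]    # None for session cookies
    essential: bool


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attr: val}); attrs are lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifespan(attrs, now: datetime) -> Optional[timedelta]:
    """Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie."""
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def is_first_party(cookie_domain: str, site_host: str) -> bool:
    """Heuristic: the cookie domain equals the site host or is a parent of it.
    A production audit should consult the public suffix list instead."""
    d = cookie_domain.lstrip(".").lower()
    return site_host == d or site_host.endswith("." + d)


def audit(observations, site_host: str, now: Optional[datetime] = None):
    """observations: iterable of (response_url, set_cookie_header_value) pairs."""
    now = now or datetime.now(timezone.utc)
    site_host = site_host.lower()
    records = []
    for url, header in observations:
        set_by = (urlsplit(url).hostname or "").lower()
        name, _value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain") or set_by   # no Domain attribute: host-only cookie
        lifespan = cookie_lifespan(attrs, now)
        records.append(CookieRecord(
            name=name,
            set_by=set_by,
            domain=domain,
            first_party=is_first_party(domain, site_host),
            persistent=lifespan is not None,
            lifespan=lifespan,
            essential=name in ESSENTIAL_NAMES,
        ))
    return records


def consent_required(records) -> bool:
    """Under the rule the article describes, any non-essential cookie needs opt-in consent."""
    return any(not r.essential for r in records)


# Constructed sample: headers as you might capture them from your own site's responses.
SAMPLE = [
    ("https://www.example.com/", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("https://www.example.com/", "_ga=GA1.2.1; Domain=.example.com; Path=/; "
                                 "Expires=Thu, 01 Jan 2026 00:00:00 GMT"),
    ("https://ads.example-tracker.net/pixel", "uid=xyz; Domain=.example-tracker.net; "
                                              "Max-Age=63072000; Path=/; SameSite=None; Secure"),
]
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time

if __name__ == "__main__":
    records = audit(SAMPLE, "www.example.com", FIXED_NOW)
    for r in records:
        kind = "first-party" if r.first_party else "THIRD-PARTY"
        life = f"{r.lifespan.days} days" if r.persistent else "session"
        print(f"{r.name:<10} {kind:<12} {life:<10} {'essential' if r.essential else 'non-essential'}")
    print("consent required:", consent_required(records))
```

Run it against headers copied from your own site and a current timestamp; the persistent third-party entries with long lifespans are the ones the article is concerned with, and a single non-essential cookie is enough for consent_required to report True.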
You can do this by using free code for an opt-in button (the original article shows a screenshot of the button at this point), or by adding code to your website for an opt-in box in the bottom right corner of the page.
If you have a WordPress site, the EU Cookie Directive WordPress Plugin displays an opt-in message at the top of your site and also lists in your admin panel the cookies you have installed. The opt-in message is customisable.
What will happen if I’m not compliant?
The ICO has the power to fine you £500,000 if your website is not compliant. However this is very unlikely. Firstly the ICO will not have a team of investigators tracking down non-compliant websites. And secondly, even if there is a complaint made against you, the ICO has commented that as long as website owners are “moving towards compliance” and are not “wilfully avoiding the regulations”, the ICO will work with website owners to help them be compliant rather than fine them. Indeed a Cabinet Office spokesman has commented that “the majority of government department websites will not be compliant with the legislation” by 26 May 2012.
Copyright Suzanne Dibble 2012
You may reproduce this article if you provide the following copyright notice and credit “copyright Suzanne Dibble 2012. Suzanne Dibble is a multi-award winning business lawyer who specialises in e-commerce law. Suzanne has vast experience ranging from acting for plc’s on billion pound projects to helping micro businesses with their day to day business law requirements. To find out more about Suzanne and read the many testimonials from happy clients please see www.lawyers4mumpreneurs.com.”