A lot of attention was focused earlier this year on cookies, those little snips of coded text that websites automatically place on your computer when you visit those sites with your web browser.
The attention on cookies was all to do with a European Union directive on individual privacy and personal data that came into effect in May 2011, requiring each EU member country to implement national laws that, broadly speaking, give website visitors the power to explicitly accept or reject the placement of cookies on their computer.
In the UK, the government deferred implementation of the directive for one year until May 2012, saying that “it will take some time for workable technical solutions to be developed, evaluated and rolled out so we have decided that a phased in approach is right.”
What that means is quite simple: you still have time to figure out how to implement the UK law – The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 – before it comes into effect next May.
The website of the Information Commissioner’s Office (ICO) – the law’s regulator – offers a glimpse of how an organization might actively seek a visitor’s permission when he or she lands on its website – a one-time request that requires you to accept or deny it.
The ICO’s request text reads:
The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete or block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.
While you could argue the wording – I’d like to see something a little more attuned to the benefit for the visitor, not solely for the website owner – the text is clear enough and as a website visitor you need to take a specific action, i.e., accept the request. If you don’t accept it, parts of the website won’t work correctly, as the request wording says.
Will that be enough to enable people to really understand what they are being asked? I doubt it, frankly. The best example I’ve seen so far is that of AllThingsD, the Wall Street Journal’s tech site, which has a lengthy explanation in plain English of what their site wants to do with cookies.
For most people, though, it’s a murky area to be exploring. How do you set this up on your site? Does every website owner, business or personal, have to do this? What about third-party cookies? Will there be penalties after May 2012 if you don’t have this sorted out? (In a word, yes.) What about blogs – how will this work on those? (Interesting but unresolved discussion thread about this on the WordPress.org forum.)
You can find plenty of information on the ICO’s website. Read it now – you have less than six months to get ready for the cookie law.
4 responses to “Get ready for the cookie law”
Stop it Neville, we’re quite happy burying our heads in the sand.
Well said, Chris :)
The AllThingsD website is not actually compliant. Compliance requires a user to give active consent – this assumes it just because you make a return visit.
There is a compliance solution now available from http://www.civicuk.com/cookie-law. This is a free widget known as “Cookie Control”, which will be adopted by Public Sector websites in Scotland in the run up to the May 2012 compliance deadline.
On its own the solution doesn’t guarantee compliance (you still need to do a cookie audit and publish the results in your Privacy Policy), but it gets you a long way there by making it explicit to users that cookies are at work on your site.
The widget is configurable with editable boiler-plate advisory text, configurable link to your privacy policy and styling options to ensure it fits in with the design of the website.
Check out the widget here – http://www.civicuk.com/cookie-law