New EU Privacy Directive On Cookies – 12 Months To Get Your House In Order in UK




Here’s some clarification for website owners on the new EU law – the EU privacy directive on cookies:

What it is:

“The new law is an amendment to the EU’s Privacy and Electronic Communications Directive and will require UK businesses and other organisations to obtain consent from visitors to their websites in order to store and retrieve usage information from users’ computers.”

When Is It Law?

Today

What you need to do

You need to get consent from visitors to your site if you want to put a cookie on their computer. Lots of websites require cookies to operate – if you use Google Analytics, for instance, to track visitors on your site, your website uses cookies. A good place to start is to find out from your website developers what cookies you are currently using. If you use WordPress for your blog, for instance, then this software uses cookies too: WordPress and WordPress plugins (the type of software that powers this blog) use cookies if you are registering with the site or commenting on the site. More about that here: http://codex.wordpress.org/WordPress_Cookies. So – as a starting point – you might want to actually find out what cookies your website sets and add a note about them to your privacy policy notice – this is what we will be doing shortly.

When You Could Get In Trouble

UK companies which use cookies to track how their customers browse their website have up to a year to comply with new privacy laws, the information watchdog has said. The new EU rules, which came into force on 25/26 May 2011, mean firms which run websites in the UK will need to ask for permission to store and receive information on users’ computers in the form of cookies – a cookie is a small file that a website uses to track users’ actions online – and A LOT of websites use them.

Information Commissioner Christopher Graham announced UK companies will be given up to 1 YEAR to “get their house in order” before the new EU cookie law is enforced by the UK. That is 25 May 2012.

“I have said all along that the new EU rules on cookies are challenging,” Mr Graham said. “It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups – and I am not saying that businesses have to go down that road. Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them. That’s why I’m taking a common sense approach that takes both views into account. So we’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

UK companies could face a fine of up to £500,000 if they don’t comply with the new EU Privacy Rules. They are obviously taking this a lot more seriously (it seems) than accessibility or company act directives of the past.

Communications MP Ed Vaizey added:

“This Europe-wide legislation will ultimately help improve the control that individuals have over their personal data and help ensure they can use the internet with confidence. But it will take time for workable technical solutions to be developed, evaluated and rolled out, so we have decided that a ‘phased in’ approach is right.”

I saw this comment as well from Yahoo news – I am not sure how accurate this is – I am still learning about this too.

Just a quick clarification for some of you confused. This covers all cookies that keep hold of user specific data, from tracking customer page views to remembering login details. Explicit consent does NOT need to be done on a per visit basis and for those of you who require logins or registrations it should be fairly easy to work round. This law does not cover things like shopping baskets etc.

Practical Use

This is the official message that is on the ICO website (who should know what they are doing) – and they do it through a pretty unobtrusive header message:

On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.

…the ICO also go on to say about the EU law on cookies:

Organisations have 12 months to make sure they comply with the new rules (EU Privacy Directive On Cookies). In that time we expect websites to be looking at the cookies they use and where necessary putting in place steps to get your consent. If a website does not appear to be taking steps to comply with the new rules and we receive a complaint during this 12 month period we will provide advice to the organisation concerned on the requirements of the law and how they might comply.  Where we think it is appropriate we will also ask organisations to explain the steps they are taking to ensure that they will be in a position to comply by May 2012. We will continue to consider complaints about organisations that are not providing information about the cookies they use because this has been a requirement for several years. From May 2012 we will expect websites to be complying with the law and will deal with complaints about sites that are not complying in line with our normal procedures.

Why the 12 months’ grace for UK businesses? Well, it’s practically unworkable for a lot of sites at this time. The ICO will obviously lead the way and is an example of what you can expect, but even they have run into problems:

Our priority has been complying with the law from 26 May. The biggest change is that we are providing users with a choice to accept cookies from our site before they are set. We ask this question only of users who haven’t disabled cookies at the time they arrive at our site, or where we can’t tell if they’ve disabled them or not. We are setting our analytics cookies only when a user provides their consent. Currently our website contains one cookie that we do not use, but is essential for part of the site to operate. At present we have left this in place across the site, as we’re unable to remove it from one part of the site without affecting another. This session cookie is set on a user’s arrival to the site – at which time they’re informed that the cookie has been set – and is deleted when a user leaves the site. We are continuing to look at ways to provide users with choices about this and all the cookies we use on our site. Finally, we have updated our privacy notice to provide more information about the cookies we use, as well as directing users to detailed information about how to delete and manage cookies.
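As an added example (not code from the ICO or from this blog), here is one way to do the two things described above in JavaScript: list the cookies a browser is sending to your site, and allow analytics cookies only once the visitor has consented. The inventory, the `session_id` and `cookie_consent` names, and which cookies are treated as essential are assumptions for illustration.

```javascript
// Added example. The inventory, the session_id / cookie_consent names and the
// essential / non-essential split are assumptions; replace with your own audit.
const CONSENT_COOKIE = "cookie_consent";
const INVENTORY = [
  { prefix: "session_id", purpose: "site session", essential: true },
  { prefix: CONSENT_COOKIE, purpose: "remembers the visitor's choice", essential: true },
  { prefix: "__utm", purpose: "Google Analytics", essential: false },
  { prefix: "comment_author", purpose: "WordPress commenter details", essential: false },
];

// Parse a Cookie header (or document.cookie string) into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(";")) {
    const p = part.trim();
    const eq = p.indexOf("="); // split on the FIRST "=", values may contain more
    if (eq < 1) continue;      // skip empty or nameless fragments
    jar.set(p.slice(0, eq), p.slice(eq + 1));
  }
  return jar;
}

// Match a cookie name against the inventory; anything unmatched is "unknown".
function classify(name) {
  const hit = INVENTORY.find((e) => name.startsWith(e.prefix));
  return hit
    ? { name, purpose: hit.purpose, essential: hit.essential, known: true }
    : { name, purpose: "unknown", essential: false, known: false };
}

function hasConsent(header) {
  return parseCookieHeader(header).get(CONSENT_COOKIE) === "yes";
}

// Gate to call before setting a cookie: essential ones always, others only
// after consent, unknown ones never (add them to the inventory first).
function maySet(name, header) {
  const c = classify(name);
  return c.known && (c.essential || hasConsent(header));
}

// Audit: cookies already present that should not be there without consent.
function violations(header) {
  if (hasConsent(header)) return [];
  return [...parseCookieHeader(header).keys()].filter((n) => !classify(n).essential);
}

// Constructed sample: a first visit where analytics was set before asking.
const FIRST_VISIT = "session_id=abc123; __utma=1.2.3.4.5.6; __utmz=1.2.3.4.utmcsr=google|utmccn=(organic); mystery_widget=1";
console.log(violations(FIRST_VISIT));
```

Because the choice is stored in its own cookie, the visitor is asked once rather than on every visit.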

Google Analytics FYI

I found this info quite interesting:

The impact on Google Analytics users – Google Analytics uses 1st party cookies to anonymously and in aggregate report on visits to your website. This is very much at the opposite end of the spectrum to who this law is targeting. For Google Analytics users, complying with the ToS (and not using the other techniques described above), there is no great issue here – you already respect your visitors privacy…!

Though there is clearly some confusion about that interpretation as the question of whether or not GA is essential to the working of your website is probably going to be debated – and – I guess things will become clearer as the year goes on. Affiliate marketers are in for a torrid time at any rate.

I’ll update this page with more later…..:)



5 Responses

  1. Alex says:

    Thanks for this – first I’ve heard of it. Like most people who have blogs I have no idea if my blog uses cookies. I mostly use blogs as review sites or adsense sites. Any info on how the average non techie blogger can handle this will be more than welcome! I can understand this law from a consumer and big business point of view but it seems odd to the average “lone blogger” who only wants to know how many “unique visitors” they get and doesn’t knowingly collect any information. I would have thought that list building was a much more important issue with regard to privacy issues.

  2. Integrati Marketing says:

    Hi Hobo, great update and more serious to web experts and site owners than many realise right now. This will be big. Thank you, Clinton.

  3. Stop Common Purpose says:

    “the ICO website (who should know what they are doing)” ROFL

  4. Iain Thornton says:

    How will it be determined whether a site is an EU site or not for this ruling – presumably by the whois/nominet registered address?

  5. and to end the week, what happened with the cookies? | Blog movilforum says:

    [...] delay the technical implementation of this measure until the end; in the United Kingdom, for example, it seems it will be 12 months from now, but it is possible that many businesses will use this time for a change of scenery, at least as far as [...]


