The EU Cookie Law

A backup of the EU cookie law website that used to live at theeucookielaw.com; the content is now hosted here instead.

Many moons ago I created a website called theeucookielaw.com – it was designed to help educate web developers who were freaking out over some changes they may have had to undertake on their website.

The site has run its course, the information on it is likely out of date, and I am going to pull it down.

In an effort to preserve the content I wanted to share it here.

Theeucookielaw.com Backup

Like me, I am sure you have heard a lot of talk recently about this new EU Cookie Law, and like me, when you first heard about it you added it to your ‘To think about later’ pile.

Unfortunately for all of us, we no longer have the luxury of thinking about it later: the law is upon us and we may need to act on it. The purpose of this micro-site is to inform and arm you so that you can, firstly, decide whether you need to do something, and secondly, easily find something to do about it.

The EU Cookie Law is the EU e-Privacy Directive, which comes into effect on 26th May 2012. What it means is that you have to get your visitors’ informed consent before placing a cookie on their machine. Here is a video explaining the EU Cookie Law and here is a link to the ICO website detailing the law.

A cookie is a small text file that a website can store on your computer to help keep track of different things, like if you want to stay logged into a website, or your preferences within a website. You can read more about them on this HTTP cookie Wikipedia article.

What is the fuss?

Because cookies are just text files, they can be used to store pretty much anything the website author wants to store, which raises many privacy concerns. Things like the Facebook ‘like’ button, which Facebook can use to track people on websites other than Facebook, have escalated the issue.

Is it just cookies?

No - The law also affects anything that acts like a cookie, for example:

  • Flash Cookies
  • HTML5 Local Storage

The ICO has said that it isn’t good enough to just re-implement the tracking some other way outside of cookie storage.

There are two things you are going to need before getting your site ready for this law:

  • To know what cookies you store
  • To know what stored cookies fall within the remit of this law

What cookies does my website store?

Ideally the website owner will know this information, but with so many people relying on third-party tools to build websites, it is my experience that you never really know what cookies your own site might be storing.

The best way I have found to discover what is left behind is to clear all your cookies, then use your site: visit each page and complete each action. Once you have done this, view your cookie information. How you view this information depends entirely on the web browser you are using; here are some of the more common ones.

Google Chrome

  1. Click on the spanner icon.
  2. Click on ‘Settings’.
  3. Click on ‘Under the Hood’.
  4. Click on ‘Content Settings’.
  5. Click on ‘All Cookies and Site Data…’.
  6. Browse to your URL and take a look.

Firefox

  1. Click on ‘Preferences’.
  2. Click on ‘Privacy’.
  3. Click on ‘Remove individual cookies’.
  4. Browse to your URL and take a look.

What do I do with the cookies that I do store?

The first thing you should do is stop setting cookies for anything you do not need. Over years of development a website can end up leaving things all over the place, and if there is anything you can remove, you should.

Any cookies you have left should be classified appropriately, as this will determine whether or not you need to comply.

How should I classify my cookies?

You should classify your cookies into four categories:

  • Essential - Required for your website to function, for example to mark someone as being logged in.
  • Non-Essential but harmless - Not essential to core functionality, but not used for tracking a user.
  • Fairly Intrusive - Used to track people but do not provide personally identifiable information, for example Google Analytics.
  • Very Intrusive - Used to track people and provide personally identifiable information.

What should I do with each type of cookie?

Once you have classified your cookies you will need to plan your next move based on what category they fell into.

One thing you will need to do for any and all cookies is provide some way for people to read about what you are doing. This is normally done as part of a privacy policy, which can be a lengthy document or, in the case of this site, a short paragraph at the bottom of the page. This policy should be as easy to read as possible.
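The two steps above (find out what is actually set, then classify it against what you have documented) can be turned into a small audit. The following is an added example, not code from theeucookielaw.com; the inventory table, the category names and the sample cookie string are constructed for illustration. In a browser you would pass document.cookie to auditCookies instead of the sample string. Anything that comes back as unknown is exactly the case described earlier: a cookie left behind by a third-party tool that nobody has classified or written into the privacy policy.

```javascript
// Added example (not from theeucookielaw.com): audit the cookies a page has set
// against a documented inventory, using the four categories from the text.
// The inventory and the sample cookie string are constructed for illustration.

// Categories from the article, in increasing order of intrusiveness.
const CATEGORIES = ["essential", "non-essential-harmless", "fairly-intrusive", "very-intrusive"];

// Hypothetical inventory: what this site believes it sets, and why.
// Every entry here should have a matching line in the privacy policy.
const INVENTORY = {
  session_id: { category: "essential", purpose: "keeps the user logged in" },
  lang: { category: "non-essential-harmless", purpose: "remembers the chosen language" },
  _ga: { category: "fairly-intrusive", purpose: "Google Analytics visitor id" },
};

// Parse the string form of document.cookie ("a=1; b=2") into name/value pairs.
// Values may themselves contain '=', so split only on the first one.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? { name: part, value: "" }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Compare what is actually set against the inventory. Unknown cookies are the
// ones the article warns about: undocumented, and therefore impossible to
// classify or describe in a privacy policy.
function auditCookies(cookieString, inventory) {
  const report = { byCategory: {}, unknown: [] };
  for (const c of CATEGORIES) report.byCategory[c] = [];
  for (const { name } of parseCookieString(cookieString)) {
    const entry = inventory[name];
    if (!entry) report.unknown.push(name);
    else report.byCategory[entry.category].push(name);
  }
  return report;
}

// Names that need consent before being set: everything that is not essential.
// An unknown cookie is treated conservatively, as if it needed consent.
function needsConsent(name, inventory) {
  const entry = inventory[name];
  return !entry || entry.category !== "essential";
}

// Constructed sample of what a browser might report after browsing the site.
const SAMPLE_COOKIE_STRING = "session_id=abc123; lang=en; _ga=GA1.2.111.222; __utma=old-tracker";

console.log(auditCookies(SAMPLE_COOKIE_STRING, INVENTORY));
```

Run it once after clearing cookies and clicking through every page and action, as the procedure above describes; any name in the unknown list either needs an inventory entry and a privacy policy line, or needs removing.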

Essential

You do not need to do anything with these; if they are required for the site to function, they fall outside the remit of this law.

Non-Essential but harmless

You should question why they are being used on your site and whether some other technology could achieve the same result. Technically these fall within the remit of the EU Cookie Law, so you should allow people to opt out, although the ICO has now said that implied consent is allowed.

Fairly Intrusive

You should be aware that these might start to land you in trouble if you do nothing: make 100% sure you have documented their existence in a privacy policy, and consider following the actions for a Very Intrusive cookie.

The following is a quote from the ICO:

The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.

In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

Very Intrusive

You need to work out the best way of allowing people to opt out of these cookies; unfortunately there is not yet one standard implementation of this. The important thing is that they are asked before the cookie is set; it is no good merely giving them easy access to delete a cookie afterwards. Having said that, this is a quote from the ICO regarding when a cookie is sent:

The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes it difficult to obtain consent before the cookie is set. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.
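One way to follow that guidance in code is to route every cookie write through a gate that only lets essential cookies through immediately and holds the rest back until the visitor has decided. The following is an added example, not code from theeucookielaw.com or the ICO; the CookieJar stand-in, the category names and the cookie_consent cookie name are assumptions for this illustration.

```javascript
// Added example (not from theeucookielaw.com or the ICO): a consent gate that
// delays non-essential cookies until the visitor has made a choice.
// CookieJar, the category names and CONSENT_COOKIE are assumptions.

// Minimal stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  has(name) { return this.store.has(name); }
  names() { return [...this.store.keys()]; }
}

// The visitor's decision is itself stored in an essential cookie: without it
// the site would have to ask again on every page.
const CONSENT_COOKIE = "cookie_consent";

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.pending = [];          // writes deferred until the visitor decides
    const saved = jar.get(CONSENT_COOKIE);
    this.decision = saved === "granted" || saved === "refused" ? saved : null;
  }

  // Site code calls this instead of writing document.cookie directly.
  // Returns what happened so callers (and tests) can see the gate's decision.
  setCookie(name, value, category) {
    if (category === "essential" || this.decision === "granted") {
      this.jar.set(name, value);
      return "set";
    }
    if (this.decision === "refused") return "dropped";
    this.pending.push({ name, value, category });
    return "deferred";
  }

  // Visitor agreed: record it, then flush everything that was held back.
  grant() {
    this.decision = "granted";
    this.jar.set(CONSENT_COOKIE, "granted");
    for (const { name, value } of this.pending) this.jar.set(name, value);
    this.pending = [];
  }

  // Visitor declined: record it and discard the deferred writes unset.
  refuse() {
    this.decision = "refused";
    this.jar.set(CONSENT_COOKIE, "refused");
    this.pending = [];
  }
}

// Walk-through of one constructed page load: the session cookie is set at
// once, the analytics cookie waits until the visitor grants consent.
function demo() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar);
  const results = {
    session: gate.setCookie("session_id", "abc123", "essential"),
    analyticsBefore: gate.setCookie("_ga", "GA1.2.111.222", "fairly-intrusive"),
    namesBefore: jar.names(),
  };
  gate.grant();
  results.namesAfter = jar.names();
  results.analyticsAfter = gate.setCookie("_gid", "GA1.2.333.444", "fairly-intrusive");
  return results;
}

console.log(demo());
```

The point of the deferred queue is the ICO's "wherever possible" clause: the cookie is not written at page load and then offered for deletion, it is simply not written until the visitor has had the chance to understand and choose. Third-party scripts that set their own cookies cannot be gated this way, so they need to be loaded only after grant() rather than unconditionally.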

Unfortunately there are currently no solutions 100% set in stone. Hopefully this website has helped to educate you somewhat, and at the moment I think that educated is the most you can hope to be.

