On 25th May 2011 an amendment was introduced to UK law via ‘The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011’, based on changes to Article 5(3) of the ‘E-Privacy Directive’ from the EU. These amendments introduced new requirements on how cookies and other similar technologies are to be handled on websites (see the appendix for the exact wording of the new legislation). In summary, websites must provide more comprehensive information about cookies, and users must give their consent for them to be used.
The Information Commissioner’s Office (ICO) is responsible for enforcing this legislation, and has published guidance about how to comply with it (see ). However, they have stated that they will not actively enforce it until after 25th May 2012. Even after that there will not be a wave of enforcement actions against companies that do not comply – it is more important to demonstrate that steps are being taken to gradually improve compliance. This report aims to outline the implications of this legislation and to provide examples of tools and solutions used by other sites. If you would like to learn more about how this might impact your website, please do not hesitate to contact us.
Cookies are small files that are stored on a user’s computer when they visit a website, and can be used to store user preferences, details relating to the current user’s session (e.g. shopping cart contents), or for tracking purposes – e.g. to find out how many users visited the site and what pages they visited. Note that the legislation does not explicitly apply to cookies – however cookies are the technology that would be most heavily affected by it.
It may be helpful to consider the various types of cookies that are used by a typical site – see  for some examples. Also see  for more detailed examples of specific elements on a website that could be affected. Finally, the International Chamber of Commerce (ICC) has released a guide to cookies (see ), which proposes grouping them into the following categories: ‘Strictly necessary’, ‘Performance’, ‘Functionality’, and ‘Targeting / Advertising’. It can be useful to group cookie types in this way, as a means to establish how intrusive they might be.
Achieving full compliance with this legislation will be extremely challenging (see the section below for some of the potential issues). Indeed, it is very easy to get bogged down in the technical details of how best to comply with all aspects of it. In reality, though, it is more important to try to embrace the ‘spirit’ of the law (which is to increase users’ awareness of how cookies are used on a website, and improve their privacy as a result), rather than the letter of it. The ICO’s own guidance states that non-intrusive cookies are unlikely to be a priority, and lists some ‘quick wins’ that could be implemented easily to help improve compliance.
Potential issues to consider:
A good proportion of sites use ‘session cookies’ – i.e. cookies that are set when a user first visits the site, and that are retained until the end of their browser session (i.e. when they close their browser). These are used for various purposes, such as checking whether or not the user is logged in, and keeping track of any items in their basket when placing an order.
It is worth mentioning that the legislation does include an exemption for cookies that are ‘strictly necessary’ for the site to work as intended. However, the ICO has stated that this exemption has to be interpreted narrowly, and the unique ID associated with session cookies can be cross-referenced against other data, and used for all kinds of other purposes – such as tracking user activity on a website.
A number of ecommerce sites track the exact stage of the order process any users have reached, and link this to any contact data supplied. This allows the website to identify users who have dropped out of the order process prior to completion – and then contact them directly, offering incentives to proceed with the order. Whilst this is of course extremely beneficial from the website owner’s perspective, it is hard to argue that this kind of activity is ‘strictly necessary’ for the website to function. In cases like this, the same session cookie is used for multiple purposes, some of which are strictly necessary and some of which aren’t. It is probably safest, therefore, to regard session cookies (and any similar cookies) as subject to the legislation. So for many ecommerce websites to achieve full compliance, substantial re-engineering of some functionality could potentially be necessary.
User experience considerations:
Obtaining consent for using cookies may be highly disruptive to the user’s experience of using a website. The most effective solution to guarantee compliance would be to display a popup on every page, asking whether cookies can be used. However, this is likely to be incredibly frustrating for users who visit. To prevent the popup from appearing every time a page is viewed, a cookie would probably have to be set after it has been shown the first time – ironically, potentially violating the very law that is being upheld!
Another solution would be to display a prominent banner on every page asking the user if cookies can be used. The ICO’s website uses this approach:
However, this is still very disruptive to users visiting the site, not to mention that it does not fit in well with existing designs. Attempting to find a solution that causes as little disruption as possible is therefore important.
Third party services:
Our websites include a lot of functionality provided by third parties. One major example is the usage of Google Analytics to track visits to the sites. Such services may set cookies as well – something we have very little control over. The ICO claims that Analytics cookies are subject to the legislation, but are highly unlikely to be prioritised during enforcement. Interestingly, other government departments claim that the usage of Google Analytics is ‘essential’ to operate their websites and is therefore exempt – however, it could be risky to rely on this assertion!
Other third party services include social media buttons, feeds from other websites (e.g. recent Twitter updates), embedded videos from services such as YouTube, embedded Google maps, embedded third-party advertisements, third-party ‘heatmap’ scripts, etc – all of these could potentially store tracking cookies simply as a result of users visiting our websites, thus preventing our website from being compliant. Unfortunately in most cases it is impossible to avoid this, except by not using the services in question (at least until the user has given their consent) – which creates a more negative experience for visitors.
Types of Consent:
The ICO would prefer consent to be obtained prior to any cookies being set on a site. In reality, though, this could be very difficult to achieve – for example, as discussed above, session cookies are often set as soon as a user visits a site, and changing this could require a huge amount of re-engineering work. For such cases, the recommendation is that ‘websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies’.
A related issue is whether users need to explicitly consent to cookies being set, or whether this can just be inferred. Based on the ICO’s guidance (including the implementation examples they have provided), implied consent may be acceptable – but only if there is a clear shared understanding about what is being agreed to. Therefore, if clear information is provided about cookies, and prominent links to this are placed in appropriate places, this may well be sufficient to achieve compliance. Other recent statements from the ICO also tend to support this viewpoint.
The reason this is important is that requiring explicit consent before any cookies are set is not only highly disruptive for visitors, but could also be very difficult to implement – and in the long run could have a huge detrimental impact on the site. One very good example of this is the ICO website itself – since they introduced the banner at the top asking about cookies, they experienced almost a 90% drop in the number of visitors reported by Google Analytics! It is highly unlikely that any of our clients would accept analytics statistics relating to only 10% of the people who visit their website… For this reason, a strong recommendation is to rely on implied consent as far as possible.
Next Steps and Auditing tools:
A very important step that should be completed is an audit of your website, to find out what cookies are being used on it at present. This is a challenging task in itself, owing to the number of cookies set by third parties. Thankfully, a number of tools are available to perform much of this work automatically:
Examples of browser plugins that can be used to log cookie usage on a website:
Third party services that provide cookie auditing:
The reason that it is important to audit your website in this way is that part of the legislation requires you to provide clear and comprehensive information about what data is being collected – and merely attempting to implement a solution without actually knowing what cookies are being set will not be sufficient to comply with this. Furthermore, it would make it easier to determine which cookies are more intrusive, and prioritise implementing consent mechanisms for these. Finally, for more complex websites where it will take a lot of time to become fully compliant, it would be a good way to demonstrate that action is being taken to work towards it.
Existing Approaches and Solutions:
One of the challenges associated with this legislation is that there are very few existing examples of implementations on high profile UK websites, making it hard to determine what can be considered ‘best practice’. Indeed, a recent survey of 55 major British companies revealed that only 5% of the websites were compliant. However,  does include some examples of existing implementations.
By far the best implementation so far is visible on the BT website (http://www.bt.com). This works using the ‘Implied Consent’ approach described above – the first time the user visits the site, a fairly inconspicuous notification message appears on the bottom right:
Note that this is cleverly worded – if the user takes no action at this stage, they are presumed to have accepted the usage of cookies. Furthermore the message disappears after a few seconds, and never appears again when they visit the site. However, if they click on the ‘Change Settings’ button, a popup appears with a slider which can be adjusted to determine which types of cookies should be stored when they visit the site (this popup can also be accessed by clicking on the ‘change cookie settings’ link below the footer). There is also a link to a page containing much more detailed – yet easy to understand – information about cookies collected on the site, including a full list of all cookies broken down into separate groupings as recommended by the ICC (see above).
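The first-visit notice and the consent-gated loading of third-party scripts described above, as an added example in JavaScript that is not code from the original post, from BT, or from any of the plugins listed below. The cookie name `cookie_consent`, the `cookie-notice` element id and the three category names are assumptions; the functions take the cookie string as a parameter so they run against `document.cookie` in a browser and stand-alone under Node.

```javascript
// Cookie name and notice element id are assumptions; categories follow the ICC grouping.
const CATEGORIES = ["performance", "functionality", "targeting"]; // strictly necessary needs no consent
const CONSENT_COOKIE = "cookie_consent";
// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    jar[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}
// Categories the visitor has allowed, or null if the notice was never shown.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  return CATEGORIES.filter((c) => raw.split(",").includes(c));
}
// Value to assign to document.cookie to remember the choice. This is the one
// cookie set before consent, so it holds only the choice and no identifier.
function buildConsentCookie(allowed, maxAgeDays = 365) {
  const value = encodeURIComponent(allowed.length ? allowed.join(",") : "none");
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax`;
}
// Implied consent: the first visit shows the notice once and treats no action
// as acceptance of every category; later visits honour the stored choice.
function decideOnVisit(cookieString) {
  const stored = readConsent(cookieString);
  if (stored === null) return { showNotice: true, allowed: CATEGORIES.slice() };
  return { showNotice: false, allowed: stored };
}
// Gate a third-party loader (e.g. Google Analytics, a 'performance' cookie) on consent.
function loadIfAllowed(category, allowed, loader) {
  if (!allowed.includes(category)) return false;
  loader();
  return true;
}
// Browser glue; skipped when the functions above are exercised under Node.
if (typeof document !== "undefined") {
  const state = decideOnVisit(document.cookie);
  if (state.showNotice) {
    document.cookie = buildConsentCookie(state.allowed);
    const notice = document.getElementById("cookie-notice"); // assumed markup
    if (notice) { notice.hidden = false; setTimeout(() => { notice.hidden = true; }, 8000); }
  }
  loadIfAllowed("performance", state.allowed, () => { /* inject the analytics script here */ });
}
```

A ‘Change Settings’ control would call `buildConsentCookie` with the visitor’s narrower selection and reload the gated scripts accordingly.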
Existing Scripts and Plugins:
A number of scripts and plugins have been made available that could ease implementation of cookie compliant solutions on our websites. Some examples are below:
Cookie Control – http://www.civicuk.com/cookie-law/index
Cookie Consent – http://silktide.com/cookieconsent
CookieQ – http://cookieq.com/CookieQ
cPrompt – http://michaelwright.me/cPrompt
CookieCuttr – http://cookiecuttr.com/ (non-free WordPress plugin also available)
Optanon (payment required) – http://www.cookielaw.org/optanon.aspx
In addition, a few cookie consent WordPress plugins can be used (note that plugins like this are not as readily available on other platforms, so if you do not have a WordPress website you would need to adopt other approaches):
EU Cookie Directive Compliance Plugin – http://wordpress.org/extend/plugins/cookiecert-eu-cookie-directive/
EU Cookie Directive – http://wordpress.org/extend/plugins/eu-cookie-directive/
Cookie Control – http://wordpress.org/extend/plugins/cookie-control/
However, virtually all of the scripts and plugins above appear to have significant limitations:
These limitations dramatically reduce the benefits of using these scripts and plugins. Overall, therefore, the general recommendation is against using them, except in cases where we are confident they meet our needs precisely, or they are requested directly by a client. It is very important, however, to make sure that in-house solutions are as straightforward and easy to implement as possible – a high level of re-usability is essential.
References:
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx
http://www.ico.gov.uk/news/blog/2011/half-term-report-on-cookies-compliance.aspx
http://www.cookiecert.com/news/cookie-law-by-example.php
http://silktide.com/cookielaw/about/what-is-affected
http://www.international-chamber.co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cookie_guide.pdf
http://econsultancy.com/uk/blog/9416-eu-cookie-law-uk-government-crumbles
http://www.cookielaw.org/blog/2012/4/4/cookie-law-update-from-the-ico.aspx
http://econsultancy.com/uk/blog/8210-q-a-lbi-s-manley-on-preparing-for-the-eu-cookie-laws
http://www.kpmg.com/uk/en/issuesandinsights/articlespublications/newsreleases/pages/long-way-to-go-for-uk-institutions-with-majority-yet-to-comply-with-eu-cookie-law.aspx
http://www.malcolmcoles.co.uk/blog/eu-cookie-law-examples-of-sites-already-implementing-it/
Below is the exact wording of the new EU legislation relating to cookie storage [emphasis added]:
A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information;
(b) has given his or her consent.
There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user. [Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) – see ]
Credit: This post was written by Generate UK Senior Developer Patrick Hathway.