[Disclaimer: This blog post isn't in any way based on expert knowledge of website law but aims to clarify my own understanding. Errors will be rectified.]
I’ve just taken part in a Lasa webinar on the new cookie law, hosted by data protection guru Paul Ticher.
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into effect last year, but because of the complexity organisations were given a year to implement the changes.
So this year, on 26 May, website owners will be expected to have made reasonable steps towards complying with that law.
The core of the law is that you must not store information on someone else’s computer (a cookie) unless they understand what it is for and have given their consent.
According to the law you don’t need to get consent for cookies that are ‘strictly necessary’ for the functioning of a website. For example, if you run a commerce site you could argue that it’s ‘strictly necessary’ to use cookies to keep track of what items people have put into their virtual shopping basket.
So what should organisations be doing now? Hopefully you’ve been working up to this for the last year and have already made changes. If you’ve only just found out about it, or were hoping it would go away, there are still things you can do in the next six weeks or so to ensure you don’t get chased by the Information Commissioner (IC):
- Review all of the cookies that you have set up on your website.
- Evaluate each one to see how intrusive it is and whether it is absolutely necessary. (Cookies that record a choice the user has made, such as ‘remember me on this computer’, are felt to be less intrusive. You should still let people know you’re using them.)
- Update your privacy statement to say where cookies are used on your site and what they’re for, even if you’ve classed them as ‘strictly necessary’.
That’s not the end of it: to be fully compliant you need to give people the opportunity to agree to cookies while they’re using your site. A sign-in page can be a good place for this if you have one.
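As an added illustration (not code from the original post or from any site it mentions), this is how a site could put the three steps above into practice: keep a registry of every cookie with its purpose and category, set ‘strictly necessary’ cookies regardless, hold back analytics cookies until the visitor has agreed, and generate the cookie table for the privacy statement from the same registry. Cookie names, purposes and the in-memory jar are constructed for the demo.

```javascript
// Registry built from the cookie review: one entry per cookie, with its purpose
// and the category decided during evaluation. Names and purposes are assumptions.
const COOKIE_REGISTRY = {
  basket_id:   { category: 'strictly-necessary', purpose: 'Keeps track of the items in your shopping basket' },
  remember_me: { category: 'user-choice',        purpose: 'Remembers your login on this computer' },
  _ga:         { category: 'analytics',          purpose: 'Google Analytics visitor statistics' },
};

// Only strictly necessary cookies may be stored before the visitor has agreed.
// For a 'user-choice' cookie the tick box itself is the consent, so the caller
// passes consent=true when the box was ticked.
function isAllowed(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;                      // unregistered cookie: audit it first
  if (entry.category === 'strictly-necessary') return true;
  return consent === true;
}

// Stores the cookie in the jar (a Map standing in for document.cookie) when
// allowed; returns whether it was stored.
function setCookie(jar, consent, name, value) {
  if (!isAllowed(name, consent)) return false;
  jar.set(name, value);
  return true;
}

// Lines for the privacy statement: every registered cookie, what it is for, and
// whether consent is asked for it.
function privacyStatementLines() {
  return Object.entries(COOKIE_REGISTRY).map(([name, e]) => {
    const consent = e.category === 'strictly-necessary' ? 'no consent required' : 'set only with your consent';
    return `${name}: ${e.purpose} (${consent})`;
  });
}

// Demo: the same visit before and after the visitor agrees to cookies.
function demo() {
  const before = new Map();
  setCookie(before, false, 'basket_id', 'b123');
  setCookie(before, false, '_ga', 'GA1.2.1');
  const after = new Map();
  setCookie(after, true, 'basket_id', 'b123');
  setCookie(after, true, '_ga', 'GA1.2.1');
  return { before: [...before.keys()], after: [...after.keys()] };
}

console.log(demo());
console.log(privacyStatementLines().join('\n'));
```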
The Information Commissioner (IC) has said that cookies used in analytics packages are covered by the law but not a priority. (Reference for this statement to follow).
Even though the IC has said that tracking cookies aren’t a priority for them, they’re still covered by the law and need to be considered. One concern raised for users was that although the Google Analytics terms say you can’t use it to track personal information (section 7), the same terms (section 6) say that Google themselves can use any information captured. There’s no clarity in there about what they might do with this information.
Some examples of cookie statements:
- http://www.ico.gov.uk/
- http://www.deliaonline.com/ (pop-up)
- http://www.south-ayrshire.gov.uk
- http://allthingsd.com/
One thing that came up during the webinar and didn’t get answered is whether, and how, this law affects sites like Facebook, which many organisations use for their business and which track users across sites. Does anyone have thoughts on this issue?
Paul has written up a handy guide to the new cookie law at http://ictknowledgebase.org.uk/cookielaw.
There’s also an interesting blog post from E Consultancy: http://econsultancy.com/uk/blog/9202-eu-cookie-law-three-approaches-to-compliance.
The Citizenship Foundation are running an event on 4th May in Birmingham: http://citizensheep.com/blog/2012/04/17/charities-and-the-cookie-law-birmingham-event/.
We decided not to have an intrusive popup and to ditch our Google Analytics. I’ve been watching the http://www.gov.uk site closely, as they have a popup which I think isn’t compliant at the moment (you don’t opt in). However, their document on cookies says:
“The use of metrics are integral to departments’ being able to provide the best possible user experience in order to encourage citizens to use more cost-effective channels for accessing government services. They also allow departments to assess and demonstrate whether the digital services they offer provide “value-for-money” as demonstrated by the recent National Audit Office (NAO) report. Consequently, collecting these metrics are essential to the effective operation of government websites, at present the setting of cookies is the most effective way of doing this.”
Source: http://alphagov.files.wordpress.com/2012/03/gds-cookies-implementer-guide.pdf
So they are arguing that analytics are necessary; I don’t think I could get away with that.
Thanks for the great summary Louise.
“Paul Ticher’s Data Protection Roundup: April 2012 – New cookie law: just around the corner” is available on Lasa’s ICT knowledgebase here: http://www.ictknowledgebase.org.uk/cookielaw and notes from the webinar including additional resources here: http://www.ictknowledgebase.org.uk/cookieevent
Hi Louise. Thanks for the summary and the helpful links. I use WordPress for a self-managed website with Google Analytics. Following the Lasa webinar, I found Cookie Control (http://civicuk.com/cookie-law/index), which offers a WP plug-in. It works well on my site. I then followed your links, which led me to Firebug (as a means of auditing my site). They also gave me good ideas for my Privacy Policy.
FYI see the results at http://dashlight.co.uk/
Thanks for this info, really helpful. I’ll have to take a look at those links.