The cookie crumbles: making sense of new EU law

September 12, 2011 by Finlay Carmichael (C2 Software)

The new EU law on website cookies came into force on 26 May. But there’s been little clear guidance on what’s expected of website owners or what the penalties might be if you don’t comply.

For business owners who might not even know what a cookie is, expecting them to interpret this new law seems a little much! It’s frustrating, so we’ve tried to make some sense of what you need to do to comply with the law.

What is a cookie, anyway?

A cookie is a small piece of information that a website can place on your computer when you visit it. Cookies are used for all kinds of things - most commonly, for web analytics, to track what people do when they’re on a website.

However, they can also be used by sites to remember what was in your shopping basket last time you visited, or to show you particular adverts or content depending on what you’ve looked at before.

The principle behind the new cookie law is that people have a right to know and decide what’s downloaded to their computers. When they first visit a website, they should see an explanation of the cookies that site uses and be able to choose which should be used.

And that’s where it gets tricky. Many website owners don’t themselves know what cookies their sites use. There will be cookies used to smooth the browsing experience, cookies that collect information on user habits and, increasingly, third-party cookies used by services like Google Analytics.

Audit your cookies

This confusion means the best way to start is to audit your website, so you know what’s there. There’s some good advice about doing a cookie audit here, and a free tool that can help too (although you’ll need to be using Google Chrome as your web browser).

If your website was built by a web developer or designer, they should be able to help you understand what cookies it uses. Your IT supplier may be able to offer advice too.

Decide which cookies you actually need

Once you have a list of all the cookies your website uses, decide which you actually need, and think about which ones your visitors are likely to accept.

For instance, do you need cookies for web analytics (yes, probably – without them you’ll struggle to learn more about the people who visit your site), or for social bookmarking services?

Then you need to work on telling visitors about the cookies you decide to keep. How do you explain each in a way that encourages people to accept them? In my experience, people can be understanding when they realise the benefits cookies bring them. So, with careful wording, you can make sure most are accepted.

You should list each cookie and link to information about it to have a greater chance of it being accepted. There’s a good example at the top of the Information Commissioner’s website:

“The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.”

The message is followed by a simple check box which users can tick (or not). If they tick it, the site can activate all the non-essential but useful cookies.

A big change

There’s no denying this is a big change. Some web designers have serious concerns about its impact.

For now, we can just advise you to manage these issues as well as possible, with the aim of making it easy for visitors to understand what your cookies are and why they are important. As more websites start to make these changes, people will become savvier – as individuals, we’ll discover our own cookie comfort levels and work from there.

Finally, don’t panic. There’s a year-long grace period for websites to get things in order. But what happens after that – in terms of penalties – is unknown. So our advice is to do the work now, while you have time to think it through, and before you are forced into doing it.

Comments

TheCookieCrunch

A small point, but Google Analytics does not set third party cookies - they only report back to the site they are hosted on, and therefore are first party cookies - so they do not enable tracking between domains.

For more information - check out: http://www.cookielaw.org
