EU cookie law: make sure your website complies

In May 2011 a law came into effect requiring websites to get permission when storing pieces of information called cookies on visitors’ computers.

At the time, there was some confusion over how the law would be implemented. As a result, websites took differing approaches in an effort to meet the rules.

At one end of the scale, some businesses did absolutely nothing. At the other, companies added large consent messages to their websites, requiring users to explicitly agree to the website's cookie policy before being able to proceed further.

What the cookie law says

The cookie law requires you to get consent from a website visitor when you store cookies on their computer. The Information Commissioner’s Office (ICO) has issued guidance (PDF) to help websites comply. There's also a useful video on its website.

“The aim is to protect consumers,” says Richard Beaumont from The Cookie Collective, a company offering help to businesses looking to comply with the new rules. “Cookies are used to gather an awful lot of data from people online without them realising it.”

Indeed, many websites rely on cookies to keep visitors logged in or to remember what’s in their shopping basket as they move between pages.

Most web analytics services use cookies to generate website usage statistics. And advertisers rely on cookies to build profiles of individual users so they can display targeted adverts as they move between websites.

“The only cookies excluded from the law are any that are necessary to provide a service people are asking for,” continues Richard. “That mostly covers things like shopping basket cookies and a few types of cookie used to store information temporarily.”

“If you've got a website carrying advertising, or you're using social media add-ons, or rely on Google Analytics to measure site performance, all those types of technologies make use of cookies, so you’ll need to gain consent.”

Beyond wait and see

When the law first came in, many companies took a 'wait and see' approach, preferring to see how the ICO was going to enforce the law before adding disclaimers that could affect their websites' performance.

However, now the law has had time to bed in and organisations have been able to see how it works in practice, a consensus on how to gain users' consent seems to be emerging.

It's worth noting that the ICO can levy fines of up to £500,000 for breaches of the cookie law, so the penalty for doing nothing could be significant.


What are cookies?

Cookies are small files which websites place on visitors’ computers.

They’re used to give website users a better experience – for instance, by keeping them logged in or remembering what items they’ve placed in their shopping basket.

More controversial uses for cookies include tracking visitors as they move between websites in order to provide targeted adverts. If you’ve ever visited a website, then seen adverts for that company’s products on other websites, that’s cookies at work.


Perform a cookie law audit

To understand your obligations under the cookie law, you need to establish what cookies your website uses. “A lot of people are quite surprised,” explains Richard. “They think their site doesn't use cookies, but actually they often do.”

There are several tools available to help you perform a cookie audit. Richard’s company offers Optanon, but you can also try the tools from Attacat or Bitstorm. Each lists the cookies used as you browse a website.

If your site only uses cookies from common services like Google Analytics, interpreting the list should be relatively easy. However, it can be harder to determine the function of less-common or custom cookies. If in doubt, seek expert advice from your IT supplier or web designer.

Audits can easily go out of date, as cookies and websites change quickly. Richard advises clients to audit at least once a year, and in some cases every 3 to 6 months.
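The audit described above can be started from the Set-Cookie headers a browser sees while loading a page. The helper below is an added example, not code from the article or from any of the audit tools it names; the hostnames and cookies in the sample are constructed.

```javascript
// Added example: turn Set-Cookie headers captured during a page load into an
// audit inventory (who set each cookie, first or third party, session or
// persistent). Deciding which cookies are "strictly necessary" still needs a
// human; this only surfaces the facts that decision depends on.

// Parse one Set-Cookie header into { name, value, attrs } (attribute names lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const [name, value] = eq === -1 ? [pair, ''] : [pair.slice(0, eq), pair.slice(eq + 1)];
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Simplified "same site" test: the setting host is the audited hostname or a
// subdomain of it. A production audit would compare registrable domains.
function sameSite(host, siteHost) {
  return host === siteHost || host.endsWith('.' + siteHost);
}

// Build the inventory. `responses` is [{ host, setCookie: [header, ...] }].
function auditCookies(siteHost, responses) {
  const rows = [];
  for (const { host, setCookie } of responses) {
    for (const h of setCookie) {
      const c = parseSetCookie(h);
      rows.push({
        name: c.name,
        setBy: host,
        party: sameSite(host, siteHost) ? 'first' : 'third',
        lifetime: 'expires' in c.attrs || 'max-age' in c.attrs ? 'persistent' : 'session',
        secure: c.attrs.secure === true,
        httpOnly: c.attrs.httponly === true,
      });
    }
  }
  return rows;
}

// Constructed sample: a shop page sets its own basket cookie, while an embedded
// analytics script and an ad network each set cookies from their own hosts.
const SAMPLE_RESPONSES = [
  { host: 'www.example-shop.test', setCookie: ['basket=abc123; Path=/; Secure; HttpOnly'] },
  { host: 'analytics.vendor.test', setCookie: ['_vid=9f8e7d; Max-Age=63072000; Path=/'] },
  { host: 'ads.network.test', setCookie: ['uid=u-42; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Domain=.network.test'] },
];
console.table(auditCookies('example-shop.test', SAMPLE_RESPONSES));
```

Only the first-party session cookie here looks like a candidate for the "necessary to provide a service" exemption; the two persistent third-party cookies are exactly the kind the consent requirement is aimed at.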

Getting cookie law consent

Once you know what cookies your website uses, you can determine whether or not you need to get consent from visitors to use them. Most websites need to get consent.

Since the law came into force, the most common way of doing this seems to be to display a message when a visitor first arrives at the website. For instance (from the BBC website):

"We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we'll assume that you are happy to receive all cookies on the BBC website. However, if you would like to, you can change your cookie settings at any time."

The message is usually shown alongside a button labelled 'continue' (or similar), allowing the user to close the message and continue their visit.

It's also a good idea to provide a link to more information about the cookies you use. After all, the law requires users to give their informed consent.

You can see a similar message at the bottom of the ICO's own home page. Other methods include showing the message in a fixed bar at the top of the screen or displaying an overlay on top of the page.

“One of the biggest challenges is the messaging,” continues Richard. “There’s a low understanding of what cookies are, so you need to explain clearly and concisely what cookies you use and why you need them.”

How to show your cookie message

How you display a message to your users will depend on how you built your website:

  • If you created your website using a website builder tool or software, there may be an option to add a message about cookies. 
  • If you built your site from scratch or worked with a web designer then you may have to edit your website's code. Seek assistance if you are not comfortable with this.

Off-the-shelf solutions are also available, and these may be the most convenient option. As well as The Cookie Collective’s service, Sitebeam provides a free solution.

Is this enough for the cookie law?

Although most websites that have implemented a cookie message take the route described above, this may not be strictly compliant with the law.

Further guidance (PDF) issued by the EU suggests that you must give visitors the choice of accepting or refusing cookies (rather than just a 'continue' button), and that you should keep this choice available during each visit.
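One way to implement the stricter reading above, as an added example that is not the article's or any vendor's code: offer accept and refuse rather than a bare 'continue', remember the choice in a first-party cookie, keep it changeable, and load non-essential scripts only after an explicit accept. The cookie name `cookie_consent`, the element ids and the script path are assumptions for this example.

```javascript
// Added example: a consent gate for non-essential cookies. Essential cookies
// (login, basket) are unaffected; analytics and advertising tags are loaded only
// once the visitor has accepted. A refusal is recorded too, so the banner is not
// repeated and the site can offer "change cookie settings" instead.

const CONSENT_COOKIE = 'cookie_consent'; // assumed name for the preference cookie
const ONE_YEAR = 60 * 60 * 24 * 365;
// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookieString(str) {
  const out = {};
  for (const part of str.split(';')) {
    const p = part.trim();
    if (!p) continue;
    const i = p.indexOf('=');
    out[i === -1 ? p : p.slice(0, i)] = i === -1 ? '' : p.slice(i + 1);
  }
  return out;
}
// 'accepted', 'refused', or 'unknown' (no valid choice recorded yet).
function consentState(cookieStr) {
  const v = parseCookieString(cookieStr)[CONSENT_COOKIE];
  return v === 'accepted' || v === 'refused' ? v : 'unknown';
}
// Value to assign to document.cookie to record a choice. The preference cookie
// is itself one the visitor asked for, so it does not need separate consent.
function consentCookie(choice) {
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${ONE_YEAR}; Path=/; SameSite=Lax; Secure`;
}
// What the page may do for a given cookie string: show the banner while the
// choice is unknown, and load non-essential scripts only after an accept.
function plan(cookieStr) {
  const state = consentState(cookieStr);
  return { state, showBanner: state === 'unknown', loadNonEssential: state === 'accepted' };
}

// Browser glue, skipped under Node: show or hide the banner and wire the buttons.
function loadNonEssential() {
  const s = document.createElement('script');
  s.src = '/assets/analytics.js'; // assumed location of the analytics tag
  document.head.appendChild(s);
}
if (typeof document !== 'undefined') {
  const p = plan(document.cookie);
  document.getElementById('cookie-banner').hidden = !p.showBanner; // assumed element id
  if (p.loadNonEssential) loadNonEssential();
  const choose = (c) => () => { document.cookie = consentCookie(c); location.reload(); };
  document.getElementById('cookie-accept').onclick = choose('accepted');
  document.getElementById('cookie-refuse').onclick = choose('refused');
}
```

A "change cookie settings" link elsewhere on the site can simply clear the preference cookie (or call `choose` again), which keeps the choice available during each visit as the guidance asks.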

Having said that, pragmatically it seems unlikely that any business which has taken steps to make users aware of its cookies will attract attention.

In December 2012 the ICO confirmed that it is concentrating its efforts on sites that make no effort to raise awareness or seek consent, and that within that group the UK's top 200 most popular websites were its priority.
