Get your website ready for the new cookie law

In May 2011 a law came into effect requiring websites to get permission before storing pieces of information called cookies on visitors’ computers.

Businesses were given a year to comply with this cookie law, yet most are yet to take action. You might not realise it, but your website probably uses cookies. We look at what you need to do to be prepared.

What the cookie law says

The cookie law requires you to get overt, informed consent from a website visitor before you store cookies on their computer. The Information Commissioner’s Office (ICO) has issued guidance (PDF) to help websites comply.

“The aim is to protect consumers,” says Richard Beaumont from The Cookie Collective, a company offering help to businesses looking to comply with the new rules. “Cookies are used to gather an awful lot of data from people online without them realising it.”

Indeed, many websites rely on cookies to keep visitors logged in or to remember what’s in their shopping basket as they move between pages.

Most web analytics services use cookies to generate website usage statistics. And advertisers rely on cookies to build profiles of individual users so they can display targeted adverts as they move between websites.

“The only cookies excluded from the law are any that are necessary to provide a service people are asking for,” continues Richard. “That mostly covers things like shopping basket cookies and a few types of cookie used to store information temporarily.”

“If you've got a website carrying advertising, or you're using social media add-ons, or rely on Google Analytics to measure site performance, all those types of technologies make use of cookies, so you’ll need to gain consent.”

Preparing for the cookie law

Digital business expert Dave Chaffey, co-founder of Smart Insights, believes companies are taking a ‘wait and see’ approach, as the law’s implications for online business could be far-reaching.

“Businesses are being cautious,” he confirms. “Companies are taking the view that they will wait and see what action the Information Commissioner takes against other brands. However, it’s important you can show you’re taking steps to comply with the law, even if you don’t fully implement a solution by May.”

Richard agrees: “You really need to start engaging the process now, and be seen to be doing that. You don’t need to be completely compliant by May, but if you’re not doing anything, they could come after you.”

The chance of your business being one of the first to be singled out is low. However, the ICO can levy fines of up to £500,000 for breaches of the cookie law, so the penalty for doing nothing could be significant.

Perform a cookie law audit

To understand your obligations under the cookie law, you need to establish what cookies your website uses. “A lot of people are quite surprised,” explains Richard. “They think their site doesn't use cookies, but actually they often do.”

There are several tools available to help you perform a cookie audit. Richard’s company offers Optanon, but you can also try the tools from Attacat or Bitstorm. Each lists the cookies used as you browse a website.

If your site only uses cookies from common services like Google Analytics, interpreting the list should be relatively easy. However, it can be harder to determine the function of less-common or custom cookies. If in doubt, seek expert advice from your IT supplier or web designer.

Getting cookie law consent

Once you know what cookies your website uses, you can determine whether or not you need to get consent from visitors to use them.

“Strictly speaking, most websites will need to get consent,” says Dave. “The only exceptions are cookies that are absolutely necessary to provide a service people are asking for, like a shopping basket.”

You’ll want visitors to opt-in to cookies as soon as they arrive at your website. This will probably mean displaying a message with a checkbox or confirmation button allowing them to provide consent.

The ICO website does this by showing a message at the top of the page. Other methods include showing the message in a fixed bar at the top of the screen or displaying an overlay on top of your website.

Because few sites have implemented cookie opt-ins so far, there’s little data to suggest which approach works best. You may need to experiment to find how to maximise the number of visitors opting in.

“One of the biggest challenges is the messaging,” continues Richard. “There’s a low understanding of what cookies are, so you need to explain clearly and concisely what cookies you use and why you need them.”

Off-the-shelf opt-in solutions are available. As well as The Cookie Collective’s service, Wolf Software provides a free solution for websites using Google Analytics.

As awareness of the cookie law grows, it’s likely other solutions will come onto the market. However, as most will require you to change your website code, it’s wise to get expert advice if you’re not comfortable doing this yourself.

Being pragmatic about the cookie law

Even though the enforcement date is approaching fast, there’s still a great deal of uncertainty surrounding the cookie law. As a result, it may be wise to take a staged approach to changing your website.

“Many businesses are taking a pragmatic approach to the cookie law”, sums up Dave. “They’re covering their backs by getting everything ready, but holding off actually implementing an opt-in until it becomes clearer how the law is being enforced.”

“If you’ve completed an audit and have a plan, it’s unlikely you’ll be made an example of.”

Popular resources relating to the cookie law

We've created a free guide to help you get to grips with the cookie law. Download it now:

• Coping with the EU cookie laws guide

We also have other resources relating to this topic:

• Making sense of the new EU cookie law
• Keep your web cookies legal