The law which applies to how you use cookies and similar technologies for storing information on a user’s equipment such as their computer or mobile device is changing on 26 May 2011.
If you run a website then you are probably wondering if this affects you and how you can comply with this change in the law.
But what exactly is the change? Well previously companies could simply provide information about how they were using cookies on a page such as their privacy policy. As long as it was clear how cookies were being used then everything was fine essentially. If the user didn’t want to allow you to use cookies they had to know how to rummage through their web browser settings and block them.
This ‘automatic opt-in’ to cookie use is what the law is attempting to change. Instead the law now states that the user must ‘give their consent’.
But what does this mean from a practical point of view? This is what is currently causing web developers , and designers, to be tearing their hair out with frustration (not that I have any hair left myself – it has long since been sacrificed to the programming gods).
The government’s own website provides a brief overview (http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf) but it comes down to interpretation. Indeed as of today (two days before the law supposedly comes into effect) the ICO website itself has not implemented any kind request for consent, so if the government isn’t doing it what chance has anyone else got of working it out !
Anyway, back to specifics.
How could this be implemented?
Well there are essentially two options:-
1. the closed-door approach
Before you let anyone into your website you send them to a ‘pre-website’ page that forces them to give you consent to use cookies before you let them in.
Technically the least complicated to implement, but from a usability perspective this is the digital equivalent of drowning kittens. It just makes you want to scream NOOOOO!
2. the ask-when-you-need-to approach
You let people enter your website as normal, but with no tracking cookies enabled. You ask for consent, perhaps through a popup or as part of a relevant sign-up form, as and when you need to start using cookies. Which may of course be straight away as soon as they land on your home page.
More difficult, and therefore costly, to implement but better for usability.
Which cookies?
You may also be wondering if this law applies to all cookies or just some.
Strictly speaking it is all cookies unless a cookie is ‘strictly necessary’ for the operation of the website. This term is of course rather open to interpretation.
And yes, this does include the ubiquitous Google Analytics. If your users decide to block your Google analytics cookies (and given the choice they most probably will) then you can wave goodbye to your ability to find out how many people are visiting your site and how they are interacting with it.
Still confused?
Don’t worry, just about everyone else is in the same boat right now.
My advice would be:-
- audit your current cookie use, and work out which of your cookies are likely to require consent from your user
- make sure your privacy policy is up to date
- consult with your web developer to decide the most appropriate course of action for your particular website, and what the likely costs of implementing the changes will be
- plan for the impact this will have on your ability to gather statistics about your website use
Right now though everyone seems to be watching everyone else to see how best to progress.
