In May 2011 a new directive came into force across the EU with the aim of protecting user privacy: it requires sites to explain what information their cookies collect and to obtain user consent before using those cookies.
In simple terms, the law stipulates that a website must do the following:
- Categorise the site's cookies based on their criteria
- Inform the customer and obtain their consent.
All websites owned in the EU or targeted towards EU citizens are expected to comply with the law.
There are two main categories of cookies: essential and non-essential. Broadly speaking, these can be defined as follows:
- Essential - Always 1st party and not persistent. These include functional navigation cookies and user session cookies for shopping baskets. They fall outside the remit of this law.
- Non-essential but harmless - Always 1st party and may be persistent. These cookies include accessibility options for visually impaired users and, arguably, analytics cookies. They fall within the remit of the EU Cookie Law.
Aside from these two main categories, there are also the following types of cookies:
- Fairly intrusive / medium compliance risk - Usually 1st party and persistent. These might be used to store personally identifiable information or limited cross-site tracking in order to present content based on previous visits. Another good example is the Facebook “Like” button.
- High compliance risk - 3rd party and persistent. These are mainly used to track and record visitor interests without prior consent and to aggregate this data for use by 3rd parties, normally advertisers. This also includes cookies set through embedded content that is not ad-related, such as Google Maps and YouTube videos.
For a site to comply with the legislation, it must gain the consent of its web users before placing non-essential cookies on their computers. Essentially, the site must involve some form of communication in which the individual knowingly indicates their acceptance. This may involve clicking an icon, dismissing a banner, sending an email or subscribing to a service.
The original law stipulated that users should have the option to opt out of cookies, meaning that the site had to support the additional functionality of not setting cookies for that user; from a logistical standpoint, however, this was deemed unfeasible. In most cases it is acceptable to provide information to the user on how cookies can be controlled or disabled on the site.
In general, implied consent is assumed; however, the rules vary from country to country, and in some cases consent must be given in advance. There are two main types of consent:
- Implied – The site assumes that the user agrees to the use of cookies on the site; if they continue to browse, this is taken as official consent
So what steps should be undertaken to become compliant?
Getting a site to a compliant state depends on many of the factors mentioned above, but generally the process can be summarised in 5 simple steps:
- Perform an audit of the cookies and identify each cookie’s category and purpose
- Confirm what regional rules govern the site
- Review implementation options
- Agree on the cookie policy wording and content
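The first step, the cookie audit, comes down to sorting each cookie on the two technical axes the category definitions above use (1st vs 3rd party, persistent vs session) and then deciding its purpose. The script below is an added example, not code from the original post or from any product it mentions: it parses `Set-Cookie` headers captured from a site's responses and places each cookie in one of the post's risk bands. The site name, the hostnames and the header values are constructed sample data, and the `registrable_domain` helper is a deliberate simplification (an assumption; a real audit should use the Public Suffix List).

```python
"""Cookie audit helper for the categorisation step of the Cookie Law.
Added example (not from the original post); all sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Risk bands, following the post's definitions.
FIRST_PARTY_SESSION = "first-party session: outside the remit if functional (login, basket), otherwise review purpose"
FIRST_PARTY_PERSISTENT = "first-party persistent: within remit (harmless or medium risk), review purpose"
THIRD_PARTY_PERSISTENT = "third-party persistent: high compliance risk, consent required"
THIRD_PARTY_SESSION = "third-party session: within remit, review purpose"
REMOVAL = "removal instruction (Max-Age<=0): nothing is stored"


@dataclass
class CookieRecord:
    name: str
    set_by_host: str   # host whose response carried the Set-Cookie header
    domain: str        # effective cookie domain (Domain attribute, else the setting host)
    first_party: bool
    persistent: bool
    category: str


def registrable_domain(host: str) -> str:
    """Assumption: the last two labels form the registrable domain.
    Real audits should consult the Public Suffix List (co.uk and friends)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into the cookie name and its lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def classify(site_host: str, set_by_host: str, header: str) -> CookieRecord:
    name, attrs = parse_set_cookie(header)
    domain = attrs.get("domain") or set_by_host
    first_party = registrable_domain(domain) == registrable_domain(site_host)

    # A cookie is persistent only if the server gave it a lifetime. Max-Age takes
    # precedence over Expires; Max-Age<=0 tells the browser to delete the cookie.
    persistent = "expires" in attrs
    removal = False
    if "max-age" in attrs:
        try:
            seconds: int | None = int(attrs["max-age"])
        except ValueError:
            seconds = None  # an unparsable Max-Age is ignored, so Expires still decides
        if seconds is not None:
            persistent = seconds > 0
            removal = seconds <= 0

    if removal:
        category = REMOVAL
    elif first_party:
        category = FIRST_PARTY_PERSISTENT if persistent else FIRST_PARTY_SESSION
    else:
        category = THIRD_PARTY_PERSISTENT if persistent else THIRD_PARTY_SESSION
    return CookieRecord(name, set_by_host, domain, first_party, persistent, category)


def audit(site_host: str, observed: list[tuple[str, str]]) -> list[CookieRecord]:
    return [classify(site_host, host, header) for host, header in observed]


def consent_review_list(records: list[CookieRecord]) -> list[str]:
    """Cookies within the law's remit, i.e. those needing a purpose review or consent."""
    return [r.name for r in records if r.category not in (FIRST_PARTY_SESSION, REMOVAL)]


# Constructed sample: (host whose response set the cookie, Set-Cookie header value).
SITE = "www.example-shop.test"
OBSERVED = [
    ("www.example-shop.test", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example-shop.test", "font_size=large; Max-Age=31536000; Path=/"),
    ("www.example-shop.test", "_ga=GA1.2.1; Domain=.example-shop.test; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    ("ads.tracker.test", "uid=xyz; Domain=.tracker.test; Max-Age=63072000; SameSite=None; Secure"),
    ("maps.embed.test", "pref=1; Path=/"),
    ("www.example-shop.test", "old=1; Max-Age=0"),
]

if __name__ == "__main__":
    records = audit(SITE, OBSERVED)
    for rec in records:
        party = "1st" if rec.first_party else "3rd"
        life = "persistent" if rec.persistent else "session"
        print(f"{rec.name:10} {party} {life:10} {rec.domain:22} {rec.category}")
    print("needs review/consent:", consent_review_list(records))
```

The output is only the technical half of the audit: a first-party session cookie is a candidate for the essential category, but whether it is actually essential (a login or basket cookie) or merely harmless (an accessibility preference held for the session) still has to be decided from its purpose, which is why the script reports a review list rather than a final verdict.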
It is important for every business to become compliant with The Cookie Law. So if you need to carry out a cookie audit but you’re not really sure where to start, contact us for help and advice.