March 15th, 2012.
The new directive is a piece of European Union legislation that has now been adopted in the UK. The government has updated the Privacy and Electronic Communications Regulations, which means the EU directive is now UK law.
This law requires all website owners to obtain consent from their visitors before storing or retrieving any information on the visitors' devices, including computers, tablets and mobile phones.
When Does The Law Come Into Force?
The amended Regulations came into force on 26th May 2011, but the ICO allowed a one-year grace period for sites to become compliant. That period ends on 26th May 2012.
What Are Cookies?
Cookies are small files that a website stores on your computer or device and can read back on a later visit. They may hold information such as personalisation options, search history, purchase history, log-in information and browsing history.
Does My Site Use Them?
How Can I Comply?
In order to comply with the legislation your website must obtain informed consent from visitors before storing information on their devices. An exemption has been made for cookies that are strictly necessary to provide a service the visitor has asked for. Advertising, analytics and personalisation cookies are not exempt, however.
Key points set out in the amended cookies advice include:
- More detail on what is meant by consent. The advice says ‘consent must involve some form of communication where an individual knowingly indicates their acceptance.’
- The guidance explains that cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules.
- However, cookies used for most other purposes including analytical, first and third party advertising, and ones that recognise when a user has returned to a website, will need to comply with the new rules.
- Achieving compliance in relation to third party cookies is one of the most challenging areas. The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers.
- The ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.
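The consent requirement described above, together with the definition of cookies given earlier, as an added example in JavaScript (not code from the original post): a small consent gate that sets strictly necessary cookies at once, refuses analytics and advertising cookies until the visitor accepts, records the choice, holds back loaders such as an analytics tag until consent exists, and deletes the non-essential cookies again if consent is withdrawn. The cookie name `cookie_consent`, the category labels and the in-memory cookie jar are assumptions for illustration; in a browser you would pass `document` instead of the jar.

```javascript
// Added example (not code from the original post): a consent gate that refuses
// to set non-essential cookies until the visitor agrees, records the choice and
// runs deferred loaders (such as an analytics tag) only afterwards. The name
// "cookie_consent" and the category labels are assumptions for illustration.
// The cookie store is injected: pass `document` in a browser, or the in-memory
// jar below to run offline in Node.

const EXEMPT_CATEGORY = "necessary";     // basket, login session, CSRF token, ...
const CONSENT_COOKIE = "cookie_consent"; // assumed name for the stored choice

// Minimal stand-in for document.cookie: reads back "a=1; b=2", honours Max-Age=0.
function memoryCookieJar() {
  const jar = new Map();
  return {
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const eq = pair.indexOf("=");
      if (attrs.some((a) => /^max-age=0$/i.test(a))) jar.delete(pair.slice(0, eq));
      else jar.set(pair.slice(0, eq), pair.slice(eq + 1));
    },
  };
}

// Parse a cookie header string into { name: value }.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    out[decodeURIComponent(name)] = eq === -1 ? "" : decodeURIComponent(trimmed.slice(eq + 1));
  }
  return out;
}

function createConsentManager(doc) {
  const registry = new Map(); // cookie name -> category, so withdraw() can clean up
  const deferred = [];        // { category, fn } waiting for consent
  const granted = () => {
    const raw = parseCookies(doc.cookie)[CONSENT_COOKIE];
    return new Set(raw ? raw.split(",").filter(Boolean) : []);
  };
  const rawSet = (name, value, attrs) => {
    doc.cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; ${attrs}`;
  };

  function hasConsent(category) {
    return category === EXEMPT_CATEGORY || granted().has(category);
  }
  // Set a cookie only if its category is exempt or consented; returns whether it was set.
  function setCookie(name, value, category, attrs = "Path=/; SameSite=Lax") {
    registry.set(name, category);
    if (!hasConsent(category)) return false;
    rawSet(name, value, attrs);
    return true;
  }
  // Run fn now if the category is allowed, otherwise hold it until grant().
  function onConsent(category, fn) {
    if (hasConsent(category)) fn();
    else deferred.push({ category, fn });
  }
  // Record the choice (the record itself counts as necessary) and release loaders.
  function grant(categories) {
    const allowed = new Set([...granted(), ...categories]);
    rawSet(CONSENT_COOKIE, [...allowed].join(","), "Path=/; Max-Age=31536000; SameSite=Lax");
    for (let i = deferred.length - 1; i >= 0; i--) {
      if (allowed.has(deferred[i].category)) deferred.splice(i, 1)[0].fn();
    }
  }
  // Forget the choice and delete every non-essential cookie set through this gate.
  function withdraw() {
    for (const [name, category] of registry) {
      if (category !== EXEMPT_CATEGORY) rawSet(name, "", "Path=/; Max-Age=0");
    }
    rawSet(CONSENT_COOKIE, "", "Path=/; Max-Age=0");
  }
  return { hasConsent, setCookie, onConsent, grant, withdraw, cookies: () => parseCookies(doc.cookie) };
}

// Simulate one visit offline and return what happened at each step.
function demo() {
  const cm = createConsentManager(memoryCookieJar());
  const log = [];
  cm.setCookie("basket", "item42", "necessary");           // exempt: set at once
  log.push(cm.setCookie("_ga", "GA1.2.123", "analytics")); // refused: no consent yet
  cm.onConsent("analytics", () => log.push("analytics loaded"));
  log.push(Object.keys(cm.cookies()).sort());
  cm.grant(["analytics"]);                                 // visitor accepts analytics
  log.push(cm.setCookie("_ga", "GA1.2.123", "analytics"));
  log.push(Object.keys(cm.cookies()).sort());
  cm.withdraw();
  log.push(Object.keys(cm.cookies()).sort());
  return log;
}
```

The order of operations in `demo()` is the point: the basket cookie is set immediately under the strictly-necessary exemption, while the analytics cookie and the deferred analytics loader are held back until `grant()` is called, and `withdraw()` removes only the non-essential cookies. Whether a particular cookie really is strictly necessary is a judgement the guidance leaves to the site owner, so the category passed to `setCookie()` is where that risk assessment is encoded.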
The Cookie Law And Google Analytics
Unfortunately there is no official statement from Google as yet.
In the past the EU's Privacy and Electronic Communications Directive was largely interpreted as relating to e-mail and electronic marketing data. The amended directive builds on this, which is no surprise given the huge growth of supply-side platforms (SSPs), demand-side platforms (DSPs), retargeting, tracking, ad optimisation, real-time bidding and personalisation.
“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.”
“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.” – ICO guidance
How Will Compliance Affect My Site?
There are some probable negative effects of complying with the new law.
- You may see increased bounce rates from adding consent notices to pages; most of your visitors probably won't even know what a cookie is.
- You will lose valuable analytics data
- Website personalisation will be affected
- Other marketing areas such as email marketing and the use of advertising networks will be affected
What Will Happen If I Fail To Comply?
There is a maximum £500,000 fine for a serious breach of the law that is likely to cause “substantial damage or substantial distress”. It is worth noting that there is a clear distinction to be made between first party cookies set by your own site and third party cookies, which are often used to track behaviour across multiple websites.
“There will not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant but trying to get there”. – ICO Blog
Ultimately, the steps you take towards full compliance have to be your own decision, made after reading all of the facts and carrying out a reasonable risk assessment.