EU Cookie Law

The UK is enforcing the website cookie law from 26th May 2012.

Fines of up to £500,000 for non-compliance.

In line with recent changes in European legislation, UK law now requires website operators to ask for a website user's permission when placing certain kinds of cookie on their devices for the first time. Where consent is required, the law states that it should be "informed consent". This increases the onus on websites to ensure that visitors understand what cookies are and why website operators and others want to use them. 

The Information Commissioner’s Office (ICO) has published detailed guidance on the law and a number of other organisations have published information about the use of cookies by businesses: see the Further Reading section at the end of this guide. The ICO's guidance contains useful information on the practical implications of the new law and how to comply with it, including recommendations for a cookie audit as the first step in a compliance strategy. 

What is a cookie?

Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user's device. You can find more information about cookies at: www.allaboutcookies.org and www.youronlinechoices.eu

Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improve the user experience. They can also help to ensure that adverts you see online are more relevant to you and your interests.

Guidance for website operators

The law applies to cookies and also to similar technologies for storing or retrieving information such as local shared objects (often referred to as "flash cookies"), web beacons or web bugs (including transparent or clear gifs).

It is up to website operators that use these technologies to develop their own statements and consent methodologies. The principles and the wording in the guide may be adapted for this purpose. Website operators will need to discuss with relevant parties e.g. their advertising networks what technologies they are using and how consent from website users may be captured so that the website operators can produce appropriate consent wording in respect of these technologies. 

Cookie Categories

Category 1: strictly necessary cookies

These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for, like shopping baskets or e-billing, cannot be provided. 


Examples include:

  • Remembering previous actions (e.g. entered text) when navigating back to a page in the same session.

  • Managing and passing security tokens to different services within a website to identify the visitor’s status (e.g. logged in or not)

  • To maintain tokens for the implementation of secure areas of the website

  • To route customers to specific versions/applications of a service, such as might be used during a technical migration 

 

Category 2: performance cookies 

These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don't collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works. 

Examples include:

  • Web analytics — where the data collected is limited to the website operator’s use only, for managing the performance and design of the site. These cookies can be third-party cookies but the information must be for the exclusive use of the publisher of the website visited.
  • Ad response rates — where the data is used exclusively for calculating response rates (click-through rates) to improve the effectiveness of advertising purchased on a site external to the destination website. If the same cookie is used to retarget adverts on a third-party site this would fall outside the performance category (see Category 4)
  • Affiliate tracking — where the cookie is used to let affiliates know that a visitor to a site visited a partner site some time later and if that visit resulted in the use or purchase of a product or service, including details of the product and service purchased. Affiliate tracking cookies allow the affiliate to improve the effectiveness of their site. If the same cookie is used to retarget adverts this would fall outside the performance category (see Category 4)
  • Error management — Measuring errors presented on a website, typically this will be to support service improvement or complaint management and will generally be closely linked with web analytics.
  • Testing designs — Testing variations of design, typically using A/B or multivariate testing, to ensure a consistent look and feel is maintained for the user of the site in the current and subsequent sessions. 

 

Category 3: functionality cookies 

These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance, a website may be able to provide you with local weather reports or traffic news by storing in a cookie the region in which you are currently located. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. The information these cookies collect cannot track your browsing activity on other websites. 

Examples include:

  • Remembering settings a user has applied to a website such as layout, font size, preferences, colours etc.

  • Remembering a choice such as not to be asked again to fill in a questionnaire.

  • Detecting if a service has already been offered, such as offering a tutorial on future visits to the website.

  • Providing information to allow an optional service to function such as offering a live chat session.

  • Fulfilling a request by the user such as submitting a comment. 

 

Category 4: targeting cookies or advertising cookies 

These cookies are used to deliver adverts more relevant to you and your interests They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation. 

 Examples include:

  • Cookies placed by advertising networks to collect browsing habits in order to target relevant adverts to the user. The site the user is visiting need not actually be serving adverts, but often this will also be the case. 
  • Cookies placed by advertising networks in conjunction with a service implemented by the website to increase functionality, such as commenting on a blog, adding a site to the user’s social network, providing maps or counters of visitors to a site. 

 

ICO guidance

For more background on the new law, the ICO has published guidance on the new rules for using cookies which can be found at:
https://ico.org.uk/media/for-organisations/documents/1545/cookies_guidance.pdf
 

Getting consent in practice

Which method will be appropriate to get consent for cookies will depend in the first instance on what the cookies you use are doing and to some extent on the relationship you have with users.

When considering how to provide information about cookies and how to obtain consent it may be helpful to look at the methods most websites already use to draw users’ attention to information or choices they want to highlight.

Many websites make use of different techniques to highlight things they want users to see, such as promotions, special offers, or customer satisfaction surveys. Websites also commonly obtain agreement or consent from individuals in other contexts, such as verification of minimum age requirements, changes in terms and conditions and to double check whether customers definitely want to proceed with a purchase. Providing users with information and obtaining their agreement is not a new feature of the internet. The approach you take for cookies can build on these existing mechanisms. 

Pop ups and similar techniques

Pop-ups or similar techniques such as message bars or header bars might initially seem an easy option to achieve compliance – you are asking someone directly if they agree to you putting something on their computer and if they click yes, you have their consent - but it’s also one which might well spoil the experience of using a website if not implemented carefully.

However, you might still consider gaining consent in this way if you think it will make the position absolutely clear for you and your users. Many websites routinely and regularly use pop ups or ‘splash pages’ to make users aware of changes to the site or to ask for user feedback. Similar techniques could, if designed well enough, be a useful way of highlighting the use of cookies and obtaining consent. 

Using this technique you could ensure you are compliant by not switching on any cookies unless the person clicks I agree. Some users might not click on either of the options available and go straight through to another part of the site. If they do, you might decide that you could set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site. This is an option that relies on the user being aware that the consequence of using the site is the setting of cookies. If you choose this option you might want the reassurance of a notice appearing elsewhere on the site which reminds users that you are setting cookies. 

Terms and conditions

It is not uncommon for consent to be gained online using the terms of use or terms and conditions to which the user agrees when they register or sign up. Where users open an online account or sign in to use the services you offer, they will be giving their consent to allow you to operate the account and offer the service. There is no reason why consent for the cookies cannot be gained in the same way.

However, it is important to note that changing the terms of use alone to include consent for cookies would not be good enough even if the user had previously consented to the overarching terms. Consent has to be specific and informed. To satisfy the rules on cookies, you have to make users aware of the changes and specifically that the changes refer to your use of cookies. You then need to gain a positive indication that users understand and agree to the changes. This is most commonly obtained by asking the user to tick a box to indicate that they consent to the new terms.

The key point is that you should be upfront with your users about how your website operates. You must gain consent by giving the user specific information about what they are agreeing to and providing them with a way to show their acceptance. Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant. 

 

Information taken from:

guidance_on_the_new_cookies_regulations.pdf - Version 2 (13 December 2011) ICO
icc_uk_cookie_guide.pdf - April 2012 ICC

 

 

Copyright © 2005 - 2017 x3 Internet Solutions LLP.