The EU website directive that became law in May 2011 is being enforced from 26th May this year by the UK following 12 months grace. This new law requires ALL website owners to inform visitors of their ‘cookie’ use and what choices visitors have before they enter the website. Failure to comply with the new law could incur a fine of up to £500,000.
The ICO provided detailed guidance for website owners in December 2011, which is available from their website.
So, what exactly are cookies?
Cookies are small (often encrypted) text files that usually include a unique identifier. They are downloaded onto a computer or web browsing device by the majority of websites when visited. Cookies have two primary functions: to improve the website experience for the user and to provide analytical data about website use for the website owner. Cookies are not programmes and cannot harm your web browsing device (computer, tablet, smartphone, game console etc.).
Typically, cookies are divided into session cookies and persistent cookies. Session cookies ‘self-destruct’ once your web browsing activity is concluded. They are primarily used as short-term memory files so, for example, when you add things to a website shopping cart and then go browsing elsewhere the cookie is used to remember what’s in your cart. New session cookies are downloaded to your browsing device when you go online and then get deleted when you go offline.
Persistent cookies stay around longer, sometimes for years, and are used to remember your specific website preferences and settings. So, for example, when you visit Amazon after the first time, its web server checks your browsing device for a persistent cookie; if one is there, it logs you on and provides recommendations etc. based on the information associated with that persistent cookie.
Analytics software like Google Analytics use persistent cookies to allow website owners to measure the number of new and returning visitors to a website, their location, the pages they look at, the amount of time spent on each page and much, much more.
There are other names for these cookies (HTTP cookies, transient cookies, permanent cookies) and other cookie variants such as supercookies and Flash cookies.
Persistent cookies are also known as tracking cookies (although session cookies can be used for tracking too) and tracking is where the major privacy concerns are, which has been the main contributory factor in the change to the law.
Why the cookie law has changed
Over recent years tracking cookie use has become very sophisticated and is especially noticeable in behavioural advertising. This is primarily done through the use of third party cookies. It works when a website lets an advertiser place ads on their pages. When you click on one of these ads, a third party cookie is downloaded by the advertiser to your browsing device. This third party cookie can then be tracked across every new site you visit that’s connected to the advertiser – allowing the advertiser to learn your browsing habits and build up a profile of you – known as behavioural tracking. Then the advertiser can target specific ads at you that match your interests gleaned from your browsing history. Although these cookies are not internet security risks, there are obvious privacy concerns.
Most websites just use first party cookies, for two reasons: to create a better browsing experience and to provide the website owner with analytics on how their site is used. The interesting point here is that most websites use a third party provider for their analytics (frequently Google), but because the analytics cookies, specifically Google’s, are specific to the website they are classed as first party cookies.
First party cookies, as described above, should not fall foul of the new law. It’s the intrusive nature of many third party cookies that is the driver for this law. But, just the same, you need to comply to be safe.
The rules in this area are essentially designed to protect the privacy of internet users – even where the information being collected about them is not directly personally identifiable. The changes to the Directive in 2009 were prompted in part by concerns about online tracking of individuals and the use of spyware. These are not rules designed to restrict the use of particular technologies as such, they are intended to prevent information being stored on people’s computers, and used to recognise them via the device they are using, without their knowledge and agreement.
So, how do you approach this new law and what should you do to comply?
How to tackle the new cookie law
The few first party cookies found on most smaller B2B websites (excluding analytics) are usually ‘non-intrusive’ and part of the site’s core functionality or its content management system, so they may be classed as ‘essential’ and therefore fall outside the remit of the new law and the opt-in process. The big issue for most B2B organisations is going to be analytics and measuring website traffic.
So what are the options?
Firstly, you can do nothing. This looks likely to be the default setting for a large number of small B2B website operators – due to ignorance of the law or the belief that nothing will happen. They could well be right on the second point but, just the same, the law is being broken.
If you want to take more practical steps, you need to instigate a full cookie audit before anything else. Depending upon the size of the website, this could be a big project and may require hours of specialist assistance (specifically in defining what each cookie does and its intrusiveness) or it could just take a quick half hour and a little bit of ‘googling’.
The information you need to find for each cookie on your website:
- The cookie name
- The source domain (identifies first or third party cookie)
- The expiry date (identifies session or persistent cookie)
- Description of cookie purpose (identifies importance to website functionality and its level of ‘intrusiveness’)
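As an added example (not code from the original article), a small Python script that builds the audit record above from captured Set-Cookie headers: it reads the cookie name, classifies first or third party from the source domain, and classifies session or persistent from the expiry. The site name, hosts and cookie values are constructed; the purpose column still has to be filled in by hand.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Enforcement date from the article, used as a fixed "now" so results are reproducible.
AUDIT_DATE = datetime(2012, 5, 26, tzinfo=timezone.utc)

@dataclass
class CookieRecord:
    name: str
    domain: str    # domain the cookie is scoped to (source domain)
    party: str     # "first" or "third", relative to the audited site
    lifetime: str  # "session" or "persistent"
    expires: str   # ISO 8601 expiry for persistent cookies, "" for session

def audit_set_cookie(header, site_domain, response_host, now=AUDIT_DATE):
    """Turn one Set-Cookie header into an audit record for the site being audited."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # A Domain attribute wins; otherwise the cookie is host-only on the responding host.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    site = site_domain.lower()
    party = "first" if domain == site or domain.endswith("." + site) else "third"
    # RFC 6265: Max-Age takes precedence over Expires; neither means a session cookie.
    if "max-age" in attrs:
        expiry = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expiry = parsedate_to_datetime(attrs["expires"])
    else:
        return CookieRecord(name, domain, party, "session", "")
    return CookieRecord(name, domain, party, "persistent", expiry.isoformat())

# Constructed sample: (responding host, Set-Cookie header) pairs as a crawl of example.co.uk might capture.
SAMPLE_HEADERS = [
    ("www.example.co.uk", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("www.example.co.uk", "_ga=GA1.2.1; Domain=.example.co.uk; Expires=Sun, 25 May 2014 10:00:00 GMT; Path=/"),
    ("ads.tracker-example.net", "uid=xyz; Domain=.tracker-example.net; Max-Age=31536000; Path=/"),
]

def audit_site(headers, site_domain, now=AUDIT_DATE):
    # One record per captured header; add the purpose/intrusiveness column manually afterwards.
    return [audit_set_cookie(h, site_domain, host, now) for host, h in headers]

if __name__ == "__main__":
    for rec in audit_site(SAMPLE_HEADERS, "example.co.uk"):
        print(f"{rec.name:10} {rec.domain:22} {rec.party}-party {rec.lifetime:10} {rec.expires}")
```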
There’s no effective solution to gaining opt-ins
The issue (as the ICO have found) is that most people just ignore the opt-in feature and browse anyway. This is no big deal if you’re a ‘normal’ business that’s not reliant on third party advertising, apart from the fact that the analytics now don’t work.
According to the ICO, their recorded visitors dropped by around 90% when they adopted the opt-in feature. Obviously that is not a real drop in visitors; it just shows that only 10% of visitors ‘opted in’, and probably fewer given the increased interest in the cookie law during this period.
There is little else you can do at present (especially in finding an effective opt-in approach) until this ill-conceived law gets reviewed and the focus is placed only on advertising tracking cookies.
There are non-cookie based analytic tools available but the two leading products we tested did not compare favourably with Google Analytics, so we’re a bit reluctant to recommend any alternatives at present, but hopefully these will improve.
Unfortunately not a great ending for now, but if you want to discuss making your website compliant call our BBI team on 01494 452600 or contact them via the BBI website. Or you could watch the BBI video on the new cookie law first.