In Praise of the EU's "Cookie Law"

A new law has come into force in the UK that requires many website owners to change how their websites work.

It has been nicknamed the cookie law, but it is better described as online privacy legislation.

The law started life as a 2009 amendment to the EU e-Privacy Directive. Member states were meant to write it into national law by 25 May 2011, although many countries missed the deadline.

One country that did pass a local law on time was the UK. The legislation came into force on 26 May 2011, although everyone was given a grace period of one year in which to upgrade their websites to comply with the legislation.

The deadline for compliance thus passed on 26 May 2012.

The law requires that all websites, and also apps and other types of electronic service, obtain "informed consent" from people before storing information on their device, or reading information already stored there, in order to gather data about them or their behaviour.

It is our use of cookies on websites that is most affected by this new legal requirement.

What are cookies?

Whenever you request a web page via a browser, it's not just the web page that gets sent to your computer. The server also sends HTTP response headers: additional information that is invisible to the reader but which gives the web browser useful data and instructions.

For example, the Content-Type header tells the browser the format and character encoding of the requested web page, so that the browser can display the page correctly.

This invisible data comes in many forms. One of them is the Set-Cookie header, which delivers a cookie.

Cookies are a simple means of getting a web browser to remember a small amount of data, typically a single name=value pair, on behalf of a website.

The browser keeps cookies in its own store on your computer or device (older browsers used plain text files; current ones use a small database). On every later request to the website that set a cookie, the browser sends the cookie back; it will not send it to other sites. A session cookie is discarded when you close the browser, while a persistent cookie is kept until its expiry date. Thus, cookies help websites remember things about you from one web page to the next.

For example, cookies can remember whether or not you are signed in to a website. And they can remember what items you have placed in your shopping cart.

Without cookies, membership systems, e-commerce and many other things would not be possible.

These are legitimate uses for cookies. The new privacy legislation does not impact on the use of cookies in the provision of essential web functionality such as this.

But cookies can also be used to track the activities of individual people on the web.

For example, they can be used to record which web pages you visited and when. This information can be used to generate usage analytics, or to show advertisements that are better targeted to each user's interests (based on past browsing).

It is these uses of cookies that are affected by the new privacy legislation.

Cookies are the most common technology used on the web for tracking the online activities of individual people. There are many other technologies that can do the same thing, such as tracking pixels, browser local storage and browser fingerprinting. Whatever technology we use to gather and store information about people, the new online privacy legislation applies.

So it's not just about cookies. It's about how we build websites and software applications in general.

What are the legislative changes?

In a nutshell, you must now get "informed consent" from people before you can gather and store any personally-identifiable information about them, by whatever means.

For example, most websites gather usage data, known as web analytics. This helps website owners to improve their websites. If we better know our audience, we can better tailor our websites to those people.

It is still perfectly acceptable to generate analytics data. But it is now law that we must gather usage statistics in a way that the raw data can never be traced back to individual people.

To put it another way, if you want to track the activities of individual people who browse your website, you must get prior informed consent from those people before you do so.

What does "informed consent" mean?

Well, it means that it is no longer enough to just include some information hidden away deep in a privacy policy page. Visitors to your website must be made aware of any cookies or similar tracking technologies embedded in your web pages that are used to record their personal online activities. And visitors must provide their consent before such tracking is switched on.

But what about generating anonymised usage data, and storing it in an aggregated format? Well, that's fine. You can do that, and you can use cookies to help you. You don't have to get consent from individual visitors beforehand, because you're not generating data that can tell you anything about their personal activities while they are visiting your website.

What do you recommend?

There are different ways to comply with the new law. The solutions vary depending on the nature of the information that you gather about your web users, and what you do with that information.

The first step is to do a privacy audit: document and review all of the information that your website automatically gathers about individual users.

You should check that you gather only the basic information that you need to deliver your web services. Excessive collection of personal information needs to be curtailed.

The second step is to update your privacy policy. This policy should contain detailed information about what data your website gathers, how the data is retrieved, for how long the data is stored, and for what purposes the data is used.

In the case of cookies specifically, we recommend providing a simple table on your website's privacy policy page that lists each cookie by name, alongside a description and expiry time for each. Third party cookies (e.g. from Google Analytics) should be listed also.

You should also check the policy of the web analytics service that you are using to generate usage statistics about your website. Does it store the full IP addresses of individual users? (Encryption does not help here if the service itself holds the key; what matters is whether full addresses are kept at all.) What other personally-identifiable information is gathered by your web analytics service?
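The privacy audit and the cookie table above can be produced from the Set-Cookie headers that a crawl of your own site records (page responses plus every embedded third-party resource). The script below is an added example, not part of the original post: it parses each header, works out the expiry and whether the cookie was set by a third-party host, and renders the table for the privacy policy page. The site name example.invalid, the host names and the cookie values are constructed for illustration; the purpose column is left for you to write.

```javascript
// Added example (not from the original post): build the cookie inventory from
// recorded Set-Cookie headers. Each record is the responding host plus one header.
// Hosts, cookie names and values below are constructed, not captured from a real site.

const FIRST_PARTY_DOMAIN = "example.invalid"; // assumed site being audited

const SAMPLE_RESPONSES = [
  { host: "www.example.invalid",
    header: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "www.example.invalid",
    header: "cart=3items; Path=/; Max-Age=604800" },
  { host: "www.example.invalid",
    header: "_ga=GA1.2.123.456; Domain=.example.invalid; Expires=Sat, 25 May 2013 00:00:00 GMT; Path=/" },
  { host: "ads.tracker.invalid",
    header: "uid=xyz; Domain=.tracker.invalid; Expires=Mon, 26 May 2014 00:00:00 GMT; Path=/" },
];

// Reference time for lifetime calculations, fixed so the output is reproducible.
const AUDIT_DATE = new Date("2012-05-26T00:00:00Z");

// Split "name=value; Attr=v; Flag" into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? "" : pair.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days, or "session" when neither Max-Age nor Expires is present.
// Max-Age wins over Expires, as RFC 6265 specifies.
function lifetimeDays(attributes, now) {
  if (attributes["max-age"] !== undefined) {
    return Math.round(Number(attributes["max-age"]) / 86400);
  }
  if (attributes["expires"] !== undefined) {
    const expires = Date.parse(attributes["expires"]);
    if (Number.isNaN(expires)) return "unknown";
    return Math.round((expires - now.getTime()) / 86400000);
  }
  return "session";
}

// Third party = set by a host outside the site's own domain. A real audit would
// consult the public suffix list; suffix matching is enough for this example.
function isThirdParty(host, firstPartyDomain) {
  return !(host === firstPartyDomain || host.endsWith("." + firstPartyDomain));
}

function inventory(responses, firstPartyDomain, now) {
  return responses.map(({ host, header }) => {
    const c = parseSetCookie(header);
    return {
      name: c.name,
      setBy: host,
      thirdParty: isThirdParty(host, firstPartyDomain),
      lifetime: lifetimeDays(c.attributes, now),
      secure: c.attributes.secure === true,
      httpOnly: c.attributes.httponly === true,
    };
  });
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"]/g, (ch) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[ch]));
}

// Render the inventory as the HTML table for the privacy policy page.
// Descriptions have to be written by hand, so the purpose column is left empty.
function renderHtmlTable(rows) {
  const cell = (v) => `<td>${escapeHtml(v)}</td>`;
  const body = rows.map((r) =>
    `<tr>${cell(r.name)}${cell(r.thirdParty ? "third party (" + r.setBy + ")" : "first party")}` +
    `${cell(r.lifetime === "session" ? "session" : r.lifetime + " days")}<td></td></tr>`).join("\n");
  return `<table>\n<tr><th>Cookie</th><th>Set by</th><th>Expiry</th><th>Purpose</th></tr>\n${body}\n</table>`;
}

const AUDIT = inventory(SAMPLE_RESPONSES, FIRST_PARTY_DOMAIN, AUDIT_DATE);
console.log(renderHtmlTable(AUDIT));
```

Run it with Node and paste the table into your policy page. The Secure and HttpOnly flags are kept in the inventory rows even though they are not shown in the table: a session cookie without them is a security finding the audit should also raise.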

If your website does not gather any personally-identifiable information about individual visitors without their express prior permission, then you need take no further action. You are already compliant with the law.

Incidentally, registration and contact forms are perfectly legal since users manually and knowingly provide their personal information when filling out such forms. But your privacy policy should still make clear what you will do with user-submitted data.

Further action

If your website in any way tracks the activities of individual users, or attempts to quietly gather any kind of information about them, then you may need to take further action to comply with the cookie law.

Even if it is third party systems such as Google Analytics or advertising platforms that are embedded in your web pages and are the ones doing the data gathering, it is still for you to comply with the law, not the third party.

You have three options.

1. Show a "splash" message

A very quick and simple solution is to display a prominent message at the top of the page when someone first arrives on your website.

The message should inform the visitor that their activities on your website will be monitored by you (or by third parties). The message should also state that by continuing to use your website the visitor gives their consent for you to monitor their activities.

The message should be worded something like this: "This website will monitor your activities to provide you with a better experience. If you do not agree, please exit this website."

This solution is used by the BBC and many other popular sites.

Cookie notice on the BBC website

2. Provide opt-in functionality

In some cases, implied consent may not be enough. You may need your users to give explicit consent before you start to automatically collect certain information about them.

So the second option is to have automatic collection of personal data disabled by default, but to give your users the means to turn it back on.

In this scenario, if a user decides not to opt in, they can still browse your web pages, but without their activities being tracked.

This solution is highly recommended if you gather any kind of very sensitive personal information without it being explicitly provided by the user: contact details, physical location, health status, that sort of thing.

This solution is robust but expensive, as it often requires considerable rebuilding of a website's core architecture for it to work.
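Whichever of the two options you pick, the mechanism underneath is the same: the page must not load its analytics or advertising scripts until a consent check says it may. The gate below is an added example, not code from the original post or from any site it mentions. Its "implied" mode models option 1 (show the notice, load nothing on the first page, treat continued browsing as consent) and its "explicit" mode models option 2 (nothing loads until the visitor opts in). The cookie name cookie_consent, the state names and the loadTracking and showBanner callbacks are this example's own assumptions.

```javascript
// Added example (not from the original post): a consent gate for tracking scripts.
// Decision logic is pure so it can be tested without a browser; the DOM glue at
// the end only runs where a document object exists.

const CONSENT_COOKIE = "cookie_consent"; // assumed first-party cookie name
const CONSENT_DAYS = 365;

// Read the stored consent state from a document.cookie style string.
function consentStateFromCookie(cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) {
      const value = rest.join("=");
      return ["notified", "granted", "denied"].includes(value) ? value : "unknown";
    }
  }
  return "unknown";
}

// The decision table. nextState is what to record before the page continues;
// null means leave the stored state alone.
function decide(mode, state) {
  if (state === "denied") return { allow: false, showBanner: false, nextState: null };
  if (state === "granted") return { allow: true, showBanner: false, nextState: null };
  if (mode === "implied") {
    // First visit: show the notice, load nothing, remember that the notice was shown.
    if (state === "unknown") return { allow: false, showBanner: true, nextState: "notified" };
    // The visitor kept browsing after the notice: that is the consent the notice described.
    return { allow: true, showBanner: false, nextState: "granted" };
  }
  if (mode === "explicit") {
    // Opt-in: only an explicit "granted" ever turns tracking on.
    return { allow: false, showBanner: true, nextState: null };
  }
  throw new Error("unknown consent mode: " + mode);
}

// The consent cookie is first-party and functional, so it needs no consent itself.
function consentCookieString(state) {
  return `${CONSENT_COOKIE}=${state}; Max-Age=${CONSENT_DAYS * 86400}; Path=/; Secure; SameSite=Lax`;
}

// One page load: the decision plus the cookie to write, if any.
function pageLoad(mode, cookieString) {
  const d = decide(mode, consentStateFromCookie(cookieString));
  return { ...d, setCookie: d.nextState ? consentCookieString(d.nextState) : null };
}

// Browser glue. loadTracking is whatever inserts the analytics or advertising
// script tags; it is deliberately not called until the gate says so. showBanner
// receives a callback to invoke with true (accept) or false (decline).
function applyInBrowser(mode, loadTracking, showBanner) {
  if (typeof document === "undefined") return null;
  const result = pageLoad(mode, document.cookie);
  if (result.setCookie) document.cookie = result.setCookie;
  if (result.showBanner) {
    showBanner((granted) => {
      document.cookie = consentCookieString(granted ? "granted" : "denied");
      if (granted) loadTracking();
    });
  }
  if (result.allow) loadTracking();
  return result;
}

// Walk an implied-mode visitor through two page loads without a DOM.
function simulateImpliedVisitor() {
  let jar = "";
  const trace = [];
  for (let i = 0; i < 2; i++) {
    const r = pageLoad("implied", jar);
    trace.push(r.allow);
    if (r.setCookie) jar = r.setCookie.split(";")[0]; // the browser keeps only name=value
  }
  return trace; // [false, true]: nothing loads on the first page, tracking on the second
}
```

The point of keeping the logic in decide is that the site can move from option 1 to option 2 by changing one argument, and the same stored "denied" state is honoured in both modes. Note that under "implied" the first page view is itself untracked: you cannot claim consent for a page the visitor had not yet seen the notice on.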

3. Remove non-compliant functionality

Finally, rather than trying to make your website's existing functionality comply with the new legislation, you may choose to simply remove any functionality that potentially compromises your users' online privacy.

If your web analytics service stores the full IP addresses of your users, or any other kind of personally-identifiable information about them, then you should consider using a different tool to generate usage data.

If you embed YouTube videos in any of your web pages, then you should do so using YouTube's privacy-enhanced mode, which serves the player from the www.youtube-nocookie.com domain instead of www.youtube.com.
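A small helper for that, added here as an example rather than taken from the original post: it accepts the usual forms of YouTube link, extracts the video id and rewrites it to a privacy-enhanced embed, rejecting anything it does not recognise so that an unexpected URL is never passed through to the page. It relies on the built-in URL class available in browsers and Node; the sample video id is constructed.

```javascript
// Added example (not from the original post): rewrite YouTube links to
// privacy-enhanced embeds served from www.youtube-nocookie.com.

const NOCOOKIE_HOST = "www.youtube-nocookie.com";

// Extract the video id from watch, youtu.be and embed URLs; null for anything else.
function youtubeVideoId(input) {
  let url;
  try { url = new URL(input); } catch (e) { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  const host = url.hostname.replace(/^www\./, "");
  let id = null;
  if (host === "youtu.be") {
    id = url.pathname.slice(1);
  } else if (host === "youtube.com" || host === "youtube-nocookie.com") {
    if (url.pathname === "/watch") id = url.searchParams.get("v");
    else if (url.pathname.startsWith("/embed/")) id = url.pathname.slice("/embed/".length);
  }
  // Video ids are 11 characters from this alphabet; anything else is refused.
  return id && /^[A-Za-z0-9_-]{11}$/.test(id) ? id : null;
}

function privacyEnhancedEmbedUrl(input) {
  const id = youtubeVideoId(input);
  if (!id) return null;
  // Query parameters from the original link (playlists, timestamps, referral
  // tokens) are deliberately dropped rather than copied across.
  return `https://${NOCOOKIE_HOST}/embed/${id}`;
}

function privacyEnhancedIframe(input) {
  const src = privacyEnhancedEmbedUrl(input);
  if (!src) return null;
  return `<iframe src="${src}" width="560" height="315" allowfullscreen></iframe>`;
}

// Constructed sample link, not a real video.
console.log(privacyEnhancedIframe("https://www.youtube.com/watch?v=A1b2C3d4E5f&t=42"));
```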

Another thing to check is the "Like" and "Follow" widgets provided by the social networks. By embedding these in your web pages, you may be allowing the social networks themselves to track the activities of users on your website, whether or not those users have an account. A cheerfully quick solution is to just swap these plugins for plain vanilla links to your social profile pages. That way you can still be popular and on the right side of the law at the same time.

My personal preference is to gather only anonymous usage data, collected and analysed in aggregate form, such that the activities of individual users cannot be monitored. And I prefer to do this myself, using systems that I manage myself, rather than relying on any third party service such as Google Analytics. This policy is fully compliant with the cookie law and it means that I don't need to render ugly splash messages on my otherwise pristine web pages.

What if I don't comply?

If you do not comply with the new law, nothing bad is likely to happen to you any time soon.

In the foreseeable future, the Information Commissioner's Office (ICO), the independent regulator responsible for enforcing the new privacy legislation, will likely only target the big boys (Google, Facebook, etc.) for non-compliance.

And you will be issued with a notice to comply, before you are issued with a fine. The ICO has stated that they will be gentle, especially with small firms.

In the words of the ICO, it is "wilful non-compliance" that will land you in trouble.

The ICO's recommendation (and mine) is to do your best to comply with the law. If you do not fully comply yet, you should at least have a clear roadmap to compliance for the near future.

The ICO has published a very detailed (but very long) guide on cookie law compliance for webmasters and website owners.

Conclusion

The EU cookie law has been widely criticised. Actually, I don't think it's all that bad.

In 2012 the advice from the EU was updated. It made clear for the first time that anonymous data gathering is exempted from the legislative requirements.

But the legislation is still widely misunderstood. Most web publishers have just placed great big notices all over their web pages, stating that they use cookies.

That misses the point.

The purpose of the cookie law is to encourage website owners to respect the right of everyone to browse the web anonymously. That seems like a worthwhile objective.

Cookie law is about getting website owners to be more open, honest and transparent about how their web services are delivered. We should be doing that anyway, with or without the law.