The law requiring websites to gain consent before storing cookies on users computers was passed in the UK in May 2011. The law has been adopted in most other EU states but there are some major differences in how each state interprets the cookie law.
Apart from one or two lonely voices, reactions from website owners have been entirely negative. Many saw the law as an ill-conceived nonsense that failed to appreciate the technical reasons for which cookies are used. Many are holding out for a u-turn on the legislation, perhaps in the hope that a Conservative, red-tape-busting government might be averse to interference with the World Wide Web. Some plan never to comply and others hope for some kind of meta-solution from browser vendors and the major players like Google and Facebook.
But the law isn't ill-intentioned. In fact, while it poses one or two compliance headaches, we believe that it's Quite a Good Thing.
Even if we believe them, the fact is that data, once it is brought into existence, has a creepy way of getting about, being repurposed for commercial gain, or otherwise misused. Google, with its control over Adwords, Analytics, Gmail and a host of other services, has the means to track much of our activity online. Not that it chooses to exercise that power. And in theory laws exist to discourage it from doing so.
We think the new cookie law will produce a new kind of good practice for websites. The rules will help prevent such user-identifiable data getting into the hands of big corporates (and their governments). Ultimately, for the protection of individual freedoms online, this is a good thing.
What the law means for webmasters
There are a few steps to go through in order to achieve compliance with the law:
- Depending on the kind of cookies you're using on your site, you must decide on a model for managing user awareness and consent. We have identified three such models (below).
- You must make any technical changes to cookie-storing scripts in order to test for consent before a cookie is stored.
In practical terms it means you need to avoid using cookies or deploying third party software that uses them except where it is essential for the purpose making your website work. This is because as soon as explicit consent is required, users may refuse that consent. If you see a particular feature as important, you'll want to know that it will work all the time, whether or not users have consented to cookies.
Bear in mind that in the UK, the ICO is taking a relaxed approach to analytics. Their guidance is that analytics cookies are fairly unintrusive and that therefore, as long as you inform users about their use, explicit consent is not required.
A friendlier user-interface
Our aim with Cookie Control is to provide a mechanism for getting consent that minimises the impact on the user experience of your website that you've spent many hours carefully crafting. A single button press is all that we require from a user to secure their consent.
Suitable for: sites where the only cookie-setting scripts are analytics, webmasters who lack the skills to adapt their scripts to interact with Cookie Control's callbacks / functions.
Behaviour: Cookie Control pops up with a notification for users about how cookies are used on the site. It appears once only. (A cookie is set to prevent it popping up on every page.)
Implied Consent (Opt-out)
Suitable for: most sites - unless cookies are very intrusive indeed. Webmasters must adapt their cookie setting scripts to work with Cookie Control callbacks and functions.
Behaviour: By default all cookies are enabled. The old "I'm happy with this" button has been replaced with a new switch toggling between "Cookies are off" and "Cookies are on". This is more akin to the BBC's current approach. By default, we'll only pop up the UI when a user first visits a site.
An ironic side effect of this approach, which will upset purists, is that a cookie must be set if a user opts out. We do, however, warn users about this.
Explicit Consent (Opt-in)
Suitable for: the extremely risk-averse, sites with very intrusive cookies. Webmasters must adapt their cookie setting scripts to work with Cookie Control callbacks and functions.
Behaviour: By default all cookies are disabled. The UI will pop up on every page load. Users may supress the pop up without opting in - although this requires, you guessed it, a cookie. This is pretty much how Cookie Control works at the moment.
Tweaking your scripts
Examples are provided on how to adapt typical third party scripts to test for user consent before they run, and the team at CIVIC are ready to help with custom implementations.
The solution was originally rolled out in response to the needs of CIVIC's many government clients, including the Scottish Government, SQA, Skills Development Scotland and the NHS.
Cookie audits and privacy policies
Let's try it!
Please visit the support forum.