What to do about Cookies? Website Cookie Law in 2016
Ah, the infamous Cookie law. We’ve all seen those annoying pop-ups on some of the websites we visit, but to this day many people are still unclear on why they’re there, or whether we should all have them on our own websites. As a web agency, we still get asked about this every now and then, so here’s what you need to know.
It all started with a 2011 EU Directive in relation to privacy. The directive said that all web users should be given the opportunity to refuse the use of Cookies which could impact their online privacy. This directive was then enshrined in law in all EU countries – and in the UK that took the form of the Privacy and Electronic Communication Regulations (PECR), which came into force in May 2012.
What is a Cookie?
A cookie is simply a text file that is downloaded onto your computer or smartphone while you’re browsing, which stores a very small amount of information – usually to enable the browser to recognise that device. It enables the kind of functionality where a website remembers things about you – what you’ve put in your basket, or a preference you’ve set, without you having to log in everywhere all the time. Cookies are also frequently used to track website performance statistics via applications such as Google Analytics; and some (“third party cookies”) don’t enable functionality on the site you visit, but rather record information about products you’ve viewed so that similar products can be advertised to you later.
What does the law say?
The law says that you must tell people on your website if you set Cookies, explain what the Cookies are doing and why, and get the user’s consent to continue using Cookies on their device.
Opt-in or implied?
That all seems pretty straightforward, right? Well, the tricky part comes in correctly interpreting what is meant by “consent”, and whether consent needs to be explicit or implied. With explicit consent, you not only tell the visitor as soon as they arrive what Cookies you’re using and why, but you also ask them to check a box to say they’re okay with that – that is, they have to take a specific action to approve the use of Cookies. With implied consent, you provide all the information about Cookies, and go on to say that by using the website the user accepts the use of those Cookies.
When the law was originally passed, the advice was largely that explicit (opt-in) consent was required, but since then the ICO (Information Commissioner’s Office – the body responsible for enforcing the law in the UK), has updated its advice to say that implied consent is sufficient:
“Consent does not necessarily have to be explicit ‘opt-in’ consent. Implied consent can also be valid. If you are relying on implied consent, you need to be confident that your users fully understand that their actions will result in cookies being set.”
What do you need on your website to comply with Cookie law?
So now we have a judgement call to make. What do we need to do, to be “confident” that our users fully understand that we will be setting Cookies when they use our website? Do we have to wave it under their noses as soon as they arrive, or can we be content with putting some nice clear wording in an easy-to-find Cookie policy?
Well, there’s no official advice on that at the moment, which is why some websites are going with the full-on “Hey, we use Cookies and here’s why” the minute you arrive, while others aren’t. But, we can perhaps take some guidance from the ICO’s approach to enforcement, as laid out on their Action we’ve taken page. There, we’re told that in the financial year to March 2016 there were 210 complaints about Cookies. That’s compared to 161,186 complaints about nuisance calls, texts and emails. Translation: it’s not a priority.
The same page notes:
“Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. We have maintained a consumer threat level of ‘low’ in this area due to the very low levels of concerns reported by members of the public.”
So, the situation at present seems to be that – as long as you ensure that you have correctly and clearly informed visitors of what Cookies you use and why (in a place that’s not completely hidden away), you’re covered, and this is especially true if your site is not high-profile. You don’t need an annoying pop-up demanding that folks opt-in to Cookie use before they can use your site.
Template Cookie Policy
You can create your own Cookie policy wording by collating information on what Cookies your website uses, and explaining those in simple terms. However many people prefer to start with a template and two examples are given below:
Final thought: does Brexit affect Cookie law?
This sometimes gets asked because the whole Cookie shenanigans is associated in many people's minds with the EU. But the short answer is no. Although it all started with an EU Directive, PECR (which contains the wording on Cookies) is now part of UK law, so until or unless the law is changed, this information on Cookies still applies.
We will endeavour to update this post if the situation changes.