These cookies won't make you fat, in fact they could make you lose pounds. Niki May Young explains what your web developers will have to do to ensure your charity avoids an unwelcome fine from the ICO after 26 May.
There is now exactly one month left before the grace period for the implementation of the privacy and electronic communications EC directive comes to an end and your website must comply with its regulations, or risk action by the Information Commissioner's Office (ICO).
Wondering what I'm on about? I'm talking cookies, and not the type that are unkind to your waistline, rather the kind that are used to identify users and track their behaviour on your website.
In 2009 a citizens' rights directive in the EU amended the existing cookies law in a bid to ensure that users were clearer on where and how their information is being used. On 25 May last year these amendments came into force in the EU, but the UK's ICO implemented a year-long grace period for websites to take action. This ends on 26 May.
The legislation is in force now but, as mentioned, the ICO has given a grace period before it will punish the non-compliant. However, once this is over, the ICO could issue an organisation with an information notice asking it to provide the ICO with information on what steps it has put in place with regards to complying.
If the organisation is found to be non-compliant the ICO can then issue an undertaking requiring the organisation to take action. If this is not adhered to it can issue an enforcement notice. Non-adherence to this notice is a criminal offence.
In some cases, the ICO can issue a monetary penalty notice, with a maximum fine of £500,000. While this is only likely in extreme cases of abuse it is worth noting that these powers exist.
If you haven't already gotten in touch with your website developers to conduct an audit of cookies on your site, do it now. While the ICO has suggested that it will look at the most severe cases of non-compliance in the first instance, it will serve your charity well to have at least put measures in place by 26 May to become compliant in the near future, Mairead O'Reilly and Erica Crump, solicitors at Bates Wells & Braithwaite advise.
At a briefing on the upcoming changes this week, the pair said that while some members of the ICO have suggested charities may be treated with a lighter touch with regards to compliance, charities are advised not to take a "wait and see" approach.
On a basic level, what the legislation means is that your website will have to do three things at the earliest point when a user encounters your site:
The directive states that the information provided should be "sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies". This means that it is not enough to say that your website uses cookies - ie, a statement on the homepage that reads "This site uses cookies, by using this site you agree to their use" - you must also link to a detailed page explaining in plain English what cookies are, which are present on your site, what information they will collect, and how this information is used. You do not need to list each individual cookie used, only which types of cookie you use.
Crucially, you must gain active consent from the user. This means ensuring they tick a box or take an action to confirm that they have read the information and are happy for cookies to be used. But the user need only give consent once, unless the type of cookies being used on the site changes.
Once you have undertaken your cookie audit you will have to liaise with your website developer to implement changes to your site. O'Reilly and Crump advised that the correct solution to applying these provisions will depend on your organisation's and users' needs. But there are examples already out there which comply.
The ICO's own website (see thumbnail 1) displays a banner at the top of the site explaining that it uses cookies, providing links to further detailed information and using a tickbox consent to remove the box from view. The box remains on the user's screen until they tick it. It's not the prettiest, but it does the job and is a simple solution for those who cannot invest much more time in providing a slicker approach. Oxford Web, a web design company, follows suit in a much more palatable way (see thumbnail 2).
Some sites have used the pop-up approach, which appears when a user enters the site. BT offers this, stating that the cookie settings on the website are set to allow the cookies and offering the user the opportunity to either 'learn more', opt out, or continue (see thumbnail 3).
Some people have raised concerns that the very inclusion of pop-ups or banners advising users that there are cookies on the site may put people off using the site altogether. And if the user disallows cookies for that site, they will have a less than optimum experience of the site. Unfortunately only experience after compliance will tell if this will be the case and to what extent it will affect your site.
Other effects, such as skewed results in analytics, could also be a result of someone continuing without cookies. Complying with a user's request not to use cookies could also present difficulties from a technical point of view and require costly development changes.
The ICO doesn't have it all worked out yet. Some website owners have campaigned for allowances for certain cookies, such as analytics or strictly necessary cookies, which enable activities the user has specifically asked for, to be left out of the legislation.
Similarly there has been a call for 'implied consent' where simply notifying the user that cookies are used on the site would be considered enough if the user then continues to use the site. While this was dismissed by the ICO as it was believed there was not enough understanding of what cookies are, it remains to be seen if the issue will be revisited later.
Some have also raised the issue of browser compliance, so that the user can set their cookie preferences on their browser, rather than on each individual webpage. This too has been dismissed initially by the ICO, but could be revisited in the future.
If you are not a web developer yourself, you may not be aware of whether your site has cookies.
Cookies come in many forms but together they create a memory system for a website. Technically, they are a file of numbers and letters downloaded onto a user's device when they access a website in order to allow the website to recognise the device. But they are used for a number of reasons which include improving the user experience and avoiding repetitive information inputting.
Cookies can be either temporary - used just for the one session the user is visiting your site - or permanent - stored for future use until they are deleted. They can also come from either first or third parties.
First-party cookies are ones originating from the site that the user is visiting and are often used to save user preferences on the site. For example, if a user is asked a question by a website and they tick a box that says 'don't ask me this again', a cookie will log that the user does not want to be asked that particular question, and the answer to the question will be stored to remember the preference for the next time they visit.
Cookies are also used whenever a user fills out a form, or if they are purchasing an item in a shop, in order to allow the user to progress through to payment without losing the details of the sale. These cookies are only as intrusive as the user will allow - if they don't want certain information to be stored, they should not input that information. The information is also only stored by the website in which they are used.
Third-party cookies are generally used in advertising and are often considered to be more intrusive, because they collect information about your browsing habits and are often shared with other websites.
If you use Google Analytics or other analytics software, you have third-party cookies, but these only store information about your website use.
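The cookie audit and the cookie types described above (temporary or permanent, first- or third-party) can be checked mechanically from the Set-Cookie headers a page load produces. The following is an added example, not part of the original article, that groups observed cookies by type. The hosts, cookie names and the subdomain-based first-party test are assumptions; a production audit would compare registrable domains using the Public Suffix List.

```javascript
// Added example: group cookies seen in an audit by type (constructed data).

// Split a Set-Cookie header into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const attributes = {};
  for (const attr of attrs) {
    const [key, ...rest] = attr.split('=');
    attributes[key.toLowerCase()] = rest.length ? rest.join('=') : true;
  }
  return { name: pair.split('=')[0], attributes };
}

// Assumption: a host counts as first-party when it equals the page host or
// one is a subdomain of the other. Real audits use the Public Suffix List.
function isFirstParty(settingHost, pageHost) {
  const a = settingHost.toLowerCase();
  const b = pageHost.toLowerCase();
  return a === b || a.endsWith('.' + b) || b.endsWith('.' + a);
}

// Temporary (session) cookies carry neither Expires nor Max-Age.
function classifyCookie(header, settingHost, pageHost) {
  const { name, attributes } = parseSetCookie(header);
  const permanent = 'expires' in attributes || 'max-age' in attributes;
  return {
    name,
    lifetime: permanent ? 'permanent' : 'temporary',
    party: isFirstParty(settingHost, pageHost) ? 'first-party' : 'third-party',
  };
}

// Build the per-type summary a cookie information page needs.
function summariseTypes(pageHost, observed) {
  const types = {};
  for (const { host, header } of observed) {
    const c = classifyCookie(header, host, pageHost);
    const type = `${c.lifetime} ${c.party}`;
    (types[type] = types[type] || []).push(c.name);
  }
  return types;
}

const SAMPLE = [
  { host: 'www.charity.example', header: 'basket=abc123; Path=/; HttpOnly' },
  { host: 'www.charity.example', header: 'dont_ask_again=1; Max-Age=31536000' },
  { host: 'ads.adnetwork.example', header: 'uid=789; Expires=Wed, 01 Jan 2014 00:00:00 GMT' },
];
console.log(summariseTypes('www.charity.example', SAMPLE));
```

The grouped output maps directly onto the requirement to describe which types of cookie the site uses rather than every individual cookie.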
John Marshall
CEO
Centrepoint Outreach
26 Apr 2012
Temporary internet files and cookies can soon clog up and slow down your PC! I encourage regular use of a small downloadable program such as Piriform's CCleaner - to take out all those unnecessary files and clean up the Registry!! If done daily - takes less than 2 minutes.
Niki May Young
Website editor
civilsociety.co.uk
26 Apr 2012
Hi Anon,
Thanks for your comment. We have put measures in place with our developers to ensure that we are compliant by the end of the grace period on 26 May. So watch this space.
Kind regards,
Niki
Leona
22 May 2012
Google analytics uses first party, not third party cookies. Please update the otherwise interesting article