Cookie Law deadline approaches

It's almost a year since the EU Cookie Law was introduced.  It requires website owners to get an 'opt-in' approval from their visitors if the website uses 'cookies'.

The regulators (Information Commissioners Office in the UK) have given website owners a year's grace to look at compliance.  That grace period ends on 25th May 2012.  So you may need to take some action to make sure your site is compliant.

Cookies are small text files that websites store on computers.  They can contain information for just about anything but typically they are used to store things like login information, shopping cart information and web analytics.  They're needed so information can be preserved between webpages - for example, to remember who is logged in.  Without cookie technology, it would be almost impossible to do some things we take for granted on websites.

So what is the legislation trying to address?  Well, it is really all about privacy.  The EU legislators do not want websites storing (and using) information about users' personal web browsing history, sites visited, shopping and anything else, without them having agreed to it.

And that is a worthy goal.  Do you want Google deciding you should see adverts for an item that you looked at on a website three days ago?  Or Facebook logging details of what you post and who you interact with? Probably not.  

So it makes good sense to get people to say it is ok or not.  However there are a few difficulties with implementation of this.  Ultimately, it is believed that the opting in/out will be handled by the browsers, and there is much  discussion with the browser developers going on.  But it will be some time before there is any results on that front.  So the way that consent will be requested will have to be from the webpage(s).  

The main percieved problem with this is the user experience.  

• If a page is asking you to approve the use of cookies, it is an intrusion that you might not get from a competitive site that is non-compliant.  So the non-compliant website actually gets an advantage.  Not fair!
• Also, not having cookies available will make some websites inoperable.  
• Implementing a consent facility requires it to be on pretty much every page and needs a level of technical knowledge to install, so there is a cost aspect.  

The legislation also describes how some cookies may be deemed 'necessary' and won't require consent for usage - but don't prescribe what the 'necessary' cookies are in any detail.  Having said this, in the examples above it is generally agreed that necessary cookies could be shopping cart and login type cookies, while website statistic cookies would not.  

For all sites using Google Analytics then, this is an issue because it uses cookies. Even if you have a consent capability, and not all your visitors agree, the accuracy of your statistics are comprimised.  No doubt Google are working on this, although there has been no official position to date.

So what should you do?  Well, it is law so you shouldn't ignore it - the law covers fines of up to £500,000.  What you should do is find out if cookies are being used on your site - there are plenty of browser plug-ins that will let you see which cookies are coming from your site.  

Then you need to decide if these are necessary or not.  If they are not and you want/need to keep them, you will need some mechanism to ask for consent.  It is unlikely this is something you can do yourself, so you will probably need the help of your friendly web developer.

Incidentally, once you have consented to use cookies, this information needs to be stored somewhere on your comptuer - you guessed it, in a cookie!!