The aim of this guide is to provide you with an overview of the Cookie Law: what it is, the potential implications for e-commerce businesses and the different options you have in terms of how you respond.

Type ‘EU cookie law’ into Google and you will find endless discussions on blogs and forums debating how best to interpret and react to the law. I have read and researched the best of them, as well as reading through the ICO’s latest documentation of the law, ‘Changes to the rules on using cookies and similar technologies for storing information’, which I recommend you read as well.

The challenge (and thus the nature of the debates) is how to interpret the law, and be seen to respond to the law, whilst limiting the potential impact on your e-commerce business. If you follow the guidelines to the letter (e.g. interrupting your visitors with a pop up asking them to consent to the use of cookies on your website), the majority of your visitors are likely to refuse all cookies. This will impact your ability to base future marketing decisions on accurate analytics data, and potentially impact your e-commerce business.

I hope this report provides you with enough information to make your own informed decision on how best to respond to the cookie law. Please be assured that on May 26th 2012 the ICO are not going to be contacting you with a £500,000 penalty if you are yet to react; however, it is time to think about updating your T&Cs at the least.

“There will not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant but trying to get there”. – ICO Blog

Privacy and Electronic Communications Regulation – May 26th 2011

On 26 May 2011, the amended Privacy and Electronic Communications Regulations came into force in the UK and EU. As the independent arbiter of information rights, the Information Commissioner has been charged with regulating the new rules for websites aimed at UK consumers. From the 26th May 2012 the Information Commissioner will have the power to serve penalties of up to £500,000 on UK companies who break the law.

What is the Law?

This law requires all website owners to get consent from their website visitors before they can store or retrieve any information on their devices, including computers, tablets and mobile devices. One common technique of storing information is widely known as a cookie. N.B. it isn’t all as simple as it first appears; don’t panic, read on.

What is the law for?

The law is definitely about behavioural targeting and stopping the abuse of private information. The law is there to protect visitor privacy: that means no 3rd party techniques (sharing information with other organisations), no 3rd party ad tracking and no personal information such as name, email address etc. being collected, unless the explicit consent of the individual is given. However, in reality there is a lot of confusion about how companies should be interpreting the law. Why? Because the Information Commissioner’s Office (ICO), the body responsible for enforcing the law, is currently unclear itself, an issue which is reflected in its current documentation of the law and how it should be interpreted.

Extract from the ICO document answering the question: Will the ICO be producing more specific guidance on what I need to do in future?

“We will be keeping the situation under review and will consider issuing more detailed advice if appropriate in future. However, we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do. What is clear is that the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent.”

Extract from Cookie Law http://blog.silktide.com/2012/02/cookie-law-analytics-are-illegal-but-we-wont-prosecute-you-probably

“Reading the ICO’s latest document, intended to clarify things, is quite hard going because of the amount of contradictions and exceptions. There’s a lot in the document about the different types of cookies, and what the law means for each of these. Cookies which are ‘strictly necessary’ are exempt from consent (e.g. ‘add to shopping basket’ is an example they give as ‘strictly necessary’?) but cookies that are merely ‘important’ are not.”

What are Cookies?

A cookie is a small text file placed on the hard drive of your computer by the server of a website that you visit. The cookie is placed there for the purpose of recognising your specific browser / computer combination were you to return to the same site. All cookies have an owner, which tells you who the cookie belongs to. The owner is the domain specified in the cookie.

Does your website use cookies? Yes; they are necessary in the case of Magento and other e-commerce sites to enable the visitor to make a purchase. Over 95% of websites use independent or third party cookies. What’s important is that there are different types of cookies: 1st Party cookies and 3rd Party Cookies. It’s the 3rd party cookies which appear to be the most important area of the ICO’s enforcement and guidance focus; this is the area of 3rd party ad tracking and personalising cookies.

Differentiating 1st Party and 3rd Party cookies

The word “party” refers to the domain as specified in the cookie: the website that is placing the cookie. So, for example, if you visit www.site1.com and the domain of the cookie placed on your computer is www.site1.com, then this is a 1st party cookie. If, however, you visit www.site1.com and the cookie placed on your computer says www.stats-for-free.com, then this is a 3rd party cookie. So 3rd party cookies are cookies that are set by one site, but can be read by another site. For example, when you visit site1.com, it might set a cookie that can be read by site2.com. Some advertisers use 3rd party cookies to track your visits to the various websites on which they advertise (have you noticed ads relating to a website you visited recently following you around the web?). Here is the 3rd Party Cookie definition from the ICO’s latest document, released in December 2011:

“Some websites allow third parties to set cookies on a user’s device. If your website displays content from a third party (eg from an advertising network or a streaming video service) this third party may read and write their own cookies or similar technologies onto “your” users’ devices. We would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.”

How is this going to affect my e-commerce business? Google Analytics Tracking

The biggest topic in question for e-commerce sites is going to be the tracking of vital analytics data using analytics packages such as Google Analytics. Google Analytics uses 1st party cookies, and currently sets 4 automatic cookies. The ICO guidelines dedicate an entire section to this at the bottom of the document; they say:

“An analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent. One possible solution might be to place some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user’s device.”

Despite the entire document explaining that we absolutely definitely need to gain user consent, they admit this little caveat in the penultimate sentence:

“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.”

The next sentence explains what we have to do:

“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

How to comply with the law

No responsible company is likely to want to be open to accusations of defying or ignoring the law. Acknowledging the change and taking preliminary steps to comply seems sensible.

In terms of analytics, I think a page explaining what cookies you use and why is the best solution. It’s worth having a look at a few of the big brands as a gauge, but everybody’s favourite, John Lewis, is in our view an example of a very intelligent interpretation of the law by one of the big brands, and after all everyone’s eyes are going to be on them.

It’s worth taking a look at johnlewis.com: they have a link at the top of the site, ‘Privacy and Cookies’, with no pop ups or tabs currently. The information they provide is split into bite size chunks that are easy to digest.

Here is a very useful extract from ‘What are cookies’ by John Lewis:

Cookies are tiny text files stored on your computer when you visit certain web pages. At johnlewis.com we use cookies to keep track of what you have in your basket, and to remember you when you return to our site. To order products on johnlewis.com, you need to have cookies enabled – see the section on Managing cookies. If you don’t wish to enable cookies, you’ll still be able to browse the site and use it for research purposes. Most web browsers have cookies enabled, but see Managing cookies for help to turn them on should you need to.

Ultimately the decision on the actions you take in order to move towards full compliance has to be your own, after reading all of the facts and making a reasonable risk assessment.

What about share tools for Facebook & Twitter?

If you have Facebook ‘Like’ buttons on your website, for example, the cookie that is set belongs to the Facebook website and is not technically a 3rd party cookie belonging to your site. It is a ‘grey area’, however, so take the lead from John Lewis: they have placed the onus on these 3rd party websites, on the basis that John Lewis are not serving the cookie up, and the script that places it there is controlled by the third party.

This is what John Lewis say:

“If you take the opportunity to ‘share’ johnlewis.com content with friends through social networks – such as Facebook and Twitter – you may be sent cookies from these websites. We don’t control the setting of these cookies, so please check the third-party websites for more information about their cookies and how to manage them.”

Disclaimer

Unfortunately all of my legal knowledge comes from Poirot and a few episodes of Ally McBeal, so Fisheye are not in a place to provide you with legal guidance on this issue. The ICO do say themselves they’re highly unlikely to take formal action against websites with tracking cookies, but wording like “the Information Commissioner cannot completely exclude the possibility of formal action” should be heeded!

What action should we take?

In the document the ICO advise you to now take the following steps:

1. Check what type of cookies and similar technologies you use and how you use them.
2. Assess how intrusive your use of cookies is.
3. Decide what solution to obtain consent will be best in your circumstances.

Fisheye can provide you with the following support.

Cookie Audit

One thing we do know (and the ICO agrees) is that you must first audit the types of cookies your website uses. Before you can create the right cookie compliance and privacy policy for your domain, you need to understand your compliance risks. That means understanding exactly how many cookies your website is setting in visitors’ browsers and precisely what they do.

Fisheye will provide you with full documentation of the cookies that are used on your site, for you to present to your visitors in the John Lewis format. Using the information from the audit will enable you to provide an explanation for your visitors of the cookies that your website uses. How much detail you wish to provide is up to you; however, again we recommend you take a look at John Lewis as a benchmark.
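The 1st/3rd party distinction described above and the audit step here both come down to the same mechanical check: for each Set-Cookie header a page load produces, compare the cookie’s effective domain with the site the visitor typed in, and note the attributes a privacy page would have to describe. The following Node.js script is an added example, not code from the original guide or from Fisheye; the observed headers, the host names and the list of ‘strictly necessary’ cookie names are all constructed for illustration.

```javascript
// Added example: a small cookie-audit helper. It parses Set-Cookie headers
// recorded during a page load, classifies each cookie as 1st or 3rd party
// relative to the visited site, and reports the attributes a privacy page
// should mention. All sample data below is constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Browsers ignore a leading dot and compare domains case-insensitively.
function normaliseDomain(d) {
  return d.replace(/^\./, "").toLowerCase();
}

// 1st party: the cookie's effective domain is the visited host or a parent of
// it (site1.com for www.site1.com). Anything else is a 3rd party cookie.
// The effective domain is the Domain attribute if present, else the host that
// sent the header.
function cookieParty(siteHost, settingHost, cookieDomainAttr) {
  const site = normaliseDomain(siteHost);
  const effective = normaliseDomain(cookieDomainAttr || settingHost);
  const same = site === effective || site.endsWith("." + effective);
  return same ? "1st party" : "3rd party";
}

// Build one inventory row per observed Set-Cookie header. `necessary` is the
// site owner's own list of cookie names judged strictly necessary (e.g. the
// basket/session cookie); everything else is flagged as needing consent.
function auditCookies(siteHost, observed, necessary) {
  return observed.map(({ from, header }) => {
    const c = parseSetCookie(header);
    return {
      name: c.name,
      setBy: from,
      party: cookieParty(siteHost, from, c.attrs.domain),
      // Session cookies have neither Expires nor Max-Age and vanish on browser close.
      persistent: "expires" in c.attrs || "max-age" in c.attrs,
      secure: c.attrs.secure === true,
      httpOnly: c.attrs.httponly === true,
      needsConsent: !necessary.includes(c.name),
    };
  });
}

// Constructed sample: what a crawler might record for one page load of
// www.site1.com, with an analytics cookie and one 3rd party ad-tracking cookie.
const SAMPLE_OBSERVED = [
  { from: "www.site1.com", header: "basket=abc123; Path=/; Secure; HttpOnly" },
  { from: "www.site1.com", header: "_stats=GA1.2.9; Domain=.site1.com; Expires=Wed, 01 Jan 2014 00:00:00 GMT" },
  { from: "ads.stats-for-free.com", header: "track=xyz; Domain=.stats-for-free.com; Max-Age=31536000" },
];

function sampleReport() {
  return auditCookies("www.site1.com", SAMPLE_OBSERVED, ["basket"]);
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(sampleReport());
}
```

Run it with `node audit.js` to print the table. In a real audit the `observed` list would come from a crawler or browser developer tools capturing every response during a page load, not from the constructed sample; the point of the script is the classification logic, which follows the domain-matching rule the guide describes.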

Update your T&Cs

We also recommend you ensure your privacy statement within your terms and conditions is up to date and accurate – keep it simple, not full of legal jargon.

Where users open an online account or sign in to use the services you offer, they could give their consent by agreeing to updated Terms and Conditions. However, it is important to note that changing the terms of use alone to include consent for cookies would not be good enough. To satisfy the new rules on cookies, you have to make users aware of the changes and specifically that the changes refer to your use of cookies. You then need to gain a positive indication that users understand and agree to the changes.

Again we recommend you take a look at the John Lewis T&Cs; this is what they have added:

“We use Cookies to keep track of your current shopping session to personalise your experience and so that you may retrieve your shopping basket at any time – if you do not accept Cookies you will be unable to use this Website for shopping purposes, only for browsing and research. Click here for more information on selecting or deselecting ‘Cookies’. If you’d like to opt out of cookies, please go to the Network Advertising Initiative website (opens in a new window – please note that we’re not responsible for the content of external websites).”

One Step further: Pop ups and similar

If you would like to explore the following options, please contact us for further details.

Cookie Tabs

Less intrusive than a pop up, the tab will be present on every page of your website. When hovered over, the tab will display a sentence stating that your site uses cookies and inviting the visitor to click on the tab for more information. A pop up will then provide the user with information about the types of cookies and the choices they have, as well as links to further, more detailed information.

Pop ups and similar techniques

You are asking someone directly if they agree to you putting something on their computer, and if they click yes, you have their consent. It is also an approach which might well spoil the experience of using a website if you use several cookies.
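Whichever of the tab or pop up options is used, the behaviour behind it is the same: strictly necessary cookies (the basket) are set immediately, and every other cookie is held back until the visitor gives a positive indication of consent for its category, which is then remembered in a 1st party cookie. The following is an added example, not code from the original guide or from Fisheye; it models that gate as a plain JavaScript class with an in-memory jar standing in for `document.cookie` so it runs in Node, and the category names and the `cookie_consent` cookie name are assumptions made for the example.

```javascript
// Added example: a consent gate that defers non-essential cookies until the
// visitor consents to their category. The in-memory `jar` stands in for
// document.cookie; category names and the consent cookie name are my own
// assumptions, not anything prescribed by the ICO or the original guide.

const NECESSARY = "necessary"; // exempt from consent, e.g. the basket cookie

class ConsentGate {
  constructor(consentedCategories = []) {
    this.consented = new Set(consentedCategories);
    this.jar = new Map();   // name -> { value, category } for cookies actually set
    this.deferred = [];     // cookies waiting for consent to their category
  }

  // Set the cookie now if its category is allowed; otherwise hold it back.
  // Returns true when the cookie was set.
  setCookie(name, value, category) {
    if (category === NECESSARY || this.consented.has(category)) {
      this.jar.set(name, { value, category });
      return true;
    }
    this.deferred.push({ name, value, category });
    return false;
  }

  // Positive indication of consent: remember it and release deferred cookies.
  grant(category) {
    this.consented.add(category);
    const stillWaiting = [];
    for (const d of this.deferred) {
      if (d.category === category) this.jar.set(d.name, { value: d.value, category });
      else stillWaiting.push(d);
    }
    this.deferred = stillWaiting;
  }

  // Withdraw consent: stop setting the category and remove what was set.
  revoke(category) {
    this.consented.delete(category);
    for (const [name, c] of this.jar) {
      if (c.category === category) this.jar.delete(name);
    }
  }

  cookieNames() {
    return [...this.jar.keys()].sort();
  }

  // The consent record itself is a 1st party cookie; one year, Lax, Secure.
  consentCookieHeader() {
    const cats = [...this.consented].sort().join(",");
    return `cookie_consent=${cats}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`;
  }

  // Rebuild the gate on a later visit from the stored consent cookie value.
  static fromConsentValue(value) {
    return new ConsentGate(value ? value.split(",") : []);
  }
}

// Walk through a first visit: basket set at once, analytics deferred until the
// visitor clicks "yes", then revoked again. Returns the states for inspection.
function sampleFlow() {
  const gate = new ConsentGate();
  const basketSet = gate.setCookie("basket", "abc123", NECESSARY);
  const statsSet = gate.setCookie("_stats", "GA1.2.9", "analytics");
  const beforeConsent = gate.cookieNames();
  gate.grant("analytics");
  const afterConsent = gate.cookieNames();
  const header = gate.consentCookieHeader();
  gate.revoke("analytics");
  const afterRevoke = gate.cookieNames();
  return { basketSet, statsSet, beforeConsent, afterConsent, header, afterRevoke };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(sampleFlow());
}
```

In a browser the `jar` writes would become `document.cookie` assignments and the analytics script would only be loaded after `grant("analytics")`; the gate is the part that makes a ‘click yes’ consent actually change what gets stored, rather than merely recording that the visitor was asked.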