The aim of this guide is to provide you with an overview of the Cookie Law: what it is, the potential implications for e-commerce businesses and the different options you have for how you respond.
Type ‘EU cookie law’ into Google and you will find endless discussions on blogs and forums debating how best to interpret and react to the law. I have read and researched the best of them, as well as reading through the ICO’s latest documentation of the law, ‘Changes to the rules on using cookies and similar technologies for storing information’, which I recommend you read as well.
I hope this report provides you with enough information to make your own informed decision on how best to respond to the cookie law. Please be assured that on May 26th 2012 the ICO are not going to be contacting you with a £500,000 penalty if you are yet to react; however, it is time to think about updating your T&Cs at the least.
“There will not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant but trying to get there”. – ICO Blog
Privacy and Electronic Communications Regulation – May 26th 2011
On 26 May 2011, the amended Privacy and Electronic Communications Regulations came into force in the UK and EU. As the independent arbiter of information rights, the Information Commissioner has been charged with regulating the new rules for websites aimed at UK consumers. From the 26th May 2012 the Information Commissioner will have the power to serve penalties of up to £500,000 on UK companies who break the law.
What is the Law?
This law requires all website owners to get consent from their website visitors before they can store or retrieve any information on their devices, including computers, tablets and mobile devices. One common technique for storing information is widely known as a cookie. N.B. it isn’t all as simple as it first appears, so don’t panic and read on.
What is the law for?
The law is definitely about behavioural targeting and stopping the abuse of private information; it is there to protect visitor privacy. That means no 3rd party techniques (sharing information with other organisations), no 3rd party ad tracking and no collection of personal information such as name or email address unless the individual gives explicit consent. In reality, however, there is a lot of confusion about how companies should interpret the law. Why? Because the Information Commissioner’s Office (ICO), the body responsible for enforcing the law, is currently unclear itself, an issue which is reflected in its current documentation of the law and how it should be interpreted.
Extract from the ICO document answering the question: Will the ICO be producing more specific guidance on what I need to do in future?
“We will be keeping the situation under review and will consider issuing more detailed advice if appropriate in future. However, we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do. What is clear is that the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent.”
“Reading the ICO’s latest document, which is intended to clarify things, is quite hard going because of the amount of contradictions and exceptions. There’s a lot in the document about the different types of cookies, and what the law means for each of these. Cookies which are ‘strictly necessary’ are exempt from consent (e.g. ‘add to shopping basket’ is an example they give as ‘strictly necessary’?) but cookies that are merely ‘important’ are not.”
What are Cookies?
A cookie is a small text file placed on the hard drive of your computer by the server of a website that you visit. The cookie is placed there for the purpose of recognising your specific browser / computer combination were you to return to the same site. All cookies have an owner, which tells you who the cookie belongs to. The owner is the domain specified in the cookie.
Differentiating 1st Party and 3rd Party cookies
The word “party” refers to the domain as specified in the cookie; the website that is placing the cookie. So, for example, if you visit www.site1.com and the domain of the cookie placed on your computer is www.site1.com, then this is a 1st party cookie. If, however, you visit www.site1.com and the cookie placed on your computer says www.stats-for-free.com, then this is a 3rd party cookie. So 3rd party cookies are cookies that are set by one site, but can be read by another site. For example, when you visit site1.com, it might set a cookie that can be read by site2.com. Some advertisers use 3rd party cookies to track your visits to the various websites on which they advertise (have you noticed ads relating to a website you visited recently following you around the web?). Here is the 3rd Party Cookie definition from the ICO’s latest document released in December 2011:
“Some websites allow third parties to set cookies on a user’s device. If your website displays content from a third party (eg from an advertising network or a streaming video service) this third party may read and write their own cookies or similar technologies onto “your” users’ devices. We would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.”
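The 1st/3rd party distinction above comes down to comparing the cookie’s owner (the Domain attribute, or the host that sent it when no Domain is given) with the site in the address bar. The script below is an added example, not code from the original guide or from Fisheye: it parses Set-Cookie headers as a browser would see them and classifies each one, which is the kind of audit the ICO’s first step (“check what type of cookies … you use”) calls for. The hostnames and cookie names in the sample are constructed; www.site1.com and www.stats-for-free.com are borrowed from the explanation above.

```javascript
// Added example (not from the original guide or from Fisheye): classify
// Set-Cookie headers as 1st or 3rd party relative to the site the user visited.
// Hostnames and cookie names below are constructed for illustration.

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0],
    value: eq >= 0 ? parts[0].slice(eq + 1).trim() : '',
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    cookie.attrs[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return cookie;
}

// Domain matching as browsers apply it: "site1.com" covers "www.site1.com",
// but "stats-for-free.com" does not.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// visitedHost: the site in the address bar (e.g. www.site1.com).
// setter: the host of the HTTP response that carried the header; it is the
// cookie's owner when no Domain attribute is present.
function classifyCookie(visitedHost, setter, header) {
  const c = parseSetCookie(header);
  const owner = typeof c.attrs.domain === 'string'
    ? c.attrs.domain.replace(/^\./, '')
    : setter;
  return {
    name: c.name,
    owner,
    party: domainMatches(visitedHost, owner) ? 'first' : 'third',
    persistent: 'expires' in c.attrs || 'max-age' in c.attrs, // else session-only
    secure: c.attrs.secure === true,
    httpOnly: c.attrs.httponly === true,
  };
}

// Audit a list of {setter, header} observations for one page visit.
function auditCookies(visitedHost, observed) {
  return observed.map(({ setter, header }) => classifyCookie(visitedHost, setter, header));
}

// Constructed sample: what a browser might see on a visit to www.site1.com
// that embeds a resource from www.stats-for-free.com.
const SAMPLE_OBSERVATIONS = [
  { setter: 'www.site1.com', header: 'basket=abc123; Path=/; Secure; HttpOnly' },
  { setter: 'www.site1.com', header: 'site_analytics=xyz; Domain=.site1.com; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/' },
  { setter: 'www.stats-for-free.com', header: 'visitor_id=9f8e7d; Domain=stats-for-free.com; Max-Age=31536000; Path=/' },
];

function sampleAudit() {
  return auditCookies('www.site1.com', SAMPLE_OBSERVATIONS);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of sampleAudit()) {
    console.log(`${c.name}: ${c.party}-party (owner ${c.owner}), ${c.persistent ? 'persistent' : 'session'}`);
  }
}
```

Run it with Node and the basket cookie comes out as a 1st party session cookie, the analytics cookie as 1st party but persistent (so it is one to document on your cookies page), and the visitor_id cookie as 3rd party. The persistent/session and Secure/HttpOnly flags are reported because they are the first things a visitor-facing cookie table usually lists.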
How is this going to affect my e-commerce business?
Google Analytics Tracking
The biggest topic in question for e-commerce sites is going to be the tracking of vital analytics data using analytics packages such as Google Analytics. Google Analytics uses 1st party cookies, and currently sets 4 automatic cookies. The ICO guidelines dedicate an entire section to this at the bottom of the document; they say:
“An analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent. One possible solution might be to place some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user’s device.”
Despite the entire document explaining that we absolutely definitely need to gain user consent, they admit this little caveat in the penultimate sentence:
“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.”
The next sentence explains what we have to do:
“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
How to comply with the law
No responsible company is likely to want to be open to accusations of defying or ignoring the law. Acknowledging the change and taking preliminary steps to comply seems sensible.
In terms of analytics I think a page explaining what cookies you use and why is the best solution. It’s worth having a look at a few of the big brands as a gauge, but everybody’s favourite, John Lewis, is an example we believe of a very intelligent interpretation of the law by one of the big brands, and after all everyone’s eyes are going to be on them.
It’s worth taking a look at johnlewis.com: they have a link at the top of the site, ‘Privacy and Cookies’, with no pop-ups or tabs currently. The information they provide is split into bite-size chunks that are easy to digest.
Here is a very useful extract from ‘What are cookies’ by John Lewis:
Ultimately the decision on the actions you take in order to move towards full compliance has to be your own, after reading all of the facts and making a reasonable risk assessment.
What about share tools for Facebook & Twitter?
If you have Facebook ‘Like’ buttons on your website, for example, this is actually a cookie that belongs to the Facebook website and is not technically a 3rd party cookie belonging to your site. It is a ‘grey area’, however, so take the lead from John Lewis: they have placed the onus on these 3rd party websites, stating that John Lewis are not serving the cookie up and that the script which places it there is controlled by the third party.
This is what John Lewis say:
“If you take the opportunity to ‘share’ johnlewis.com content with friends through social networks – such as Facebook and Twitter – you may be sent cookies from these websites. We don’t control the setting of these cookies, so please check the third-party websites for more information about their cookies and how to manage them.”
Unfortunately all of my legal knowledge comes from Poirot and a few episodes of Ally McBeal, so Fisheye are not in a position to provide you with legal guidance on this issue. The ICO do say themselves that they’re highly unlikely to take formal action against websites with tracking cookies, but wording like “the Information Commissioner cannot completely exclude the possibility of formal action” should be heeded!
What action should we take?
In the document the ICO advise you to now take the following steps:
1. Check what type of cookies and similar technologies you use and how you use them.
3. Decide what solution to obtain consent will be best in your circumstances.
Fisheye can provide you with the following support.
Fisheye will provide you with full documentation of the cookies that are used on your site, for you to present to your visitors in the John Lewis format. Using the information from the audit will enable you to explain to your visitors the cookies that your website uses. How much detail you wish to provide is up to you; however, again we recommend you take a look at John Lewis as a benchmark.
Update your T&Cs
We also recommend you ensure the privacy statement within your terms and conditions is up to date and accurate: keep it simple, not full of legal jargon.
Again we recommend you take a look at John Lewis’ T&Cs; this is what they have added:
One Step further: Pop ups and similar
If you would like to explore the following options, please contact us for further details.
Pop ups and similar techniques
This is the most direct approach: you are asking someone if they agree to you putting something on their computer, and if they click yes, you have their consent. It is also one which might well spoil the experience of using a website if you use several cookies, since each would need its own prompt.
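One way to get the benefit of a pop-up without prompting for every cookie is to ask once and gate all non-essential cookies behind that single answer, while the ‘strictly necessary’ ones (the basket, for instance) are set straight away. The code below is an added example, not code from the original guide or from Fisheye; it assumes a hypothetical list of strictly-necessary cookie names and takes the cookie writer as a parameter so it can be exercised without a browser. Cookie names and values are constructed.

```javascript
// Added example (not from the original guide or from Fisheye): a consent gate
// that writes 'strictly necessary' cookies immediately and holds every other
// cookie back until the visitor has clicked "yes" on a single prompt.
// The exemption list and cookie names are constructed for illustration.

const STRICTLY_NECESSARY = new Set(['basket', 'session_id']); // assumed exempt names

// writer: a function that actually stores a cookie string. In a browser you
// would pass (s) => { document.cookie = s; }.
function createConsentGate(writer) {
  let consented = false;
  const pending = []; // cookies requested before consent was given

  return {
    // Request a cookie. Necessary ones go straight through; the rest wait.
    setCookie(name, value, attrs = 'Path=/') {
      const cookieString = `${name}=${encodeURIComponent(value)}; ${attrs}`;
      if (STRICTLY_NECESSARY.has(name) || consented) {
        writer(cookieString);
        return 'set';
      }
      pending.push(cookieString);
      return 'deferred';
    },
    // Wired to the "yes" button: record the consent and flush the queue.
    grantConsent() {
      consented = true;
      writer('cookie_consent=1; Max-Age=31536000; Path=/');
      while (pending.length) writer(pending.shift());
    },
    // Wired to the "no" button: drop anything queued and stay gated.
    declineConsent() {
      consented = false;
      pending.length = 0;
    },
    pendingCount: () => pending.length,
    hasConsent: () => consented,
  };
}

// Walk-through with an in-memory jar standing in for document.cookie.
function demoFlow() {
  const jar = [];
  const gate = createConsentGate((s) => jar.push(s));
  const results = {
    basket: gate.setCookie('basket', 'abc123'),         // necessary: set now
    analytics: gate.setCookie('site_analytics', 'xyz'), // deferred until consent
    beforeConsent: gate.pendingCount(),
  };
  gate.grantConsent();                                  // the visitor clicked yes
  results.afterConsent = gate.pendingCount();
  results.jar = jar;
  return results;
}

// Walk-through of the "no" path: nothing but the necessary cookie is written.
function demoDecline() {
  const jar = [];
  const gate = createConsentGate((s) => jar.push(s));
  gate.setCookie('basket', 'abc123');
  gate.setCookie('site_analytics', 'xyz');
  gate.declineConsent();
  return { jar, pending: gate.pendingCount(), consent: gate.hasConsent() };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoFlow());
  console.log(demoDecline());
}
```

On a real site the analytics snippet would call `setCookie` through the gate rather than writing cookies itself, and the `cookie_consent` cookie written by `grantConsent` is what lets the next page load skip the prompt; note that this example does not persist the decision anywhere else, so on reload you would read that cookie back before deciding whether to show the pop-up.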