The Cookie Law - Are You Legal?

Note: We've updated our advice since writing this article - UK Cookie Law Advice.
The Cookie Law (Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 to give it its more formal title) is going to be enforced from the end of this month (May 2012). If you're based in the UK and run a website you're going to have to pay attention.
Why Is the Cookie Law Important?
The worry about this law was that every website in the UK would have to get consent from every visitor before they could use cookies. Cookies are essential for many parts of your website's operation. They keep track of what people are putting in the shopping cart, whether they are logged into your members' area and so on. The worst-case scenario was that you would have to have a big pop-up window as soon as someone arrived at your website asking for permission to use cookies. If they refused, parts of your site would not work.
Some Guidance at Last
The Information Commissioner's Office (ICO), who are responsible for the law, haven't been very clear on the exact details, which has left a lot of website owners very concerned about how to stay clear of the hefty fines. Luckily the International Chambers of Commerce (ICC) have released a guide which gives a very clear explanation of how they see the law. Although the guide doesn't constitute legal advice, it's an excellent starting point in making sure your website is okay. In fact David Evans at the ICO agreed the guide was a good starting point, which is probably as close to a recommendation as you're ever going to get from a government organisation.
So What Does It All Boil Down To?
Basically the guide breaks cookies down into four categories. The first three of these can be easily covered by making sure you have the appropriate wording in your website privacy policy or terms and conditions.
The fourth group of cookies are the ones the law is really aimed at so if you're using any of these you need to pay close attention.
Category 1 Cookies - Strictly Necessary
These are cookies which are needed to make the website work. Shopping carts, secure areas of the website, membership areas and suchlike all use cookies to keep track of the user. These are all exempt from the law so you don't need to do anything.
Category 2 Cookies - Performance Cookies
This is the interesting category as it contains the cookies that people are most concerned about. The law was very unclear about web analytics cookies - for example the ones that make Google Analytics work. Without these cookies it was going to be very difficult to measure your website performance and see what visitors were doing. The ICC has put analytics, advertising, affiliate tracking and Pay per Click cookies in here.
For these cookies you simply need to mention them in your privacy policy or your website terms and conditions. Providing you've made it clear what cookies you are using and why, it's then up to the user to turn them off if they want to. As the majority of users never read these documents it's pretty safe to assume these cookies will be unaffected.
Category 3 Cookies - Functionality Cookies
These are cookies your website might use to remember user choices. They might be used to remember if a special message has been displayed, if the user has selected a different text size, information the user has typed in to pre-fill forms for them, etc.
Again these cookies can be covered in your privacy policy or terms and conditions.
Category 4 Cookies - Targeting Cookies or Advertising Cookies
These are the cookies the law is really aimed at stopping, or at least making sure the website user is fully aware they are being used. These tend to be used by advertising networks so that they can build up a picture of what you've been looking at on the web. If you've ever wondered how a website can suddenly display an advert for something you were looking at yesterday, now you know.
If your website is using this sort of technique you're going to have to get the user's permission.
Not so Bad after All
So for most of us it's simply a matter of making sure we talk about cookies in our privacy policy or terms and conditions. So hopefully the panic is over. Obviously we'll have to wait to see exactly what the ICO says but it looks like this guide has got it just about right.
If you've got any concerns over this feel free to give me a call.
P.S. You have got a privacy policy and terms and conditions published on your website, haven't you? If not, now would be a good time to get some.
