By Brandboost

The EU website directive that became law in May 2011 is being enforced from 26th May this year by the UK following 12 months grace. This new law requires ALL website owners to inform visitors of their ‘cookie’ use and what choices visitors have before they enter the website. Failure to comply with the new law could incur a fine of up to £500,000.

The ICO provided detailed guidance for website owners in December 2011, which is available from their website here.

So, what exactly are cookies?
Cookies are small (often encrypted) text files that usually include a unique identifier. They are downloaded on to a computer or web browsing device by the majority of websites when visited. Cookies have two primary functions: to improve the website experience for the user and to provide analytical data about website use for the website owner. Cookies are not programmes and cannot harm your web browsing device (computer, tablet, smartphone, game console etc.).

Typically, cookies are divided into session cookies and persistent cookies. Session cookies ‘self-destruct’ once your web browsing activity is concluded. They are primarily used as short-term memory files so, for example, when you add things to a website shopping cart and then go browsing elsewhere the cookie is used to remember what’s in your cart. New session cookies are downloaded to your browsing device when you go online and then get deleted when you go offline.

Persistent cookies stay around longer, maybe years, and are used to remember your specific website preferences and settings. So, for example, when you visit Amazon after the first time its web server checks your browsing device to see if there is a persistent cookie there, if there is, it logs you on and provides recommendations etc. based on information associated with that persistent cookie.

Analytics software like Google Analytics use persistent cookies to allow website owners to measure the number of new and returning visitors to a website, their location, the pages they look at, the amount of time spent on each page and much, much more.

There are other names for these cookies (HTTP cookies, transient cookies, permanent cookies) and other cookie variants such as supercookies and Flash cookies.

Persistent cookies are also known as tracking cookies (although session cookies can be used for tracking too) and tracking is where the major privacy concerns are, which has been the main contributory factor in the change to the law.

Why the cookie law has changed
It’s all to do with tracking and how it’s developed. Tracking cookies have been around for ages, as has the law that states visitors should be able to know what the cookie policy is of each website visited. This information is usually hidden away on the privacy policy page.

Over recent years tracking cookie use has become very sophisticated and is especially noticeable in behavioural advertising. This is primarily done through the use of third party cookies. It works when a website lets an advertiser place ads on their pages. When you click on one of these ads, a third party cookie is downloaded by the advertiser to your browsing device. This third party cookie can then be tracked across every new site you visit that’s connected to the advertiser – allowing the advertiser to learn your browsing habits and build up a profile of you – known as behavioural tracking. Then the advertiser can target specific ads at you that match your interests gleaned from your browsing history. Although these cookies are not internet security risks, there are obvious privacy concerns.

Most websites just use first party cookies and this is for two reasons, to create a better browsing experience and to provide analytics to the website owner of how their site is used. The interesting fact here is that most websites use a third party provider for their analytics (frequently Google) but because their analytic cookies, specifically Google’s, are website specific they are classed as first party cookies.

First party cookies, as described above, should not fall foul of the new law. It’s the intrusive nature of many third party cookies that are drivers for this law. But just the same you need to comply to be safe.

In the ICO’s report from December 2011, Guidance On The Rules On Use Of Cookies And Similar Technologies, they state the reason for the law change as:

The rules in this area are essentially designed to protect the privacy of internet users – even where the information being collected about them is not directly personally identifiable. The changes to the Directive in 2009 were prompted in part by concerns about online tracking of individuals and the use of spyware. These are not rules designed to restrict the use of particular technologies as such, they are intended to prevent information being stored on people’s computers, and used to recognise them via the device they are using, without their knowledge and agreement.

What this means, in practical terms, is that any website that uses cookies (which is the big majority) will need to seek permission from visitors to download cookies to their browsing device BEFORE they enter the website. Visiting a website therefore becomes an opt-in process.

So, how do you approach this new law and what should you do to comply?

How to tackle the new cookie law
According to uncorroborated data floating around the internet, 92% of websites use cookies. If this figure is anywhere near accurate, and extrapolates across the UK, it leaves an eye-wateringly large number of websites that need updating soon.

However, the few first party cookies found on most smaller B2B websites (excluding analytics) are usually ‘non-intrusive’ and are part of its core functionality, or its content management system, and may be classed as ‘essential’ – therefore outside the remit of the new law and the opt-in process. However the big issue for most B2B organisations is going to be the analytics and measuring website traffic.

So what are the options?
Firstly, you can do nothing. This looks likely to be the default setting for a large number of small B2B website operators – due to ignorance of the law or the belief that nothing will happen. They could well be right on the second point but, just the same, the law is being broken.

If you want to take more practical steps, you need to instigate a full cookie audit before anything else. Depending upon the size of the website, this could be a big project and may require hours of specialist assistance (specifically in defining what each cookie does and its intrusiveness) or it could just take a quick half hour and a little bit of ‘googling’.

The information you need to find for each cookie on your website:

• The cookie name
• The source domain (identifies first or third party cookie)
• The expiry date (identifies session or persistent cookie)
• Description of cookie purpose (identifies importance to website functionality and its level of ‘intrusiveness’)

Once you have this data it’s best to review the cookie area within the existing privacy policy section of the website to ensure it is still up-to-date. It should be from previous regulatory requirements, but it’s still worth checking and updating if necessary.

There’s no effective solution to gaining opt-ins
The few websites that are already complying appear to be following the ICO lead (usually with a bit more wit and style) by going for an opt-in panel either positioned on every page (usually at the top), as a ‘sticky’ header that scrolls with the page or via a ‘pop-up’ style box that appears when entering the website – you’ve guessed it, it sets a cookie in the process. The opt-in feature must clearly explain about the new law, about cookies and provide details of all the cookies used on the website (this can easily be done using a link to the updated cookie section of the website privacy policy).

The issue (as the ICO have found) is that most people just ignore the opt-in feature and browse anyway. This is no big deal if you’re a ‘normal’ business that’s not reliant on third party advertising, apart from the fact that the analytics now don’t work.

According to the ICO, their visitors dropped by around 90% when they adopted the opt-in feature. Obviously not correct, it just shows that only 10% of visitors ‘opted-in’ – probably less given the increased interest in the cookie law during this period.

There is little else you can do at present (especially in finding an effective opt-in approach) until this ill-conceived law gets reviewed and the focus is placed only on advertising tracking cookies.

There are non-cookie based analytic tools available but the two leading products we tested did not compare favourably with Google Analytics, so we’re a bit reluctant to recommend any alternatives at present, but hopefully these will improve.

Unfortunately not a great ending for now, but if you want to discuss making your website compliant call our BBI team on 01494 452600 or contact them via the BBI website. Or you could watch the BBI video on the new cookie law first.