New Cookie Legislation
Last Update: May 15, 2012
I assume this is just a UK thing but I have just received an email from one of my affiliate companies advising that there is some new cookie legislation that comes into force on 26th May 2012. Well it apparently became law on 26th May 2011 but they are going to be enforcing it with effect from 26th May 2012.
Below are a few paragraphs from the e-mail:
What does the revised law mean?
The Cookie Law means that websites will need to get consent from customers to store or retrieve any information on a computer or any other web connected device, such as a smartphone or tablet. With most websites using cookies and similar technologies, if your business has a website, you will need to look at making changes to it in order to adhere to the law. EVERY website uses cookies in some way and what you need to do is get your house in order and start making progress towards full compliance.
Why is this law coming into effect?
The law has been made to protect consumers’ online privacy by educating them about how their information and behaviour is collected and used by websites. It aims to give consumers control over their own online privacy. In our opinion, one of the biggest challenges to that is the lack of general awareness of how the internet operates in the general public. Working in the industry we have a blinkered view of the level of understanding of the average internet user. The vast majority will NOT know what a cookie is or how these cookies enhance and impact their online experiences.
Are there any exceptions to the law?
The basis of the law exists around the ‘right to refuse’ a cookie... and there are exceptions to the requirement to provide information about cookies and obtain consent where the use of the cookie is one of the below:
• For the sole purpose of carrying out the transmission of a communication over an electronic communications network
• Where such storage or access is ‘strictly necessary’ for the provision of an information society service requested by the subscriber or user. For example, it is the same for intranet sites purely targeted at your employees.
The term 'strictly necessary' means that such storage of or access to information should be ‘essential’, rather than ‘reasonably necessary’, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data.
It should be noted, that where the use of a cookie type device is deemed 'important' rather than 'strictly necessary', those collecting the information are still obliged to provide information about the device to the potential user and obtain consent.
Responsibility for providing the information and obtaining consent
The Regulations do not define exactly and clearly who should be responsible for providing the information and obtaining the consent. However, you are responsible for complying with these regulations if you operate an online service or website and it requires any use of a cookie type device for your purposes only.
However, once a person has used such a device to store or access data on a device, that person will not be required to provide the information described and obtain consent on subsequent occasions, as long as they met these requirements initially. While the regulations do not require the relevant information to be provided on each occasion, they do not prevent this.
So, what do you need to do to inform consumers?
Basically, if you are using cookies on your website you will most likely need to make some changes. You MUST inform your customers, but how you do this can be in a variety of ways. We recommend that for the time-being you follow some or all of the following:
• Tell visitors to your website that the cookies are there
• Explain the purpose of these cookies
• Get the customer’s consent to store a cookie on their device
The Regulations are not entirely rigid about the information that you need to provide consumers with, but the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so.
I have had a look at a few major UK companies to see how they are dealing with this and some, such as BT, are using an implied consent. There is a pop up informing that the website is set to "allow all cookies" to give the best experience - if you don't want to allow all cookies then this can be changed at the bottom of the page but if you continue without changing the settings then you consent to this!
UK government is advising that they want to use cookies to store information and that some parts of the website won't work properly without this and are forcing you to tick a check box to agree to accept cookies.
As stated earlier this covers just about all UK sites which seems rather a lot to be policed but as cookies are essential for what we do it is important that we get this right without scaring off potential customers.
Does anyone have any ideas for the best way to handle this?
Apina
Premium
An interesting article, even the Government will miss the deadline. Also check the last few paragraphs, the ICO in the UK will be acting on a complaint basis. http://www.bbc.com/news/technology-18090118
Adi2008
Premium
If you're running a WordPress site, have a look at using a Plugin called "Cookie Control" (http://wordpress.org/extend/plugins/cookie-control/) - haven't used it myself (yet) but I made a mental note of it when I saw it in action recently on a site I was visiting.
kyle
Premium
So basically they are saying that they don't want people in the UK or with UK sites to use the internet. Almost all sites use cookies and/or session variables to create a better experience for the user. I could only imagine how this could impact Google and Facebook who go far beyond cookies to utilize personal information.
People are scared enough as it is, having them click a pop-up telling them about "cookies" is only going to have them fleeing your website.
Marad
Premium
Hi Suem,
I live in the UK as well. Thanks for writing about it as I haven't known anything. I have some notes regarding cookies in my Privacy Policy - which I "borrowed" from Argos web. I think the best way would be to follow the big players as Dean recommends as they have a team of solicitors for that. Let's hope some plugin will appear soon.
Marie
Apina
Premium
Ahhh yes, this one, forgot this was coming into effect. In my mind the best way is like with BT, pop up to say cookies are in use, accept to continue otherwise set options for cookies or at very worst don't let them in.
There may be a plugin soon for this. I hope so as there is no easy way to implement this sort of thing.
Will be a nightmare though, lots of people will turn away from it at first wondering what the hell it is.
Another option would be a geo location plugin. If the user is UK based show the pop up, otherwise business as normal.
One thing this doesn't specify though, are you still liable for the cookie law if the site is not hosted on UK soil? Why I am saying this is with Aweber/Mailchimp I am obliged to provide certain info in order to comply with USA laws as the service is American.
A UK provider wouldn't force me to provide it as the law isn't relevant in the UK. So flip it over, US hosted site doesn't need to follow the UK law?? I'm no legal expert so this may (probably) be wrong, but interesting nonetheless.