EU Cookie Law – ecommerce sites selling to UK need to do something now

by Tim Leighton-Boyce

Site owners in the UK have had several years to get to grips with implementing the EU Tracking directive. The period of grace ended on May 26th 2012 and so UK ecommerce sites have no excuse for not complying with our version of the EU ‘Cookie Law’.

But what do you really need to do? There was a lot of Fear, Uncertainty and Doubt back in 2012. The sneers of “they cannot be serious” were joined by complaints that “it will set back the economy”.

By 2014 the situation was becoming clear, so I recommend you skip to the key updates in the resources section below. [Updated: June 2014 with a link to a great summary of what’s actually been done in the way of enforcement].

I had already sent out my own thoughts on the subject to my email list months before writing this original blog post in 2012. So I wasn’t going to add yet more to the public debate by writing a blog post. But… I’m a great believer in using Google Analytics Site Search Reports as a way of finding out what people want. And those reports show that people were coming to this site looking for information about the EU cookie law.

So here goes.

What you need to do now

1. Do an audit of your site and document what you’re tracking, how and why
2. Update your privacy policy to include the information

Taking these first steps towards obeying the law ought to be sufficient to reduce the chances of a fine.

But you shouldn’t stop right there. That would be particularly irresponsible if you’re a prominent site which is more likely to attract the attention of someone who wants to complain to the ICO either out of malice or simply to provoke a test case.

Because:

Strictly speaking, the law requires you to have an opt-in consent system live on the site. Now.

So:

3. You should also be able to at least show that you’re working on your solution to the requirement to ask all visitors to your site to actively give consent for you to use cookies or any similar tracking systems. [Update: when you read Dan Barker’s 2014 post you will see how this aspect of ‘doing something’ has a real impact on the attitude taken by the ICO]

EU Cookie Law Opt-in Systems

The general opinion in most of the discussion on the subject I have seen is that sites will be able to get away with breaking the consent aspect of the law for a bit longer, provided that they can show they have started to comply by documenting the audit and updating their privacy policy.

This opinion is based on a series of reasonable assumptions:

  • That the law is intended to target sites which are using tracking in suspicious or devious ways, not sites which are using the standard analytics and marketing systems
  • That the ICO does not have a huge team to police this and start actively checking every site

The opinion is supported by things like this guide to implementing the law on public sector websites issued by the UK Government Digital Service:

http://alphagov.files.wordpress.com/2012/03/gds-cookies-implementer-guide.pdf

At the moment there are very few examples to look at out in the wild. You can bet that some more will appear on the day itself on big-name sites such as BBC, Amazon, Tesco, ASOS etc. If I remember correctly Argos went live with one when the law took effect last year, but removed it within hours as soon as the period of grace was announced.

The best example I have seen so far is the one on part of the BT site:

Screenshot showing BT EU Cookie Law Opt-in Overlay

And here’s a video of it in action:

You can visit the site to see it for yourself here:
http://www.productsandservices.bt.com/

This is particularly good for these reasons:

  • It’s a prominent overlay which appears when someone lands on the site.
    • But because this position is also widely used for things like survey invitation and “you may also like” promotions, the notice may be affected by a convenient form of ‘banner blindness’
    • People may be more likely to ignore it and assume that whatever the site is trying to get them to do will go away. Which it does.
    • Then viewing any more pages after this one will be taken as having opted-in. (Probably not 100% compliant, but that would be a fight which would make the lawyers rich.)
  • The language used makes accepting the default opt-in the most simple choice.
    • Using phrases such as “if you would like” and “change your settings” subtly conveys the idea that this would be something extra to do
    • So the tempting thing to do is take the easy option and do nothing

These factors combine to keep the disruption to the visitor’s experience to a minimum and make it most likely that the site can carry on tracking just as before.

The BT example is worth examining further. The interface they’ve provided for managing the cookie settings is extremely good and is also designed to reduce the risk of a visitor insisting that nothing is stored.

Screenshot of BT Cookie Settings Option with default options (all tracking on)

Screenshot showing BT Tracking Options with only functional and necessary tracking on

Screenshot showing BT cookie and tracking settings with only necessary tracking enabled

  • The language does not use technical jargon: ‘cookies’ are mentioned with a link to another resource, not a wordy explanation
  • The copy describes the tracking in terms of benefits to the visitor
  • The sliding control shows which ‘benefits’ have been lost as the tracking is reduced which might encourage people to turn them back on

That’s impressive. The interface avoids a simple ‘yes’ or ‘no’ choice and pulls off something much more complex which may still allow them to record some valuable data. Visitors choose between the levels of ‘intrusiveness’ specified in the guidance on the directive, in a way which does not use complex language and encourages people to turn off less of the tracking.

Plenty of other solutions will appear as models during the next few months.

The need may also only be relatively short-lived. The browser developers will introduce functions for this kind of thing in due course since concerns about tracking are international.

But there will be a considerable gap before a universal solution such as that appears.

So you do need to do something now.

EU Cookie Law Resources

Official Guidance

The ICO’s Official Guide [.pdf Download]

Updates and Discussions

Acknowledgements

Although there’s no obvious article for me to link to, it seems wrong to write anything on this subject without crediting some people who have put notable efforts into covering the subject:

  • Vicky Brock from Highland Business Research is responsible for the Freedom of Information request which obtained the famous data on the ICO’s 90% drop in recorded visits after they implemented their cookie opt-in. Vicky is also a member of the board of the Digital Analytics Association.
  • Phil Pearce has been compiling research and resources on this subject for a long time. He’s maintaining the material he has curated in a Dropbox which he shares with interested parties. You can contact Phil via his LinkedIn profile: http://www.linkedin.com/in/philpearce

{ 4 comments… read them below or add one }

Vincent April 6, 2012 at 8:30 am

Good article detailing the new cookie law, and great example/case study.
Thank you.

Wolf Software April 25, 2012 at 7:06 am

Wolf Software have created a number of solutions to allow companies and individuals to gain consent from users before delivering cookies.

Demos and downloads available at http://demo.dev.wolf-software.com

David May 1, 2012 at 9:14 am

If we’re confident that a universal solution appears like you said, why don’t we just wait? It’ll take a long time and money for all of us small businesses to implement our own solution to this law so why can’t we just wait? This law has been incredibly badly thought-out and criminalises small websites that aren’t harming anyone whilst the big scary privacy perpetrators like Google and Facebook go free.

This law needs more thought before we start fining small companies who aren’t a problem. We created a protest site against the cookie law at http://nocookielaw.com please sign the petition if you disagree with the law.

Wolf Software May 4, 2012 at 10:44 am

David,

You can download and use any of our solutions for free, and most of them simply drop right into a site to resolve the issue, so it shouldn’t cost anything but a little time to become compliant.

Our solutions are in use by companies such as Heinz and have all been verified by the ICO.
