On 26 May 2011 the Information Commissioner’s Office (ICO) issued new rules about the use of cookies and similar technologies on websites for the storage of information.
This new law is intended to increase the level of protection internet users have over their privacy, and it will be enforced over a period of one year.
Essentially, you will need a user’s consent if you want to store a cookie on their device, but the way you use cookies and how these affect your users’ privacy also have a big role to play.
What is a Cookie?
In internet speak a cookie is not a delicious snack but a small file used to store user data in a browser. Cookies are small text files made up of letters and numbers that are downloaded onto internet users’ devices to remember their website preferences and choices.
Some cookies are required for certain functions and, on the whole, they enhance the user experience. If you visit a website that uses cookies, it may download a cookie to your browser to store information about you, which it can then read back if you re-visit the website.
Example: The first time you visit a dual-language website you make a choice to view the website in English. The website downloads a cookie to your browser stating that English is your preferred language. The next time you visit the website it accesses the cookie it stored on your browser and automatically sets the language to English.
While this example enhances your experience, some cookies are required to make the website function at all. An e-commerce website, for instance, needs cookies to track which items you have added to your shopping basket.
The law
Formerly, the law required you to tell people how you use cookies and also how to opt out of using cookies. Most sites do this by putting the necessary information in their privacy policies.
The new law requires businesses and organisations operating websites in the UK to get consent from visitors before they store and retrieve information on users’ computers. It has been suggested that one way to achieve this would be to put a welcome message on the website informing the user about cookies and allowing them to click to either accept or decline their proposed use.
The only exception to this rule is where the cookies in use are necessary for a service requested by the user. As previously mentioned, one example would be a cookie used in an online store to ensure that, when a user has chosen products they want to buy and clicked ‘add to basket’ or ‘checkout’, your site remembers what they chose on the previous page. As this is necessary for the fundamental function of the website, you wouldn’t need to get explicit consent.
How to comply
The ICO has declared that it will give website owners one year to comply with the cookies law. So, by the end of May 2012 you need to be sure that your website isn’t contravening these rules.
Which cookies do you use?
The first step in attempting to comply with the law is to identify which cookies you use on your website.
- How many cookies are in use?
- What are they used for?
- How do they work?
- Do you even need them?
Many websites are the result of years of development, and some of the cookies and functions may no longer be needed. This is a good opportunity to carry out a thorough audit of your website and identify areas for improvement.
Impact
Once you have identified which cookies you use, you need to think about the impact they have on the privacy of your users.
- Do they store personal information?
- Do they track user habits?
- Are they necessary for the website to function?
Once you have addressed these questions you can think about how to obtain consent from your users, if any is needed of course.
Consent
There are a number of ways to get consent for your use of cookies from users. When you decide on a method it’s important to consider who is using your website, how this addition will affect their experience and how you will integrate the consent message with your existing web design.
Examples:
- Pop-up message when a user first lands on your website. This would disappear after consent has been given/declined.
- Discreet message at the top of your webpage. Again this would disappear after consent has been given/declined.
- Permanent message in your website template e.g. a box next to your contact details.
Or any variation on the above.
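The two rules above, the "necessary" exception and a consent message that disappears once the visitor has decided, can be enforced in the page's own script. The following is an added example written for this article, not code from Ballyhoo's systems; the cookie names, the in-memory stand-in for document.cookie, and the one-year lifetime are assumptions for illustration.

```javascript
// Added example: consent-gated cookie writes. Cookies are split into
// "necessary" ones (the basket, plus the record of the consent decision
// itself) and optional ones such as the language preference, which are
// only written after the visitor has accepted.

// Names assumed for illustration; a real site lists the results of its own audit.
const CONSENT_COOKIE = "cookie_consent";
const NECESSARY = new Set(["basket", CONSENT_COOKIE]);
const ONE_YEAR = 31536000;

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Stand-in for document.cookie so the logic runs outside a browser.
// In a page use: { get: () => document.cookie, set: s => { document.cookie = s; } }
function memoryCookieStore() {
  const jar = {};
  return {
    get: () => Object.entries(jar).map(([k, v]) => `${k}=${v}`).join("; "),
    set: (s) => { const p = s.split(";")[0]; const i = p.indexOf("="); jar[p.slice(0, i).trim()] = p.slice(i + 1).trim(); },
  };
}

// "accepted", "declined", or "unknown" (no decision recorded yet).
function consentState(store) {
  const v = parseCookies(store.get())[CONSENT_COOKIE];
  return v === "accepted" || v === "declined" ? v : "unknown";
}

// The message is shown only until a decision has been made, then disappears.
function shouldShowBanner(store) { return consentState(store) === "unknown"; }

// Remember the decision. This cookie is itself necessary: without it the site
// could not honour a refusal on the next page load.
function recordConsent(store, accepted) {
  store.set(`${CONSENT_COOKIE}=${accepted ? "accepted" : "declined"}; Path=/; SameSite=Lax; Max-Age=${ONE_YEAR}`);
}

// Returns true if the cookie was written. Optional cookies are dropped unless
// the visitor has accepted; necessary cookies are always written.
function setCookie(store, name, value, maxAge = ONE_YEAR) {
  if (!NECESSARY.has(name) && consentState(store) !== "accepted") return false;
  store.set(`${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Max-Age=${maxAge}`);
  return true;
}

function getCookie(store, name) { return parseCookies(store.get())[name]; }
```

Note that a "declined" decision still has to be stored somewhere, otherwise the message would reappear on every page and the site could not tell a refusal from a first visit.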
Resources
Cookies Regulations and the New EU Cookie Law
ICO Guide: Changes to the rules on using cookies and similar technologies for storing information
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
Open Letter by Ed Vaizey in conjunction with the Department for Culture, Media & Sport
Ballyhoo will be more than happy to help you answer the questions in this article and, if required, help you comply with the new cookies law.
Full disclosure of the methods used to store user information in our core systems Ballyhoo Commerce and Ballyhoo Refresh is available on request.