Complying with the EU Cookie Directive




A lot of our clients have been contacting us for advice on this thorny topic. And I’ve got to say – despite reading almost every authoritative article and document on the subject that I can find, it’s definitely a tricky one. Cookie law is a perfect storm, where the complexity of web technology, well-intentioned efforts to protect individual ‘privacy’, business interests, confusion and ignorance have all collided. Not a pretty sight really.

So what we have tried to do in the following piece is make sense of it all for our clients and at the end to provide some practical advice.

Confusion

You could argue that the confusion we are faced with was inevitable when the words ‘privacy’ and ‘cookies’ came together.  After all, surely online privacy is about not having others construct or even steal your details or identity? To our knowledge, mainstream cookies have not normally played a part in that kind of activity.  Generally (and this would include all of our clients) cookies can only impact the way websites behave for you, or impact the way owners build them.  We don’t see either of these things as negative or impacting ‘privacy’.  However, where we have some sympathy – and research shows that consumers do think there is an issue – is ‘cyber-stalking’ or as someone said in the Econsultancy document: ‘. . . no-one is going to choose to opt-in to have a pair of trousers (ad for) chasing them around the Internet’.  But perhaps they should in that case be offered the opportunity?

The Law

Owners of websites that use cookies (or, importantly, store information about visitors some other way) are obliged to use them only with the visitor’s consent, that user having been provided with clear and comprehensive information about the cookies.


The legislation actually came into effect a year ago.  However, site owners have been given a year to consider what to do about it.  It is a measure of the confusion that even many big brands are probably only now beginning to consider what their strategy is.

What do we know others are doing about it?

Unfortunately for typical SMEs and most B2B site owners, there is no sign of a single approach developing among the bigger brands that you might expect to give a lead. There appears to be a complete range of reactions in the industry, from quite a few (generally anonymous) site owners at one end saying that they will do nothing, through to BT at the other end of the spectrum, who have provided a sort of app on their site that allows users to visually select the cookies they will accept and change their settings accordingly. However, they probably spent as much developing that as some of our clients have spent on their website.

What the ICO are saying and how they will enforce the Directive in the UK

First of all: what is the ICO? It is a quango – the Information Commissioner’s Office – set up to uphold data privacy (http://www.ico.gov.uk/). They have the power to impose penalties of up to £500,000 for serious breaches of the Data Protection Act 1998.

That’s the scary bit. Now the good bit: they aren’t out to get you. Firstly, their guidance on cookies is as follows:

  • Conduct an audit of cookie usage on your site
  • Assess the relative intrusiveness of each of those cookies
  • Choose an appropriate consent mechanism based on how intrusive they are

Secondly, they have taken up a friendly stance of encouragement rather than vigorous pursuit of offenders. In their own words:

“We’re here to educate and promote good practice”

“. . .we intend to enforce the law proportionately”

They have also stated that they will only act on complaints, that they would probably advise an organisation before prosecuting it, and that you’re unlikely to get into trouble if the only cookies on your site are analytical tracking ones.

Your options – what should you do?

Although we have some national brands in our client list, they haven’t come to us for advice, so if you have read this far you are probably an SME and most likely a B2B one, so this advice is intended for you.

Firstly, if you haven’t, try to audit your site to determine what cookies it is serving (Give us a call if you would like us to do this for you).

We think that (in simple terms) there are four types of cookie that could exist on a site:

1. A functional cookie – that enhances the usage or individual experience you have on a website (example – remembers what you put in a website shopping basket)

2. Google Analytics cookie – That allows you to track aggregate usage of your website.  Innocent because Google prevents you from tracking individual site visits or data
 
3. Re-marketing cookie – Less innocent arguably. Tells user browsers that you have been on certain websites and prompts other websites to serve up specific ads because of it
 
4. Advanced Analytics cookie – Allows site owners to identify individual visitors through individual tracking and cross-comparing data
 
Assuming that your site only has cookies 1. and 2. above, you really shouldn’t have too much to worry about.  However, if cookies 3 and 4 exist on your site then we think you may want to be explicit about that.

'Take it or leave it' - what you should say to your visitors

Assuming that you do not want to have an elaborate, interactive notification and opt-in process like BT, what should you do? We believe that you should signpost (reasonably prominently) your ‘Privacy & Cookie Policy’, in which you explain exactly what cookies exist on your site. If people are OK with that, they should continue to use your site. If not – they should be asked to go (or change their cookie settings).

So, if you only have cookies of types 1. and 2. above on your site, then we would recommend using this adapted version of the standard Google Analytics privacy policy text. If you find – or know – that you have cookies of types 3. and 4. above as well, we think that you will need a bit more specific text at minimum. Please contact us in that case if you need help with developing that part of your policy.


This site uses cookies. A cookie is a small text-based file given to you by a visited website that helps identify you to that site. Cookies are used to facilitate your visit as you navigate different pages on a Website or return to the Website at a later time.


This website uses Google Analytics to help analyse how users use the site. Google Analytics cookies collect standard Internet log information and visitor behaviour information in an anonymous form. The information generated by the cookie about your use of the website (including IP address) is transmitted to Google. This information is then used to evaluate visitors’ use of the website and to compile statistical reports on website activity for [Company NAME].

We will never (and will not allow any third party to) use the statistical analytics tool to track or to collect any Personally Identifiable Information (PII) of visitors to our site. Google will not associate your IP address with any other data held by Google. Neither we nor Google will link, or seek to link, an IP address with the identity of a computer user. We will not associate any data gathered from this site with any Personally Identifiable Information from any source, unless you explicitly submit that information via a fill-in form on our website.

You may choose to accept or decline cookies. Most Web browsers automatically default to accept them, but you can usually modify your browser setting to decline cookies. If you reject cookies by changing your browser settings then be aware that this may disable some of the functionality on our Website.

User’s Personal Information: Visitors to our website may be able to register to use our services, attend events, make a purchase, join a community or upload/download information. When you register, you will provide personal information such as name, address, email, telephone number or facsimile number and other relevant information. If you are making a purchase, we will request financial information including your credit card number, expiration date, and security code. Any financial information we collect is used only to bill you for your purchase. This information may be forwarded to your credit card provider. We will not disclose personally identifiable information we collect from you to third parties without your permission except to the extent necessary, including: To fulfill your requests, to protect ourselves from liability, to comply with the terms and conditions of our internet host provider.

3rd Party Policies

Related services and offerings linked to or from this website have their own privacy statements that can be viewed by clicking on the corresponding links within each respective website. Since we do not have control over the policies or practices of participating merchants and other third parties, we are not responsible for the privacy practices or contents of those sites. We recommend you review their policies before you provide any personal information or complete any transaction with them.
If you are unsure of any of this information or would like to know more, please contact us. If you do not wish to receive cookies from our site, please alter your computer cookie settings to disallow them or do not use our website.
 
Useful documents:

ICO Guidance on the use of cookies and similar technologies
 
