The deadline for the EU Cookie Law is Saturday, 26 May, 2012. What does this mean for your business?

Executive Summary
What this means
Visitors to your website must give their consent to the use of cookies
Non-action is likely to result in penalties from the Information Commissioner's Office

Actions to take
1. Audit your cookies
2. Implement a cookie consent solution

How Prospect can help
1. Design non-intrusive cookie consent solutions for you
2. Advise on impacts to your site

In Detail

What this means
The EU Cookie Law requires visitors to your website to give informed consent to store cookies on their machines. There is an exception for cookies that are required for explicitly requested user interactions, such as shopping baskets. There are negotiations underway to give Google Analytics and similar cookies a "free pass" on the legislation; however, these seem unlikely to pass, as they would favour one analytics provider over others.

This means there is a requirement for your website to ask each visitor at least once for consent to use cookies. This is subtly different to an all or nothing opt-in or opt-out situation. The current understanding of the legislation is that you can use cookies while presenting your visitors the consent option. However, this has been understood to apply to metrics cookies rather than the more intrusive cookies for data collection.

While there are differing opinions on how to implement this, and what the impacts will be, the general agreement is that it cannot be ignored. The twelve month extension has allowed a lot more clarity on the effective rules to emerge, although there are some areas where the fine details of the practical enforcement will only be released in May. This would imply that a more conservative approach should be the preferred option. The recent update to bt.com shows an implementation of the cookie directive law, using the "implied consent" rule. However, this is a risky strategy as it has not yet been cleared as a compliance strategy by the team enforcing the new law.

The Information Commissioner's Office has announced that complete compliance will not be expected on 26 May. However, showing willingness to comply and demonstrating movement in the right direction is expected. They have announced that the "low hanging fruit" will be sites showing no effort towards compliance on 26 May, and these will be targets for penalties.

Actions to take
There are a number of simple steps that Prospect recommends you take to make compliance easier for both yourself and your customers.

1) Audit: Know what cookies you are serving to your customers and what each one does. The audit should be performed by your IT teams, and the cookies should be grouped into types: advertising, metrics, content sharing. The reason for grouping is that it simplifies choices for your customers, as you might have upwards of sixty cookies in use on your website. Reduce, consolidate and clean your cookies where possible.

Cookies grouped by intrusiveness:

Moderately intrusive
- Embedded third-party content and social media-plugins
- Advertising campaign optimisation

Minimally intrusive
- Web analytics / metrics
- Personalised content / interface

Exempt from changes to privacy regulations
- Stop multiple form submissions
- Load balancing
- Transaction specific

2) Privacy: Ensure your Privacy policy is clearly visible, perhaps even above the fold, and is updated to reflect the EU Cookie Law. It should give simple explanations for each cookie group and how you use them on your website. There are a number of good "plain English" websites you can link to giving further explanations of how cookies work.

3) Nudge: Visitors must give informed consent, but this does not have to be prior to the delivery of the cookie ("phew!"). A general consensus is that the consent request does not have to give them the details on opting out, only an option to give explicit consent. We would recommend a nudge approach, making acceptance of the cookies the default action, with the privacy policy and information about cookies secondary.

4) Frequency: The current analysis of the legal situation is that you will need to ask visitors once and once only per device. However, storing a visitor acceptance as a permanent cookie may not be practical. A solution would be a six to twelve month cookie to record visitors, so a visitor need only accept cookies once per device in a year or more of visiting your site.

Once you have decided what to do about cookies, the implementation also needs to take context into account. The solution will need to work across digital platforms and not interfere with the use of your site. The preferred option is a small banner at the top of the page, displayed until the visitor accepts the cookies, at which point the notice is hidden. This works better than a full or partial screen overlay, which is disruptive and can cause problems on some mobile devices.
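As an added illustration of steps 3 and 4 together with the banner above (example code, not Prospect's or any client's implementation), the snippet below records acceptance in a twelve-month consent cookie and only loads the non-exempt cookie groups once consent exists; the cookie name, the "/privacy" link and the SameSite attribute are assumptions.

```javascript
// Added example: a "nudge" consent banner. Acceptance is the default action,
// the privacy policy link is secondary, and analytics/advertising code is
// held back until the visitor accepts. Cookie name and link are assumed.
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_DAYS = 365; // the six-to-twelve month window from the article

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// True when this device has already accepted, so no banner is needed.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "accepted";
}

// Cookie string recording acceptance; Expires gives the once-per-year window.
// SameSite=Lax is added hardening so the consent record is not sent cross-site.
function buildConsentCookie(now = new Date()) {
  const expires = new Date(now.getTime() + CONSENT_DAYS * 86400 * 1000);
  return `${CONSENT_COOKIE}=accepted; Expires=${expires.toUTCString()}; Path=/; SameSite=Lax`;
}

// Show the banner until the visitor accepts. Exempt cookies (session,
// load balancing) are never gated; only loadNonEssential() waits for consent.
function initConsent(doc, loadNonEssential) {
  if (hasConsent(doc.cookie)) { loadNonEssential(); return "loaded"; }
  const banner = doc.createElement("div");
  banner.textContent = "This site uses cookies to improve your experience. ";
  const accept = doc.createElement("button");
  accept.textContent = "Accept cookies";
  const policy = doc.createElement("a");
  policy.href = "/privacy";
  policy.textContent = "Read our cookie policy";
  accept.addEventListener("click", () => {
    doc.cookie = buildConsentCookie(); // persists acceptance for this device
    banner.remove();                   // hides the notice
    loadNonEssential();                // analytics etc. start only now
  });
  banner.append(accept, policy);
  doc.body.prepend(banner);            // small banner at the top, not an overlay
  return "banner";
}
```

In a page this would be called as `initConsent(document, loadAnalytics)` from a script that runs before any analytics or advertising tags.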

How can we help
If you would like to talk about how Prospect can help you ensure your site is ready for 26 May, please contact Dr Jane Harrison or Anja Klüver.  

For more information on the EU cookie law:
For the full UK legislation
Information Commissioner's Office

Government examples of good cookie policy pages
Cookies at gov.uk
Cookies at Culture.gov.uk
Consumer Focus