Cookie law part 2: Q&A
17 February, 2012
Bray Leino Yucca's Jemma Watkins presents part two of a three-part blog about the new EU cookie legislation.
In the second of our cookie blog series, we answer some of the most common questions arising from the new PECR legislation which requires websites to obtain users’ consent to store cookies on the devices they use to access the web.
This is a bit embarrassing, but… what are cookies?
We're not talking about the choc chip kind here. Cookies are small text files which, when you visit a website, are stored on your PC or device. Typically, they help a website track and “remember” information such as whether you’ve visited that website or page before, what actions you’ve performed on that website (e.g. adding items to a website’s shopping cart) and what your preferences are.
See our first blog to learn more about what the cookie legislation is and why it’s being put into place.
Does this law affect me?
The law will also affect you if you’re a web user. Expect to see all manner of overlays, drop-downs, banners, emails and so on asking for your permission to let companies store cookies on your machine.
Yes you can – you just need to ensure that for non-exempt cookies (see below) you are obtaining explicit consent from users before storing a cookie on their device.
How do I know if a specific cookie is exempt or not?
An essential cookie is one that is deemed strictly necessary for the provision of a service that has been requested by a user. Essential cookies are exempt from the legislation.
Examples of such cookies that might be exempt include:
• those used to register additions to shopping baskets on an ecommerce site
• those necessary for ensuring a user’s security (eg for online banking transactions)
• those that are required to help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers.
However, it is made explicit that cookies that will not be exempted (and so do require consent) include:
• those used for analytical tracking purposes (eg Google Analytics)
• those used for advertising purposes (eg behavioural targeting and remarketing)
• those used to recognise a user in order to provide a tailored message
But this cookie IS essential to my business – it allows me to show the user a specific message/track what they’re doing on my site so I can give them the best web experience!
Unfortunately, what might seem essential to you or your business is often not essential to the user. You’ll need to ask users to opt in to use these types of cookie.
OK - how should I ask for permission to use non-essential cookies?
There are three things you should do:
• Explain what you are using those cookies for
• Ask the user for consent
Exactly how you choose to execute this is up to you, but you need to make it prominent and clear on your site. For example, some sites are using (or planning to use) drop-down banners or overlays with tick-boxes so people can opt-in easily.
You only need to ask for consent once.
Can’t I just use an opt-out for people who don’t want cookies? I think most of the visitors to my site will want them…
No – the legislation states that you will need “explicit” consent indicated “either by a statement or by a clear affirmative action”.
A digital agency built my website; who’s responsible for ensuring it’s compliant with the legislation?
Essentially, responsibility for gaining consent lies with the person or organisation setting the cookie and for whose purposes the cookie has been set.
Ultimately you, as the website owner, are responsible, but you’ll probably need to work with your web agency to understand which of your cookies are essential and thus exempt, and which are not, and reach an agreement on how you’ll ask for permission from users for any non-exempt cookies.
In the case of third-party cookies, it is suggested that both parties (the cookie setter, i.e. the agency, and the owner of the site on which it is set) are responsible for gaining consent.
We’d recommend talking to your agency about how to become compliant as soon as possible if you haven’t already.
Without storing cookies for specific users, won’t I just be showing people who don’t accept cookies the same message asking them to consent every time they visit my site?
Potentially, yes. It’s worth exploring the things you can do to encourage users to opt in. How can you build trust with users? How can you convey to them how using cookies could make their web experience better? You could even consider restricting access to specific content online for people who haven’t opted in, although this is a risky plan which could alienate users.
What happens if I don’t have everything in place by 26th May?
Don’t panic; while the maximum fine is £500,000, this is only if a breach of the law has caused “substantial damage or substantial distress”. In other words, you’d probably have to be using the force of cookies for evil to face a fine like this.
You will, however, need to demonstrate that you are at least “moving towards” compliance, and ultimately failure to comply will be classed as a criminal offence.