The EU’s Half-Baked Cookie Law Goes into Effect Tomorrow for the UK


Mmmm, cookies. Who doesn’t like cookies?

Well, the European Union, it seems.

Tomorrow marks the day when websites based in the UK are “technically” supposed to be compliant with the new Privacy and Electronic Communication Regulations (in order to be in line with the EU’s e-Privacy Directive).

Although commonly referred to as the “cookie law,” the regulation reaches beyond web cookies and is meant to increase transparency about user tracking. In short, the law requires website owners to get permission to track the activity of users on their site unless the tracking is vital to the operation of the site, as would be the case for keeping items in a shopping cart, for example. In circumstances such as these, consent may be implied. (More on this distinction later.)

 

Why is D-Day Only “Technically” Tomorrow?

So, why did I say tomorrow “technically” marks the day for compliance? Well, except in some egregious cases where complaints are received, or perhaps for a handful of the larger players, it looks as if this cookie law may have no real byte. (Do you really want to know how many puns I can squeeze into one sentence?)

According to an article on ZDNet UK, deputy information commissioner David Smith from the Information Commissioner’s Office (ICO) said recently, “All we are doing is removing the moratorium, so that any non-compliance is considered as non-compliance. It’s most unlikely that cookie’s non-compliance will attract monetary penalties, unless you have reached criteria about a serious breach or have caused substantial distress.

“Enforcement is likely to be enforcement notice, which places a requirement on an organisation to stop using cookies.”

On top of this, according to a report by the BBC, it turns out that “the ‘majority’ of the UK government’s own websites will fail to comply in time.” Perhaps they’ve already got too much on their plates. (Sorry.)



 

How to Comply with the Cookie Law

Although it looks as if this law may have no real consequences for the time being, eventually there may come a day where its enforcement is taken more seriously. Technically, one could face up to £500,000 in fines. That’s a lot of dough for a few cookies. (Sorry again. I’ll stop.)

Of course there may also come a day when no one will remember the law was ever created.

The ICO has put out a PDF guide for compliance that is fairly straightforward and easy to digest. (Did you really think I’d stop?)

We’ll go over a few of the more important points from the PDF if you still have the appetite for it.

 

First is the idea behind the law itself:

(From the PDF)

a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment-

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)

 

Your responsibilities as a website owner:

(From the PDF)

Those setting cookies must:

  • tell people that the cookies are there,
  • explain what the cookies are doing, and
  • obtain their consent to store a cookie on their device.

 

Exceptions to the requirement:

(From the PDF)

There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

 

And finally, some examples of “likely” exceptions and “unlikely” exceptions:

(From the PDF)


 

WordPress Plugins

Of course some clever plugin developers have already cooked up some WordPress plugins that will try to help you gain consent from your visitors. I found a few, and no doubt there will be more.

1. Cookie Law Info Plugin – This adds a bar to the top of your site.

2. Cookie Warning Plugin – This presents your visitor with a pop up upon arrival.

 

No More Fun

OK, no more puns and no more fun. Now it’s time for you to go off and decide if you need to start complying with these new laws. For now, it seems that probably only those in the UK will have to look into all this a little more closely. But there may come a day when countries outside of Europe begin adopting similar laws.

It’s not fun — no. But it is becoming reality. It’s simply something website owners will have to deal with. And you know what they say: If you can’t stand the heat ….


 

Photo: Group Of Chocolate Chip Cookies from BigStock


Comments (6)

  1. This really is just taking the biscuit, is there a crumb of evidence that a cookie has ever caused anyone harm? It just seems to me like another half-baked idea from that bunch of Euro pen pushers.

  2. Thanks for featuring my “cookie law info” plugin :)

    When deciding on my approach I found this article very interesting:
    http://econsultancy.com/us/blog/9453-econsultancy-s-solution-to-eu-e-privacy-directive-compliance

    Ultimately website owners must balance the level of compliance they see fit, the user experience they wish to provide, and the likelihood of the ICO taking action against them. All whilst keeping an eye on their competition: why be at a disadvantage? A plugin that diverts you to Google if you decline cookies is probably 100% compliant but really- is that the right way to go? I’m sure it is for some, it’s not a criticism of the approach. But it’s not an approach I’m comfortable with.

    The real challenge for WordPress website owners is that you can’t control the code on all of your plugins in the same way that the BBC or BT (www.bt.com) can. With 20,000 available that would be a lot of integration for one plugin author. There are plugins out there that have accept / decline buttons but when you peek under the hood they are only sniffing for Google Analytics so aren’t strictly compliant according to the letter of the law. The WordPress comment_author_ series of cookies are also considered ‘somewhat intrusive’ but I’ve yet to see a clean way to intercept them (you can retrospectively delete them though).

    An interesting solution is to ‘wrap’ JavaScript cookie calls to check for a cookie which registers consent. The next version of my plugin may well offer this. But this still does not guarantee compliance as there are other ways cookies can be set. I’d be interested to see if WordPress will add an action hook for cookie events, so we can determine if we have consent before they are set. That would be a great solution, but plugin developers would have to implement it.

    So personally I think a simple notice saying “we have updated our privacy and cookie policy” is an effective way of entering into the spirit of the law whilst maintaining a good user experience. It’s an approach taken by a number of major sites so far.
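
The wrapping approach described in the comment above, as an added example (not part of the original comment or of any plugin's code): script writes to `document.cookie` are dropped until a consent cookie is present. The cookie names `cookie_consent` and `cart` and the stand-in document used to run it outside a browser are assumptions; cookies set by HTTP `Set-Cookie` response headers never pass through this wrapper.

```javascript
// Added example. CONSENT_NAME and ESSENTIAL are assumed names, not taken
// from WordPress or from any plugin mentioned on this page.
const CONSENT_NAME = "cookie_consent";
const ESSENTIAL = new Set([CONSENT_NAME, "cart"]); // "strictly necessary" cookies

// Locate the accessor that implements `cookie` (Document.prototype in browsers).
function findCookieDescriptor(doc) {
  for (let o = doc; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, "cookie");
    if (d && d.get && d.set) return d;
  }
  throw new Error("no cookie accessor found");
}

function hasConsent(cookieString) {
  return cookieString.split(";").some((p) => p.trim() === `${CONSENT_NAME}=yes`);
}

// Shadow doc.cookie with a gate; returns the (live) list of blocked cookie names.
function installConsentGate(doc) {
  const native = findCookieDescriptor(doc);
  const blocked = [];
  Object.defineProperty(doc, "cookie", {
    configurable: true,
    get() { return native.get.call(doc); },
    set(value) {
      const name = String(value).split("=")[0].trim();
      if (ESSENTIAL.has(name) || hasConsent(native.get.call(doc))) {
        native.set.call(doc, value);
      } else {
        blocked.push(name); // write dropped until consent is recorded
      }
    },
  });
  return blocked;
}

// Constructed stand-in for a browser document so the example runs under Node.
function makeFakeDocument() {
  const jar = new Map();
  return Object.create({
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join("; "); },
    set cookie(s) {
      const pair = String(s).split(";")[0];
      const i = pair.indexOf("=");
      jar.set(pair.slice(0, i).trim(), pair.slice(i + 1).trim());
    },
  });
}
```

In a browser, `installConsentGate(document)` has to run before any other script on the page for the gate to see their writes.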
