Nichola Jenkins

About Nichola Jenkins

Cookies on your website

Cookies

If you run a business which operates a website, you will probably have heard of the new “Cookies Directive” which came into force during May last year, but you may be wondering what it all means in practice.

There is a certain amount of official guidance and commentary available online, but much of this is fairly lengthy and may leave you wondering what exactly you should be doing to comply with the Cookies Directive, and what will happen to you if you don’t.

What does the Cookies Directive say

Essentially what the Cookies Directive says is that a website operator must obtain positive consent from a user of its website before any cookies are set on that user’s PC, laptop or other device. Consent must be on an “opt-in” basis, so you cannot simply tell users to block cookies by adjusting their browser settings.

What must you do to comply with the Cookies Directive?

These simple steps should help you to achieve compliance with the Cookies Directive.

1          First things first

It is a good idea to start by looking at what actually happens when users access your website. You should carry out an audit of all of the cookies which are set by your website, to identify which cookies are really necessary and clarify what they are used for. You might find that some cookies relate to old or unused features of your website or serve no useful purpose, and the best strategy is to delete these.

Those cookies which are necessary and relevant to your website will tend to fall into one of four categories:

  • Strictly necessary cookies are essential for a user to move around your website, use particular functions or access secure areas of the website. Cookies which are used for shopping baskets or electronic payments are strictly necessary cookies.
  • Performance cookies collect information about visits to a website and the information collected is usually anonymous and aggregated. Cookies set by Google Analytics are performance cookies.
  • Functionality cookies remember information or choices entered by a user, such as login details, location or preferred language, and enhance the user’s experience.
  • Advertising or targeting cookies which are considered to be the most invasive type of cookies are used to collect information about a user’s preferences and deliver targeted advertising. The information which they collect can be shared with other advertisers.

It is likely that your website will use a mixture of strictly necessary, performance and functionality cookies.

2          Be transparent

You should inform the users of your website in clear and simple terms what cookies are set by your website and what they are used for. It is good practice to have a separate cookie policy available from a link on each page, which describes in some detail what cookies are set and why.

You can describe the cookies which your website uses with reference to the categories described above.

3          Deliver notices appropriately

There are various available methods which can be used to inform users about the types of cookies which your website uses:

  • dialogue boxes or pop-ups can be set to appear either at the start of a user’s browsing session or when a user wishes to use a certain feature or function which requires cookies to be set. Pop ups can be locked so that the user cannot continue until they have responded, or can remain visible until such time as the user responds to it. Pop ups can be invasive, so should be used sparingly.
  • Status banners can be displayed as a header or footer either on the home page or every page. However, status banners have in some cases proved to be counter productive. The Information Commissioner’s website suffered a 90% drop in its analytics information after using a banner as a means to obtain consent to setting cookies. If cookies are important to the working of your website, a pop up might form a better incentive for the user to give their consent.
  • Warning bars are similar to status banners but appear whenever cookies are about to be set and where consent is required. A warning bar can be set to lock the page until the user has responded.
  • A link to terms and conditions is risky in terms of compliance as this requires each user to read and agree to terms and conditions of use before any cookies are set. However, this method is unlikely to be considered intrusive and can be relevant in certain circumstances, perhaps where only functionality cookies are used.

4          Obtaining consent

Website users must give their consent to setting of cookies, after they have been provided with information about them and what they do. Consent must be a positive action, and should be used alongside or in conjunction with one of the following methods:

  • Tick box 

“I agree to you setting these types of cookies on my device”

  • Permission to continue use of website or specific functionality 

“By using [our website] OR [this feature], you agree that we can place these types of cookies on your device”

  • Acceptance of terms and conditions

“I have read and agree to the terms and conditions, and I agree to you setting cookies on my device”  o.

Where invasive targeting cookies are used, consent should be clear and unequivocal through use of a tick box.

You need to obtain the user’s consent before setting each cookie. So if you want to obtain consent in one simple step you must, provide appropriate information and receive consent about all of those used.

However, you might wish to split out the process so the user can choose to accept certain cookies but not others.

You do not have to obtain consent before setting strictly necessary cookies, but please be careful about what you class as “strictly necessary”. If the website or a feature will still function even to a limited degree without a particular cookie it is probably not strictly necessary.

Even if your website only uses a few session cookies of an aggregated or anonymous nature, (such as Google Analytics) you still need to obtain consent before these are set, although the Information Commissioner has indicated that he will not prioritise action against non compliance in respect of Google Analytics cookies.

5          Incentivise your users

You should consider the effect on your website or business if you cannot set particular cookies. If you use cookies to enhance the user’s experience of using your website or allow the user to use certain features, you can explain this in an appropriately worded notice and ask the users to give their consent at that point. It is unlikely that a user will respond negatively where the user benefits by cookies being set.

There can be a fine balancing act between “incentivising” a user to give their consent to cookies, and making sure the user experience is not unduly spoilt.

Whichever method you decide to use, you should take a pragmatic approach and find a balance having regard to the number and type of cookies used, whether users will respond to notices in banners, website experience and of course the risk or effect on the business in the event consent cannot be obtained.

You only need to obtain consent once for any particular user of a cookie so a user’s consent to receive particular cookies will apply to future visits to the website unless the user then “opts out” of receiving cookies.

At the risk of stating the obvious, where a user declines consent for any cookies to be set, you must make sure your technology does not allow them to be set.

6          Not my cookie – not my problem?

            You might find that your website sets cookies on behalf of a third party – whether as part of the underlying technology of your website, a third party software application or a third party advertiser. Of course it may be difficult to control these, but you are still responsible for obtaining consent before third parties set cookies through your website. You should therefore ensure your partners and advertisers are on board and comply with the law, and most importantly that if a user does not want to receive those third party cookies, they can be switched off.

7          What about browser based compliance

Browser based compliance relies on a user setting his or her browser to accept or reject different types of cookies. This will place less reliance on website operators.

Although browser based compliance is thought by the Government and Information Commissioner to be a possible appropriate method for obtaining consent, the currently available browsers are not adequate to appropriately address the issue of positive consent. The Government has been working with browser manufacturers to explore whether browser settings can be enhanced to give more information and enable proper consent to be given, and as updated versions of browsers become available, this may help with compliance.

However, businesses should avoid the temptation to simply sit back and wait for browsers to become available and should act now in order to achieve compliance.

What if you don’t comply

The Information Commissioner (who is responsible for all UK data protection matters) is designated to act as the “Cookies police”. In May last year he announced that there would be a 12 months grace period in order for website operators to take action in respect of their cookies compliance. The grace period ends on 26 May 2012, and after that the Information Commissioner may start to take action against website operators who have made no effort at all to comply with the Cookies Directive.

Although the Information Commissioner has the power to award large financial penalties of up to £500,000, it is unlikely that he will do so immediately where he discovers a website operator has failed to obtain consent before setting a single performance cookie. However, it is likely that we will start to see evidence of investigations and the issue enforcement notices against non-compliant website operators, who risk their reputation as responsible businesses.