The EU Cookie directive comes into force for UK-based websites on 25th May 2012. This directive came into force for some other countries in the EU a year ago, but the UK government gave website owners here an additional year to make their sites compliant, whilst at the same time hoping that the directive itself was clarified.
What does the EU Cookie Directive say?
Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information
What does the EU Cookie Directive mean in practical terms?
From 25th May, all websites must tell visitors if they employ non-essential cookies AND must get explicit permission from visitors to store those cookies on their computer. This clearly has implications for many thousands of website owners, given that the majority of websites use cookies.
The choice of how you deal with this directive is yours as website owners, but here are our thoughts :
Implementing the directive is likely to adversely impact your website traffic, as more people will click away from your site rather than accept the cookies. This is irrational on the part of the visitor, because they are likely to be visiting many other websites that are operated outside the EU, or which don’t disclose their use of cookies, but nonetheless is likely to discourage some from entering your website;
If you are using usage tracking systems, such as Google Analytics, your stats are in future likely to grossly under-report your real traffic. The reason for this is that website visitors that arrive at your site and don’t accept your cookies will not be tracked (that’s the whole point of the directive). Anecdotal evidence from other website owners suggests that your reported Google Analytics traffic might fall by as much as 80%-90%;
The directive will put those that comply with it at a disadvantage to those who don’t… although they may avoid a fine!
Most website owners will not implement the directive, either through ignorance, or defiance, or simply because they don’t know how to implement the changes (or think they will cost too much);
A few website owners will have action taken against them;
Is your website affected by the new EU Cookie Directive?
Most websites use cookies. However, some cookie use is exempt from the directive, such as cookies that are used to provide a user function that would not be possible without the use of the cookies. For example, a shopping cart system would be expected to use cookies to store the contents of the cart while the visitor was shopping, and to ensure that when they went to checkout the contents of the cart were available.
However, the use of 3rd-party cookies such as those that track visitor usage of the site, are caught by the directive. This means, for example, that if your site uses Google Analytics, Adwords or Adsense code, the directive applies to you.
If you want to comply with the directive, what should you do?
Based on our current understanding, to properly comply with the directive, you need to either :
Remove the use of all non-essential cookies from your website;
or
Inform your visitors as soon as they arrive at your site that you use cookies; Offer them an opt-in (so they confirm they are happy to use the site in the knowledge that you are depositing cookies on their computer); Tell them what cookies you are using and what they are used for; Bear in mind that visitors can arrive at your site on any page, so this declaration needs to be visible on every page;
In any case, it might be prudent to involve your website developer or to get an independent audit of the cookies in use on your website. Implementing the changes on your website to comply with these directives might just take an hour or two to assess and complete.
We can do this for you
We are not happy that this directive is coming into force. It creates additional work for us which, unfortunately, has to be paid for by our clients. If our clients want us to audit their site for cookie usage, and subsequently to change the website to comply, then we will need to charge for this work.
Our expectation is for a typical cookie audit to cost no more than £20+vat, and making appropriate compliance changes to your website will cost in the region of £40+vat – £80+vat. For larger, or more complex sites, this may be higher, but we will always discuss the costs and implications with you first.
Bear in mind that it’s not necessarily just a case of installing a plugin or other supplied code into your website. To do the job properly we think you need to :
Ensure you have a prominent notification on every page of your website to let your visitors know that you store cookies on their computer;
Give visitors the opportunity to understand which cookies you use and how you use them. We do this in the example site by pointing them to our privacy policy;
Allow visitors to confirm that they are happy to accept your cookies… and make sure you only store the cookies if they have accepted them – this might mean adding a little extra code to ‘wrap around’ your cookie creation process;
If your site allows login or commenting ability (and this process generates cookies), add a short bit of text at the login stage or above the comments area just to gently advise your visitors that this will generate a cookie;
EU Privacy Directive – Update to post : 26/05/2012
According to a Cookie Law report on the BBC website this morning, the ICO (the Information Commissioner’s Office) are now saying they will offer help to non-compliant sites, rather than take legal action against them. The ICO has also updated their policy so that organisations can use “implied consent” to comply – meaning users do not have to make an explicit choice. Instead, their continued use of a site would be taken to mean they are happy for information to be gathered.
This is quite a change, and one which the BBC website itself has already taken on board by merely displaying a banner at the top of the page saying they use cookies and offering visitors the chance to find out more about those cookies or to just continue browsing the site and (by implication) be happy about the cookies. The banner only seems to appear once and disappears on subsequent pages (and I didn’t see it on their mobile website at all).
In addition, the BBC website had already dropped 3 cookies on my computer BEFORE I had even had the chance to read the banner. Taking a closer look at these – one appeared to be a tracking cookie (BBC-UID) that the BBC placed in their ‘absolutely necessary’ cookie category (which I think is a little suspect), ‘S1’ an analytics performance cookie, and the other (CKNS_policy) that isn’t in their cookie privacy policy at all. I’m not pointing this out to bash the BBC, but just to highlight how difficult it is for organisations to comply with the directive, and also how confusing the whole thing is.
How are you handling your own EU cookie directive changes?
The major problem with all of this is that it creates bad user experience. Try visiting the Telegraph website on an iPad to get an idea of what I mean. Another example of poorly thought out EU legislation putting EU hosted websites at a disadvantage compared to websites hosted outside the EU which don’t have to comply. Rant over : )
I completely agree Graham. The genuine sites that comply with the EU directive put themselves at a disadvantage by getting less traffic and user engagement compared to the real problem sites that will carry on regardless (whether they are in the EU or not).
very helpful, thank you
The major problem with all of this is that it creates bad user experience. Try visiting the Telegraph website on an iPad to get an idea of what I mean. Another example of poorly thought out EU legislation putting EU hosted websites at a disadvantage compared to websites hosted outside the EU which don’t have to comply. Rant over : )
I completely agree Graham. The genuine sites that comply with the EU directive put themselves at a disadvantage by getting less traffic and user engagement compared to the real problem sites that will carry on regardless (whether they are in the EU or not).
Thanks for taking the time to comment.