Long story short
The legislation forces websites to request permission from their visitors before cookies can be used. In the past, website visitors had to ‘opt out’ of cookies; now they have to ‘opt in’. You are likely to be affected if your website uses:
- Google Analytics or similar analytics, tracking or website optimisation tools
- Any form of "remember my settings" style functionality on your website
- A content management system (CMS)
- Third-party plugins - such as Facebook Like buttons or Twitter feeds
- YouTube Videos (even with privacy-enhanced mode)
What are ‘cookies’?
Cookies are text files that websites place on visitors' computers to store a range of information, usually specific to that visitor. This may be information such as personalisation options (such as language or font size preference settings), search, browsing or purchase history and log-in information. Cookies can be used to:
- Monitor how you use a website (known as 'analytics')
- Personalise pages and remember visitor preferences (language/font size)
- Remember what you’ve added to your shopping basket in online stores
- Remember who is logged into the website
- Track people across websites and deliver targeted advertising
Cookies are not viruses. Cookies are created when a user's web browser loads a particular website. Cookies are used for enhancing and enabling web usability or website processes. Disabling cookies may prevent users from using certain websites or website functionality.
Types of cookies
There are several types of cookie:
1. First Party Cookies
If the host name of a cookie is the same as the domain in the browser address bar when the cookie is set or retrieved, then it is a First Party Cookie.
2. Third Party Cookies
These are cookies created by third party services, such as Google AdSense, AdWords and Analytics. While you may not be responsible for creating these cookies, they are delivered via your website. Third party cookies are set by a domain other than the one being visited by the user.
3. Session Cookies
These are stored on the user’s computer until the user leaves the website, at which point they are deleted. Example: If you have to log in to a website every time you open your browser and visit it, then it is using a Session Cookie to store your login credentials. Session cookies are considered less privacy intrusive than persistent cookies.
4. Stored or Persistent Cookies
A cookie is downloaded onto the hard-drive and used to identify a visitor whenever they return. All persistent cookies have an expiry date (usually with a set lifetime of 30, 60 or 90 days); once that expiry date is reached, the cookie is destroyed.
5. Secure Cookies
Secure cookies are only transmitted via HTTPS - which you will typically find in the checkout pages of eCommerce sites. This ensures that any data in the cookie will be encrypted as it passes between the website and the browser.
Are all cookies affected?
All cookies that are not “strictly necessary for a service requested by a user” are affected. Here are some examples: If a website visitor adds an item to their online shopping cart on your eCommerce website, the cookie would be considered "necessary", because a cookie is technically required to remember that user and retain their shopping basket contents.
A cookie which is set to welcome a visitor back to your website, or to record which pages they view, would not be "strictly necessary". Session cookies to ensure the website works (such as log-in cookies) may not need compliance.
How does this affect the use of web analytics?
For most website owners, the biggest impact is going to be on websites using analytics packages such as Google Analytics. Google Analytics is used on around 60% of the top 10,000 websites on the internet. Google Analytics currently sets 4 automatic cookies (1st party cookies) to anonymously report on site visits.
Unfortunately, at the time of writing this, there is no official word from Google regarding the compatibility of Google Analytics cookies with the new regulations. So, keep an eye on the Google Analytics blog and group.
Does the Cookie Law affect me?
If you’re based in the EU, this law affects you. Websites outside the EU are required to comply with the law if they are targeting EU Member States (Example: Your website sells to the UK market or your website has a language version aimed at users in the EU). The law affects any website which uses ‘non essential’ cookies, such as visitor tracking code or advertising.
All websites across the EU are required to ask your permission to place cookies on your machine (opt in). Even if you have a simple brochure-style website but you use Google Analytics, this law affects you.
Cookies which are deemed not “strictly necessary for a service requested by a user” (visitor tracking codes, advertising and most Google Analytics tools) are illegal under the EU Cookie Law. Cookies that are “strictly necessary” (cookies used to remember which items you have placed in your online eCommerce shopping cart, or whether you’re logged in to a website or not) are allowed.
What do you need to do to comply with the Cookie Law?
The ICO has laid out clear steps it expects you to go through:
- Conduct an audit to check what cookies your website uses
- Find out what these cookies are used for and what data they hold
- Establish whether the cookies can be linked with personal data
- Find out whether they apply to the session or if they’re persistent
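The first and last audit steps can be started from the Set-Cookie headers your pages return, using the cookie types described earlier. The sketch below is an added example, not code from the ICO or from any analytics vendor. It assumes you pass in the audited site's own domain as `site`, and all host names and cookie values in it are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes); attribute names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def classify(response_host, header, site, now):
    """Classify one cookie by party, lifetime and Secure flag."""
    name, attrs = parse_set_cookie(header)
    host = response_host.lower()
    # First party: set by the audited site itself or one of its subdomains.
    party = "first" if host == site or host.endswith("." + site) else "third"
    # Max-Age takes precedence over Expires; with neither, it is a session cookie.
    seconds = None
    if "max-age" in attrs:
        seconds = int(attrs["max-age"])
    elif "expires" in attrs:
        seconds = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    if seconds is None:
        kind, days = "session", 0
    elif seconds <= 0:
        kind, days = "deleted", 0  # a past expiry tells the browser to drop the cookie
    else:
        kind, days = "persistent", seconds // 86400
    return {"name": name, "party": party, "kind": kind,
            "days": days, "secure": "secure" in attrs}

def audit(observed, site, now=None):
    """observed: (responding host, Set-Cookie value) pairs seen while loading your pages."""
    now = now or datetime.now(timezone.utc)
    return [classify(host, header, site, now) for host, header in observed]

# Constructed sample input (not captured from a real site).
SAMPLE = [
    ("www.example.com", "basket=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "lang=en; Max-Age=7776000; Path=/"),
    ("ads.tracker.example.net",
     "uid=42; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=tracker.example.net; Secure"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE, "example.com"):
        print(row)
```

The middle two steps, what each cookie is used for and whether it can be linked with personal data, still need a manual review of every row in the output.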
You’ll need to make clear to your website visitors what cookies are being used, what the purpose is, and ask for consent. The Information Commissioner’s Office (ICO) suggests using pop-ups, message bars or header bars to ask a user for permission.
The updated guidance provides additional information around the issue of implied consent. Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
We would also recommend keeping up to date with the ICO and any announcements it makes which may offer more official guidance on the subject.
How may compliance affect my website?
Unfortunately, it is very likely that the user experience will suffer for those who say no to cookies...
- You may see increased bounce rates from adding warning messages;
- You may lose valuable web analytics data;
- Website personalisation will be affected;
- Other marketing areas such as email marketing and use of advertising networks will be altered.
Pop-ups and getting users to accept your terms and conditions are a major distraction from the website’s content. Pop-ups do not lead to a great user experience and may in fact deter some website visitors from using your website.
Our thoughts on this matter...
Whilst cookies, like any technology, can be used for good as well as bad, the directive could make the web less accessible for all, unless the ICO introduces more flexibility. In our opinion, this is a perfect example of a government trying to control the web.
Cookies are everywhere and can't really be avoided if you wish to enjoy the biggest and best websites out there. We can only hope that the Cookie Law will crumble eventually...