Mmmm, Cookies (and the Law).

by Steve

The ICO last year announced new law in line with an EU directive intended to protect privacy of users online.  

There won't be any changing the ICO's mind, since there has been requests / lobbying to ask for amendments for the last year, to no avail.  It's all very wordy, but the practical upshot is this:

You can't use a cookie on a website without asking the user.

So without consent, the following will be illegal:

• Google Analytics
• PHP Session Cookies (used for logging in / out of admin systems)
• Email Tracking (Campaign Monitor, MailChimp, etc)

It's not all doom and gloom, since all we have to do is ask the users if we can store a cookie.  The bad news is this will mean re-engineering existing websites to NOT store a cookie if the user should say no.

And we have checked - it is not legal to imply consent by use of the terms & conditions (Ie: by using this site, you consent to let us use cookies) - we have to actually ask.

This is a huge problem purely because of the sheer volume of sites that are out there. We doubt you will be the first to be sued or taken to court for not asking users, but somebody will. So as of today you need to think about how you can implement these changes easily on your website.

Further reading

There is a useful article on the Guardian talking about the changes: http://www.guardian.co.uk/technology/2012/apr/13/new-law-cookies-affect-internet-browsing

It makes the point that by following the ICO's solution and asking the user to tick a box opting in for cookies, it could reduce the number of users accepting tracking by more than 90%. Which doesn't really bode very well for clients wanting to know how many users are viewing their website. 

However other sites, such as bt.com, will display a prominent message asking users if they wish to change settings, and saying the default will be to accept everything if not. Two simple solutions but could each provide very different outcomes for numbers of users opting in. 

The solution

A popup is obviously not a particularly nice way of attacking this, since most browsers block popups, and the ones that don't block them, have ad-blockers which do block them.

From looking at the ICO's own ironically clunky and uninformative solution – we have came to the conclusion that that some kind of drawer that pops down from the header of the site would work best. Its not a popup, but it is intrusive enough to require the users attention. 

Ultimately watch this space as we evolve the perfect solution – but you need to start talking to your web development agency as you're going to need to make changes to comply.

You can read about these changes from the ICO website:

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx