Skip Links | Site Map | Privacy & Cookies

BlogSpot: Complying with the Cookie Law - 3 Steps to Getting Started

Is your website legal?

Of course you'd like your website to look its best, with all the latest features, but there are a few less exciting but essential elements that your business website must include, such as your company number and registered address. And there is one more thing you might have missed. From May 2012, if your website saves cookies onto your visitors' devices, you may need to ask permission.

This is because of the EU Cookie Law. This came into force a year ago, though we've all been granted an extension until May this year. And that's looking awfully big in the window...

Does it mean me?

It might. To find out, start here:

Step 1: audit your website for cookies

Find out if your website drops any cookies, and if so, what they are. You could ask your website developer for help, or have a look yourself. Try one of these approaches:

  • the View Cookies extension to Firefox - this allows you to see the cookies set by the web page you are looking at
  • the Attacat Cookie Audit Tool extension to Chrome - this allows you to page through your website while it tracks the cookies being set by the website.

Step 2: find out what the cookies do, and decide if you need to ask permission

Not all cookies need permission from the visitor. Some cookies may be required to make your website work at all; some are needed to do what your visitor wants (e.g. add things to a shopping basket, and have those things remembered until checkout).

In these cases, no cookies = no working site, and you don't need permission from your visitor.

However... are you using social media? Or adding adverts to your site? Using other interactive elements? These can all place cookies, and you will have to ask permission. Exactly which cookies will depend on your website, so you will need to check - and to check every page.

Are you collecting website statistics using analytics software such as Google Analytics? These also drop cookies. However, in April, the ICO (Information Commissioner's Office) said it was unlikely to take action in these cases.

Some of the tools suggested in Step 1 will tell you what the cookie is for and whose it is.

Step 3: update the 'privacy' page on your website

The intention of the EU Cookie Law is to help safeguard people's privacy. So you should update your privacy page to say which cookies your website is placing, including any placed by analytics software, to comply with the spirit of the law.

Examples: the DWP privacy page for an example or the Lowell Group privacy page

My site is setting cookies; how can I get permission?

There isn't a one-size-fits-all solution here, as websites vary so much in their style and function. Options include:

  • Pop-ups - a box covering the content until permission is given / refused
  • An intro page / splash screen - a page hiding the site until permission is given.
  • A drop-down / roll-over - a bar across the top that drops down, covering the content
  • A push-down / privacy pane - a section that expands, moving the content down

This is the pebble in the shoe: visitors dislike pop-ups and intro pages, but these are the most likely to be seen by your visitor, who might click away to a competitor. The others may be ignored by the visitor, meaning that consent is not actively given. So there is a risk that if you fully comply with the law, you might lose visitors and therefore money...

So what is everybody else doing?

Many people are waiting for clearer guidance from the ICO as to what will be an acceptable solution; some have come up with solutions of their own. Some companies are offering potential solutions (see CivicUK for example) but there is no easy answer.

It is important, though, that you can demonstrate that you are working on a plan for compliance.

I'm not a lawyer, so I'm not offering advice, but I think many businesses will follow the steps outlined above:

  • audit - to find out where they stand
  • reveal - on their privacy page
  • develop - a plan for compliance.

And then they'll wait before implementation, to see what will or won't be acceptable. Many of the FTSE 100 have updated their privacy pages on their corporate sites, for example, but not yet implemented any request for permission. Though do look at BT's customer site for their solution.

Whatever you decide to do in your own circumstances, you do need a plan. Or have you already found a solution that works for you?

Lancaster University cannot be held responsible for any activity by its Association Members. We display information from InfoLab21 Associate Companies on our site and we are not responsible for the content or privacy polices of InfoLab21 Associate Companies' sites, nor for the way in which information about them is treated.

Fri 27 April 2012