We are getting emails from concerned clients who have been contacted by third parties informing them that they will be sued and fined up to £500,000 if they are not compliant by the deadline.
I thought I would write a post in order to put minds at ease.
The ICO insisted this weekend was not a deadline, but an attempt to help companies focus on their general cookie use.
“We never said was that if you’re not compliant by 27 May we will come and get you,” Mr Evans told the BBC.
“What we want is good compliance, not rushed compliance. If it’s focused people’s minds, that’s a good thing.”
The government websites themselves are not yet compliant and are looking to become compliant at the closest possible opportunity.
However, today I have read that they are not.
The ICO have said that the ambiguity is there to enable websites to interpret the rules to best suit their own audience and website design.
Which in our industry is not very helpful. Web developers have spent many years across countless sites optimising for success, having tried and tested measures to make sales or generate enquiries. Not knowing if a website has to, by law, have an extra step in the sales process to allow for opt in of cookies is not very helpful. The effect on sales, conversions or ROI of that extra step could be catastrophic, meaning the majority of sites will sit and wait, unwilling to put in this extra step if it is unnecessary as they do not wish to be the first to lose business especially in such a harsh economic climate.
Also many smaller companies who do not know if they comply with the law already do not have the resources to test systems and produce an elegant solution to the problem that is undamaging to their business. Many are waiting for the larger businesses with the resources to apply solutions first, as this will set precedent over how to comply and everyone will likely follow suit and optimise over time.
Onto the details of the law and the guidance given.
The ICO have produced a 31 page document of guidance
I will copy many of the most important bits below:
This is what the law requires:
a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)
There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Activities likely to fall within the exception
- A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
- Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested – for example in connection with online banking services
- Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers.
Activities unlikely to fall within the exception
- Cookies used for analytical purposes to count the number of unique visits to a website for example
- First and third party advertising cookies
- Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored
The majority of websites that we deal with will mainly be focusing on gaining compliance around cookies for analytical purposes and first and third party advertising cookies.
The BBC today launched its own solution to this problem, with the use of a status bar at the top of the page giving visitors information on which cookies are being applied and why. It also links to a page giving the visitor control over the cookies that will be placed on their computer and a description of each cookie.
As usual the BBC have come up with an elegant enough solution which gives power to their visitors. The solution and level of control given may be outside the realms and resources of many small businesses but achievable by larger ones.
Inform your visitors
If you are using Google analytics and wish to inform your visitors of which cookies are being set and why then below are the names and descriptions:
- __utma Cookie
- A persistent cookie – remains on a computer, unless it expires or the cookie cache is cleared. It tracks visitors. Metrics associated with the Google __utma cookie include: first visit (unique visit), last visit (returning visit). This also includes Days and Visits to purchase calculations which afford ecommerce websites with data intelligence around purchasing sales funnels.
- __utmb Cookie & __utmc Cookies
- These cookies work in tandem to calculate visit length. Google __utmb cookie demarks the exact arrival time, then Google __utmc registers the precise exit time of the user.Because __utmb counts entrance visits, it is a session cookie, and expires at the end of the session, e.g. when the user leaves the page. A timestamp of 30 minutes must pass before Google cookie __utmc expires. Given__utmc cannot tell if a browser or website session ends. Therefore, if no new page view is recorded in 30 minutes the cookie is expired.This is a standard ‘grace period’ in web analytics. Ominture and WebTrends among many others follow the same procedure.
- __utmz Cookie
- Cookie __utmz monitors the HTTP Referrer and notes where a visitor arrived from, with the referrer siloed into type (Search engine (organic or cpc), direct, social and unaccounted). From the HTTP Referrer the __utmz Cookie also registers, what keyword generated the visit plus geolocation data.This cookie lasts six months. In tracking terms this Cookie is perhaps the most important as it will tell you about your traffic and help with conversion information such as what source / medium / keyword to attribute for a Goal Conversion.
- __utmv Cookie
- Google __utmv Cookie lasts “forever”. It is a persistant cookie. It is used for segmentation, data experimentation and the __utmv works hand in hand with the __utmz cookie to improve cookie targeting capabilities.
Cookies off by default
Thankfully if you are concerned Civicuk have created code including a wordpress plugin for opt-in cookie control.
This appears to be a good stop gap solution until customised solutions can be built for sites on an individual basis.
Be aware that disabling cookies by default will make it looks as if your site has lost visitors. The ICO website lost 90% of its traffic in analytics when it applied the cookies off by default rule because only 10% of visitors opted in.
The financial times and others have included a notice on their website informing visitors of their use of analytics tracking cookies and giving instructions on how to use their browser settings to opt out or disable cookies.
I personally like this solution as it educates the visitors in the tools that they are using to browse the website, gives a global solution across all websites to the problem, rather than on a site by site basis and puts the power firmly in the hand of the vistor.
If you are concerned and wish to speak with us around about a cookie audit and creating a custom solution for your business and website please phone our office: 0191 233 2119
or email Jo and myself (Kev) at email@example.com