Not heard of the EU cookie law? Neither had I until this week. But any business based in the UK has until 26th May 2012 to start asking users’ permission before their site creates cookies. But what does this mean for bloggers who aren’t necessarily in control of the cookies their sites create?
Upon hearing about this new law I did a little research. I discovered that:
• the law doesn’t just apply to business sites; all websites need to be compliant;
• those websites need to ask a user’s permission before any cookies are created;
• WordPress, for example, creates cookies for comments, social sharing and so forth;
• Google Analytics, for example, creates cookies before the website even loads;
• there’s no off-switch for those cookies; bloggers can’t go cookie free.
It’s an ugly little picture, isn’t it? Blogging platforms create cookies whether we want them to or not and, if we want to use any analytics, some cookies will be created before we even have the chance to ask permission. With the ICO, who is responsible for enforcing this law in the UK, making it clear they can impose fines of up to £500,000 for non-compliance, you could forgive bloggers for being a little concerned.
In the words of the great Mr Douglas Adams: don’t panic.
Looking at the ICO guidelines, they seem to be taking a fairly calm approach to the new law. For instance, in respect of analytics cookies, the guidelines state:
“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
And they also state:
“The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes it difficult to obtain consent before the cookie is set. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.”
This seems to suggest that a blogger could probably get away with their blog creating a Google Analytics or WordPress cookie before asking permission.
We should also remember that bloggers are not really the intended targets here. This law has been passed to stop things like the Facebook cookie that tracks your browsing even after you’ve logged out. As long as you’ve made a reasonable effort to comply with the legislation, the ICO probably won’t be coming down on you. In fact, they’ll probably never check our sites for compliance! And by the time they do, the platforms we rely on will have reacted. They’ll be making it possible to create all of those cookies after we’ve gained permission.
So after all the fascinating research, I took a few simple steps. I installed the EU Cookie Directive plugin which displays a small window asking permission to create cookies. I checked how well this worked by using the free cookie audit tool at CookieCert. I also created a small page explaining what kind of cookies are used on this site. I decided it would be best to be as open and honest as possible without overwhelming any casual reader. What do you think? Did I do a good job?
As for this legislation, I’d love to hear your take on it. Is it a good idea to seek permission to create cookies? Or are they so integral to the Internet that it’s akin to asking if we want to see the search bar every time we visit Google? And what action will you take on your own sites?
Update: The ICO have updated their guidelines to say that implied consent is now perfectly acceptable. This means it’s now permissible to have a notice to the effect that cookies are in use on a site and that a user accepts this by continuing to use the site. This should relieve the worries of a lot of bloggers!