The possibility of being landed with a £500,000 fine is preposterous, the likelihood of your having to pay any fine is very low, you still have plenty of time to get this right, and you should just relax and take a moment to enjoy the peaceful scene above.
That's my considered view regarding the EU Privacy and Communications Directive, the 'EU Cookie Law', which comes into force on 25 May. I'm not going to provide a comprehensive introduction to the law here - there are already hundreds of good online resources available. I thought I'd just write a little post to explain why I don't think the law is going to be difficult to implement, and why I think the very simple solution I've put in place for my own site will suffice.
What is it?
A very brief recap. Last May the EU introduced a new privacy law requiring that all EU-based website owners must be much more upfront about the information their sites record about their visitors. Specifically, websites must make it clear what cookies they are setting, and let visitors block them easily.
The body responsible for enforcing the law in the UK, the Information Commissioner’s Office (ICO), has the authority to fine proprietors who wilfully ignore the law. This is where the £500,000 figure comes from: that's the maximum fine ICO can impose for serious data protection breaches.
What are website owners doing about it?
Most haven't done anything yet. As I discuss below, ICO haven't specified an approved mechanism for securing cookie consent, and it seems that most website owners and their designers are sitting back and waiting to see whether a standard implementation emerges. Many of course are hoping to continue to sit back for some time to come: just hoping that the law is withdrawn and that the issue quietly disappears.
But others have acknowledged the law is here for the foreseeable future, and a few implementations have started to appear. The most drastic involve asking the user to click a box to grant consent to the setting of cookies as soon as they enter the website. A prominent message is displayed at the top of the screen explaining that cookies are to be set, and requesting the user to click to grant permission. There's a variation: sometimes the checkbox is displayed within a dialog box that pops up like an advertisement.
The ICO website takes the first approach. On visiting the site for the first time you are presented with a box at the top of the screen inviting you to opt-in to allow the setting of cookies:
The message is accompanied by a prominent link to the ICO privacy notice where there's a brief explanation of what cookies are, and a table listing the cookies the site will set if permission is granted.
I like the detailed privacy statement. I think it is a simple matter of courtesy to make clear to users precisely what information is being recorded about them when they visit a website. Website proprietors and designers haven't done a very good job of highlighting this information till now - myself included - and the cookie legislation has served to bring that complacency to light.
But I don't like the opt-in box. I don't like it as a website user, or as a designer. I don't want to have to check a box like this each time I visit a website. And I don't want to have to add such a facility to all of my clients' websites. They certainly don't want to pay for the time it would take me to do so.
It's the fact that the law can be interpreted as requiring this sort of opt-in mechanism that is fomenting such anxiety and anger within the industry. Just take a moment to consider an internet in which every EU-based website asked you to opt in to allow the setting of cookies. Intolerable.
Not surprisingly there's evidence that many visitors won't provide consent if so prompted: ICO saw a 90% drop in measured visits after placing the opt-in notice on its website.
There's a similar, but slightly less draconian, approach, exemplified by the BT website. On visiting the site you are presented with a dialog box informing you that cookies have been set, with a link to an elegant little slider control allowing you to turn them off:
You can plug a similar solution into your own website. Edinburgh consultants CIVIC, for example, offer a jQuery Cookie Control which can be plugged into any website.
These solutions certainly look good, but they are still premised on the assumption that in order to meet the requirements of the law it is necessary to highlight the setting of cookies intrusively, as soon as the user accesses a site. Can you imagine being presented with these widgets every time you visit a new site? Users will soon tire of highlight boxes and popups, no matter how nicely designed.
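To make the three approaches above concrete, here is an added example of my own (not code from the post, nor from ICO, BT, CIVIC or the BBC): a small consent gate in JavaScript. The policy names, the `cookie_consent` cookie name and the function names are my assumptions; essential cookies are never gated, in line with Evans' remark that a cookie used only to remember essential details is treated differently from a marketing one.

```javascript
// Added example, not from the post. Default behaviour for non-essential cookies
// when the user has not yet recorded a choice, one entry per approach described above.
const POLICIES = {
  'opt-in': false,     // ICO style: nothing non-essential until the user agrees
  'opt-out': true,     // BT style: set by default, the user can switch them off
  'inform-only': true, // BBC style: footer link explains the cookies, nothing is gated
};

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decide whether a cookie in the given category ('essential', 'analytics',
// 'marketing', ...) may be set, given the policy and the visitor's current cookies.
// A recorded choice ('yes' / 'no' in the consent cookie) always wins; otherwise
// the policy default applies. Essential cookies (session id, the consent record
// itself) are never blocked.
function mayStoreCookie(category, policy, cookieString, consentName = 'cookie_consent') {
  if (category === 'essential') return true;
  if (!(policy in POLICIES)) throw new Error(`unknown policy: ${policy}`);
  const choice = parseCookies(cookieString)[consentName];
  if (choice === 'yes') return true;
  if (choice === 'no') return false;
  return POLICIES[policy];
}

// Build the Set-Cookie value that records the visitor's choice for one year.
function consentCookieValue(accepted, consentName = 'cookie_consent') {
  const oneYear = 365 * 24 * 60 * 60;
  return `${consentName}=${accepted ? 'yes' : 'no'}; Max-Age=${oneYear}; Path=/`;
}
```

In a page you would call `mayStoreCookie` before loading your analytics script, and write `consentCookieValue(...)` to `document.cookie` when the visitor clicks the box or slider.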
Some sage counsel
It simply isn't going to be a sustainable solution. Fortunately, I think, it seems very unlikely that implementations like these will be necessary. Last week a very helpful interview with Dave Evans, Group Manager for Business & Industry at ICO, was published on the Econsultancy website. Evans is careful not to go into detail about the technical implementation of the law, but does make clear that ICO will take a reasoned and pragmatic approach to its implementation.
Everyone with an interest in the cookie law should read the whole interview very carefully. Here are a few quotes I've picked out as particularly interesting.
Evans says that the spirit of the legislation is essentially benign, and summarises it like this:
Organisations providing content are obtaining information about users and people have started to become more aware of the sophisticated techniques being used for internet marketing. The 2003 directive wasn’t doing enough to deal with this.
Organisations that collect information need to obtain people’s agreement, and you have to tell them what you want to do with it.
So the aim is to protect user privacy, and ensure that they are giving informed consent for using their information.
Considering the spirit rather than the letter of the law makes it less frightening: its essential purpose is to ensure that websites obtain 'informed consent' for the setting of cookies. Evans goes on to stress that the ICO does not regard all cookies as equal, 'and our enforcement approach will bear this in mind'. He says:
For example, someone may complain about a cookie placed without their consent, but if it was just used to remember essential details rather than to gather information to be used for marketing purposes, then it may not be appropriate to act.
The first question we will ask is: have you tried to sort this out yourself? If they don’t want a particular cookie, then they could use browser settings or security software to get rid of it.
It’s highly unlikely that organisations will get into trouble because of one cookie or just a few complaints, but we would seek to address any potential issues with the company concerned.
So, if your website sets analytics cookies, calm down. You just need to make it clear to the user that the site does so, and that the user can block the cookies using their browser's security settings. This is a very important point: ICO is saying that the kind of intrusive opt-in mechanism discussed above isn't necessarily essential for compliance. He goes on, and it's worth quoting this at length:
Just because analytics cookies are caught by this law doesn’t mean a strict opt-in is necessary. It could, in some cases, be seen as an essential part of the relationship.
Organisations can help themselves by informing people and providing decent information about cookies. For the last eight years or more, this has been hidden away in privacy policies which only a minority of internet users ever read.
Therefore, can you be confident that your users know about cookies? In the medium to long-term, if lots of websites are more transparent about cookies and privacy, then users will become more informed and it will be easier to assume knowledge.
If we can operate on the basis that, since a website has made efforts to inform customers, and through this collective education process, people understand how and why online businesses are using their data, a website could claim with some justification that since we made it clear, and they are still using our website, opt-in consent may not be necessary.
It will take time to get to the point where most web users are aware of this, but this clarity of information may fill that gap for some websites. It may eventually become an implicit part of the relationship that websites gather and use analytics data.
Here Evans quite rightly highlights the poor job the industry has done in making it clear to users what information is being collected about them. We need to make a greater effort to document the cookies we are setting and why, and make sure that users can find that information easily. If that becomes standard practice, users will be able to access websites confident in the knowledge that they can easily find a clearly worded privacy page setting out exactly what information the website is recording. If that page also provides clear instructions as to how the cookies can be blocked, then the purpose of the cookie law has been fulfilled. There's no need for explicit opt-in if this simple practice becomes standard. Just make sure you document your cookies, and let users know how they can turn them off:
If it looks like an organisation has put enough information there, and it is clearly visible, such that it wouldn’t be likely that users would miss it, then it’s unlikely we would take that further.
Evans is asked about the elaborate interface put in place by BT, and makes it clear that he doesn't expect smaller organisations to implement similar solutions:
It looks perfectly fine, though I’ll hold back on passing judgement as it has only just been rolled out. We know how much time and effort BT has put in though, and we also appreciate that this is beyond the capabilities and resources of some companies.
The interview concludes with some useful comments on ICO's capacity to enforce the legislation, and the 'punishments' at its disposal:
We have a team of investigators, but we won’t necessarily be trawling the internet looking for abuse of the directive. In time, we may choose to look at particular sectors to see how they are informing users, based on the information we have received.
Enforcement won’t be driven by individual complaints though, and how we deal with this may well depend on the response from business. For example, if someone says, 'we’re not doing anything about this', then we may pay them more attention.
All of our enforcement actions are likely to be in the form of negotiations. If people listen to our advice and are prepared to take steps towards compliance there shouldn’t be a problem.
However, if businesses deliberately stop short of total compliance, then there is a risk.
Allow me one final quote, which nicely encapsulates the overall message:
There are lots of gaps here, and we want people to fill them with good practice. We can then point to examples of this and everyone will have a greater understanding of what is required.
I realise I've ended up quoting most of the interview. But it really is that useful. There's another article I read recently that makes a fine companion piece to the Evans interview: The EU Cookie Law and its 'punishments' by Heather Burns of Idea15 Web Design is a clear-sighted deconstruction of the myths that have developed regarding the alleged punishments ICO is supposedly set to visit upon website owners on the stroke of midnight on 25 May. In particular, that £500,000 fine. Speaking of the scaremongering to which the law has given rise, she says:
But what those sound bites don’t tell you is that those figures represent ICO’s maximum penalty fines for all of the forms of data protection under its remit – not just the cookie law; that the financial fine is actually the fourth and final stage in an exhaustive warning process; and that the breaches which constitute a 'severe penalty' are not even on the same radar as the issues presented by the cookie law.
An analogy might be that we are being warned not to commit a civil offence under threat of the penalties issued for premeditated murder.
If you haven't done so already, please read the full article. If you are a designer send the link to your clients.
A measured implementation, for now
So in light of all this what steps should we take to acknowledge the new law? I certainly believe that it shouldn't just be ignored. It isn't going to go away, and the legislation's underlying spirit seems to me to be benign. We have an obligation to tell our users what information we are collecting about them, and why, and to tell them how they can block that information if they so wish.
Let me briefly highlight two websites that I think are doing it right: doing a good job of letting users know what data they are collecting, but without all the fuss of pop-ups, checkboxes, dialog boxes, flying widgets and so on.
The BBC website offers another example. In this case the link to cookies is in the footer:
That seems to be clear enough: it's exactly where the user might expect to find such a link. This leads to a BBC Cookies page very similar to that on the Econsultancy site. Again, all very clear.
I humbly submit my own implementation, which follows the BBC in putting the Privacy and Cookies link in the footer, leading to a page that outlines the cookies I've set - very few in this case - and how they can be disabled.
If my reading of the Evans interview is right I don't think any more than that is required. If I'm wrong, and I do need to do more, then I'll do it if ICO come knocking on my door. But until then I'm glad to say you won't find any annoying popups on lucentwebdesign.co.uk, or - unless they ask for them - on my clients' sites.