Another look at the EU Cookie Law

Remember the EU Cookie Law? A few weeks ago there was excitement about an apocalypse due on the 26 May when the EU Privacy and Communications Directive took effect, requiring website owners to ensure users are informed of the cookies set during use of their site.

The doomsday prophesied in some unscrupulous quarters didn't occur, needless to say, and the sun rose that morning. Since then things have become somewhat clearer about precisely what designers need to do to meet the Directive's requirements.

In an earlier blog post - A view of the EU Cookie Law - I offered my interpretation of the Directive, in which I quoted extensively from an interview on the Econsultancy website with Dave Evans, Group Manager for Business and Industry at the Information Commissioner's Office (ICO), the UK body responsible for enforcing the legislation.

In that interview it appeared to me that Evans was saying that it would not be necessary for websites to require explicit opt-in from users for the serving of cookies. It would be sufficient for designers to make greater effort to inform users what kinds of cookies a site is setting, and how those cookies can be switched off if required. In most cases an enhanced privacy and cookies policy would be sufficient, readily accessible from any page of the site (the obvious place is the footer).

Since then Econsultancy have published another interview with Evans - ICO blog: updated advice and guidance on changes to the EU cookie law - which makes that even clearer. As with my previous post I quote notable parts of the interview below.

In a nutshell, Evans says the requirements of the Directive boil down to this:

The main point to get across is why cookies are being used, for analytics or whatever, I think most web users just want to be reassured that nothing untoward is going on. This is more important than listing the different types of cookies in detail.

I think many web users haven’t a clue about what cookies sites use, and many are simply not interested.

Evans is quite clear here that ICO's requirements for adherence to the Directive are rather minimal: just make sure that users know cookies have been set, and what their purpose is. In most cases he says there's no need for opt-in popups and widgets:

There are things you can do to ensure that you are gaining valid consent. For example, if sites make it clear that they are using cookies, and continued use of the site means that you are accepting this, then this is a valid approach.

It doesn’t have to intrude on the user experience, and a lot of sites I have seen are getting the message across without putting obstacles in front of users.

I think a lot of people have assumed that you must get opt-in consent by the guideline or the ICO will come and get you, but this is not our approach.

He goes on to say that the adjustments some larger companies and organisations have made to their sites to inform users what cookies they are setting are helping everyone by making users more aware of the existence and purpose of cookies:

[M]any smaller retailers may rely on the work that the bigger, more visible e-commerce sites are doing to educate customers about cookies.

These smaller businesses could take a softer line as the education work has already been done i.e. as users are used to the fact that sites like the BBC and John Lewis set cookies, they expect it from every site.

The law does require more of sites that use cookies in a way that users might consider unreasonable, such as distribution of their browsing behaviour to third parties:

If sites are doing something different from the norm with cookies, perhaps using consumer data in a way that some would worry about, then maybe warnings need to be clearer.…

We’ll be looking at the feedback and complaints we receive from web users, for example, if there are any particular issues in individual sectors that raise cause for concern. This feedback will tell us how serious an issue this is for web users. If there are relatively small numbers of people complaining, there may be no need for further action.

However, if there are concerns about organisations which have taken a softer approach, then we would expect them to go further. The proof of the pudding will be how consumers continue to use websites. If they see cookie information, know where to find it if they need it, and carry on using sites as normal, then there may be no issue.

So ICO itself is still deciding on what sort of cookie setting might contravene the law. Over time test cases will emerge that will serve as examples of what not to do. What is clear is that for the great majority of websites minimal action is required: inform users that cookies are being set, tell them what they are, let them know how to switch them off, and make that information easily accessible. Nothing more and nothing less.