Complying with the EU cookie law (e-Privacy Directive)

by Stuart

There has recently been much touting and scaremongering in the online press about the implementation of the EU-wide ICO Cookie law.

This has been law for the past year, and we have been in a 12-month buffer in which the ICO stated they would not enforce the new law (http://www.ico.gov.uk/cookies). The law is very broad-reaching and, in our opinion, poorly drafted and therefore flawed, which prompted a small rant on the Motionlab blog in May 2011: http://www.motionlab.co.uk/blog/the-ico-ignore-their-new-law-regards-cookies/2011/05/. Read in a certain light, the scale of the law places large organisations such as Google on the wrong side of it, and Motionlab, like many others, had hoped that during these 12 months we would see some big players take a stance. Instead, many have simply remained quiet; we believe Google has barely even acknowledged that the new law exists, and they are probably the largest under its scope.

So where does this leave us?

As the finer points of enforcing this law are still being deliberated, it has been left up to the web community as a whole to devise ways of being compliant, leading to different styles of popup / opt-in being implemented by those who are panicked by the lack of complete guidance offered by the ICO.

We understand that many of our clients do not want to annoy the end-user with a popup if possible.

Unofficially, off the record, and definitely NOT legal advice - we believe the law is at best difficult to enforce in its present state without a test case, and we also believe the ICO will have to bring a legal case against a big player to prove the legitimacy of the law.

But the law is aimed at you, the website owner, and now that it is ingrained in EU law we should all attempt to be compliant.

You want to do something towards being compliant:

In April the International Chamber of Commerce stepped up to the mark with their own interpretation of how to implement the law: http://www.motionlab.co.uk/icc_uk_cookie_guide.pdf. This has not been endorsed by the ICO, but they have commented that it is "A step in the right direction towards being compliant".

In the closing days of the grace period the ICO finally stepped in with some guidance that can be read here: http://www.motionlab.co.uk/cookies_guidance_v3.pdf

The shortened version:

- Categorise the cookies your site uses into these 4 categories: 1. Strictly necessary, 2. Performance, 3. Functionality and 4. Targeting/Advertising cookies. Note: as a rule, a completed website from Motionlab will only use category 1 and category 3 cookies until you, as the website owner, have Google/ad tracking or affiliate networks incorporated. Our cookies are ‘usually’ called PHPSESSID and CAKEPHP.

- Make sure the terms and conditions on your website explain what cookies you use and how you use them, clearly and under a marked area specifically for cookies; this can be on its own page or under a clear heading on an existing T&Cs page. Motionlab have developed a tool for our clients that will automatically audit the cookies on your website and produce a ‘cookies’ specific page on your site. The cookies page on our website was produced by this tool: http://www.motionlab.co.uk/cookies

The ICO's latest guidance goes to some length about 'implied consent' for your website's cookies, leaving it up to you as the website owner to decide if your cookie use should require the user to actually click to accept their use. The ICO's opinion is that if the cookies are required for a function requested by the user, such as a login or a basket for products, then the acceptance of the cookies can be implied by that action. But the spirit of the law is that your cookie use shouldn’t be hidden amongst your terms and conditions, and as such should be easily viewed by the user. For many of our clients a clear link to a cookies page as demonstrated on www.motionlab.co.uk would be sufficient.

But if you use what the ICO deems ‘intrusive cookies’ to track user behaviour through affiliate or advertisement networks or other purposes, or you simply want to be sure you are compliant and don’t believe a popup will affect your user experience, you may wish to actively ask for acceptance of your cookies. To help you do this Motionlab has developed a small popup: http://www.motionlab.co.uk/cookies-popup.

On your site this would show only once, regardless of whether the user clicks OK.
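
An added sketch of the categorise-then-decide steps above, in Python (this is not Motionlab's audit tool, which the post does not show): it parses cookies written in Set-Cookie syntax, assigns each to one of the four categories, and suggests implied or explicit consent. The name-to-category map, the sample cookies, the `example.co.uk` domain and the rule in `consent_mode` are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# The four categories listed in the post.
CATEGORIES = {1: "Strictly necessary", 2: "Performance",
              3: "Functionality", 4: "Targeting/Advertising"}

# Assumed name-to-category map. PHPSESSID and CAKEPHP are named in the post
# (the category given to each here is an assumption); the rest are illustrative.
KNOWN = {"PHPSESSID": 1, "CAKEPHP": 1, "lang": 3, "_ga": 2, "ad_id": 4}

# Constructed sample: cookies seen while browsing a site, in Set-Cookie syntax.
SAMPLE = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "CAKEPHP=def456; Path=/; HttpOnly",
    "lang=en-GB; Path=/; Max-Age=31536000",
    "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
    "ad_id=xyz789; Domain=.adnetwork.example; Path=/; Max-Age=2592000",
]

def audit(headers, site_domain):
    """Parse each cookie and record its category, lifetime and owner."""
    rows = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            number = KNOWN.get(name)  # None = nobody has categorised it yet
            domain = morsel["domain"].lstrip(".") or site_domain
            first_party = domain == site_domain or domain.endswith("." + site_domain)
            rows.append({
                "name": name,
                "number": number,
                "category": CATEGORIES.get(number, "UNCATEGORISED"),
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
                "third_party": not first_party,
            })
    return rows

def consent_mode(rows):
    """One reading of the post: review unknowns, ask for category 4, else imply."""
    numbers = {r["number"] for r in rows}
    if None in numbers:
        return "review"
    return "explicit" if 4 in numbers else "implied"

if __name__ == "__main__":
    rows = audit(SAMPLE, "example.co.uk")
    for r in rows:
        print(f'{r["name"]:<10} {r["category"]:<22} persistent={r["persistent"]}')
    print("consent:", consent_mode(rows))
```

Any cookie missing from the map comes back as UNCATEGORISED and turns the result into "review", so a newly added tracking script cannot slip onto the cookies page unclassified.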

For our existing clients we have a fixed price of £40 to implement a Cookie page with the results of our automatic cookie auditor. We can also implement a popup if you choose for a further £20. If you would like help with either of these solutions, or an even more thorough audit, please get in touch.