On the 26th May 2012 an EU directive known as the Cookie Law comes into force in the United Kingdom.
Cookies?
The directive, which is designed to protect online privacy, requires websites to obtain consent from visitors before using cookies (or similar systems) to store information about them. Although this is a good thing in spirit, in practice the law will do little to actually protect people. This video might help explain better than I ever could:
http://www.youtube.com/watch?v=arWJA0jVPAc
The Law
But the law is the law, so what can we do to become compliant? The good news is that, apart from one small exception, I believe most of our customers' websites are already compliant. For example, most of our WordPress sites use a cookie to keep you logged into the administration area, but such cookies are exempt from the law as they are strictly necessary for the functionality of the site.
Unfortunately, the aforementioned small exception is Google Analytics. Analytics, something which we implement on all the sites we build as standard, is a popular system for collecting web site statistics, and can be a valuable tool in understanding your audience and their habits on your site.
The Solution
So what can we do about this? There are four approaches:
- Remove the Analytics code from the website.
  This is quick and easy to do, but it means you'll no longer have access to the statistics it provides.
- Request permission to use Analytics from the user.
  Via the use of a dialogue box or banner on the site, this option would make the site compliant, but would make the statistics provided by Analytics unreliable as it would only track the people who give permission.
- Update your privacy policy to gain implied consent.
  This option hopes to sidestep the law via a combination of stating that Analytics is strictly necessary, along with clear information in the site's privacy policy about exactly what Analytics is, and would mean that your Analytics statistics remain unaffected.
- Do nothing and hope that Google provide a solution.
  The simple fact of the matter is that Google will have to do something about this sooner or later, but as of this time, they've remained tight-lipped on the subject.
Personally, so far as this site is concerned, I’m inclined to go with the third option, but I’m not a lawyer, so please don’t take that advice as the ultimate solution to the problem. Instead, I recommend that all of our customers take legal advice, then get in touch to discuss what you would like to do.
Update (31st May 2012)
It would seem that there has been a bit of a U-turn regarding the Cookie Law, and what the requirements for a website to comply are.
The advice given previously suggested that you needed explicit consent (i.e. a pop-up asking for permission) from users to assign them cookies; it now appears that implied consent (informing users that cookies are used on the site) is enough. You can find more information on the ICO website.
So far as I can tell, this means that the third option I suggested above is the best course of action, so if you've not yet done anything about your site and the cookies that it uses, you should still update your privacy policy with full and complete information on the cookies that your site uses, Analytics or otherwise.