The Cubeworks 4-point Cookie Action Plan
In advance of the new EU ‘Cookie’ Legislation coming into force in May 2012, there has been much speculation and non-specific information bandied about regarding what you ‘may’ or ‘may not’ be required to do in order to comply with the new rules. For example, there is a lot of confusion about the extent to which a visitor to your website will need to ‘opt in’ to you tracking them via Web Analytics.
So, to help unravel the myriad of information, my aim here is to be as direct as possible, and give you the key facts you need to know:
- A Cookie is a file that is downloaded to your browser whenever you visit a website. It is often used to capture information about you (for example your internet/IP address), or detect settings on your computer so that the content of the website you’re visiting is displayed in a particular way. It can also track every click you make on a page.
- This law does not apply to just Cookies, however, but to all forms of online tracking devices used to gather information on the user.
- Cookies used for essential functions are excluded from the new legislation, for example: when used to remember the contents of a ‘shopping basket’ or personal preferences set by a user themselves.
- Where tracking is non-essential, the user must be asked to give their consent on your website – this is only required the first time the user visits your website. This is potentially a very big change for most websites, as it means interrupting the user on your website and asking them to ‘opt-in’.
- In addition, remembering and storing preferences that users have not manually selected themselves, or collecting statistical information, also needs consent.
- You have to explain within your website what all those Cookies are for, and what each one/type does.
Current industry opinion is that there will be an exception made for Web Analytics (Google Analytics being the most widely used) as data is anonymous and ‘non-intrusive’, so it’s unlikely the Information Commissioner (ICO) would take any formal action in these cases.
However, this isn’t the official line yet. Worryingly, there is startling evidence that when you explicitly advise the user that you are using Cookie-based analytics software and then give them an ‘opt-in’, this significantly impacts your stats. As we noted on the Cubeworks blog, when the ICO implemented ‘opt-in’ themselves, they showed a drop of up to 90% of tracked visitors.
Cubeworks are currently looking at ways of making Cookie ‘opt-in’ as unobtrusive and easy as possible, the important thing being to tailor a solution to your site that is best suited to your users.
In the meantime we can suggest a 4-point action plan to help you become compliant.
The Cubeworks 4-point Cookie Action Plan:
1. Conduct a Cookie audit (this includes other forms of gathering user data).
2. Detail what type of Cookies are used by your website and what they do.
3. Document remedial action & technical solution for each type of tracking – having a plan is going to be essential if the ICO come knocking, even if it is not implemented.
4. If you choose, implement the remedial action recommended.
It’s ultimately up to you whether you implement the changes or not to adhere to the rules, but there could be heavy penalties if you don’t – up to a maximum of £500,000. If you would like Cubeworks to assist, I suggest getting your plan in place earlier rather than later, as there will be a rush in the lead-up to May. Things may change again between now and then around legislation, so keep an eye on the comments on this post and our Blog for any updates.