The UK’s implementing guidance requires web sites to:
- Explain what the non-essential cookies are and what they do;
- Obtain consent to store non-essential cookies on the visitor’s device.
Disclaimer: this post, which is targeted at a UK audience, is not legal advice.
What kind of cookies are considered essential?
These are the ones that keep you logged in to a web site, keep the items in your shopping cart, or remember your language preference: cookies that are strictly necessary for something the visitor has actually asked for. You do not need to explain them or gain consent for them. Non-essential cookies include third-party advertising beacons, social media widgets, and analytics cookies. (You could always use cookie-less analytics.)
What is the best way to comply?
A simple information notice – “Cookies” – which links to your cookie disclaimer, placed discreetly into your header or footer, will do. You can also combine your cookie disclaimer with other policies in a “Terms and Cookies” link. Your disclaimer can simply be a data table listing what the cookies are and what function they serve. If you are offering an opt-out for potentially intrusive cookies, follow this example, which uses a simple button placed inline within the text of the Terms page.
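One way to build the disclaimer table and the inline opt-out button described above, as an added example that is not code from the original post: a single inventory of the cookies the site sets generates the rows of the disclaimer table and decides whether the scripts that set the non-essential cookies are loaded at all. The cookie names, script URLs and element ids are hypothetical placeholders.

```javascript
// Added example (not from the original post): one cookie inventory drives both
// the disclaimer table and an inline opt-out for the non-essential cookies.
// Cookie names, script URLs and element ids are hypothetical placeholders.

const OPT_OUT_COOKIE = 'nonessential_optout'; // hypothetical preference cookie

// One entry per cookie the site sets. Non-essential entries carry the script
// that sets them, so the script can be withheld once the visitor opts out.
const COOKIE_INVENTORY = [
  { name: 'session_id', purpose: 'Keeps you logged in', essential: true },
  { name: 'cart', purpose: 'Remembers the items in your shopping cart', essential: true },
  { name: 'lang', purpose: 'Stores your language preference', essential: true },
  { name: OPT_OUT_COOKIE, purpose: 'Records whether you opted out of non-essential cookies', essential: true },
  { name: '_ga', purpose: 'Third-party analytics (hypothetical)', essential: false,
    src: 'https://analytics.example/tag.js' },
  { name: 'ad_id', purpose: 'Advertising beacon (hypothetical)', essential: false,
    src: 'https://ads.example/beacon.js' },
];

// Parse a document.cookie / Cookie-header string into a name -> value map.
// Values may themselves contain '=', so split each pair on the first one only.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// The visitor has opted out when the preference cookie is present and set to '1'.
function hasOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// Value assigned to document.cookie when the button is clicked. The preference
// cookie is essential (it stores the visitor's own choice), so it needs no
// consent; Secure and SameSite=Lax keep it off plain HTTP and cross-site requests.
function buildOptOutCookie(optOut, maxAgeSeconds = 365 * 24 * 60 * 60) {
  return `${OPT_OUT_COOKIE}=${optOut ? '1' : '0'}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Rows for the disclaimer table: cookie name, what it does, and its status.
function disclaimerRows(inventory = COOKIE_INVENTORY) {
  return inventory.map(c => [
    c.name,
    c.purpose,
    c.essential ? 'Essential' : 'Non-essential (opt-out available)',
  ]);
}

// Script URLs that may be loaded for this visitor. Essential cookies are set by
// the application itself; the scripts behind non-essential cookies load only
// while the visitor has not opted out.
function scriptsToLoad(cookieString, inventory = COOKIE_INVENTORY) {
  if (hasOptedOut(cookieString)) return [];
  return inventory.filter(c => !c.essential && c.src).map(c => c.src);
}

// Browser wiring; skipped outside a page so the functions above run under Node too.
if (typeof document !== 'undefined') {
  const table = document.getElementById('cookie-table');   // hypothetical <tbody>
  const button = document.getElementById('cookie-optout'); // hypothetical <button>

  for (const row of disclaimerRows()) {
    const tr = table.insertRow();
    for (const cell of row) tr.insertCell().textContent = cell; // textContent, never innerHTML
  }

  const render = () => {
    button.textContent = hasOptedOut(document.cookie)
      ? 'Opt back in to non-essential cookies'
      : 'Opt out of non-essential cookies';
  };
  button.addEventListener('click', () => {
    document.cookie = buildOptOutCookie(!hasOptedOut(document.cookie));
    render();
  });
  render();

  for (const src of scriptsToLoad(document.cookie)) {
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
}
```

Withholding the script is what stops the non-essential cookies being set in the first place; an opt-out cannot remove cookies a third party has already placed from its own origin, which is why the gate runs before any such script is loaded. The same code serves an opt-in scheme by inverting the default in scriptsToLoad, so the choice between the two is the legal question the post discusses, not a technical one.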
You do not need to use special plugins, scripts, or third party services to meet your cookie law obligations. Nor do you need to use pop-ups, drop-downs, or overlays which request – or even demand – cookie consent. You do not have to reject site visitors who decline to grant their cookie consent by redirecting them to an external site.
(And whatever you do, don’t do this. Wait 10 seconds and then move your mouse. Ouch.)
What should I include in my disclaimer?
In your cookie disclaimer, you should advise your site visitors to grant their consent the responsible way – through their individual browser settings. After all, people have had control over their cookie preferences through their browsers since 1998. Why should you have to put in extra work because people can’t take personal responsibility? You can also suggest using browser add-ons like Disconnect.
The authors of the cookie law took the dreadful position of treating cookies as the source of a problem. They got that wrong. Cookies are merely carriers of information. The problem with cookies lies in what people choose to do with the information stored in them. If your site’s cookies have no impact on privacy, or if you collect analytics but never look at them, your cookie compliance strategy will be much shorter and simpler than the strategy required for a site which relies on advertising revenue or data collection.
Reality bites… into cookies
We all know what the cookie law requires on paper. That being said, we also have to measure our obligations to the law by the actual impact that it has had on the public since it went into effect in 2012. That impact has been wildly different from what the EU and UK governments had predicted.
In the United Kingdom, the cookie law is administered and enforced by the Information Commissioner’s Office (ICO), the independent government agency responsible for issues pertaining to data protection, consumer privacy, and information security. When it comes to the cookie law, ICO are not parking wardens. They are not patrolling the streets of the world wide web looking for British web sites to ticket and fine for cookie law violations, nor do they work to quotas or targets. ICO can only respond to specific cookie law complaints filed by the public through their formal reporting procedure. And, what ICO’s disclosed figures have shown so far is that the cookie law complaints they receive are about anything but privacy.
As I predicted well before the law came into effect, the cookie law is being misused as a griping mechanism by people with ideological complaints, personal grudges, and axes to grind. Businesses are reporting their competitors for “cookie law violations” to try to get one up over them; disgruntled customers are reporting businesses for “cookie law violations” in revenge for bad service or personal gripes; people are reporting politicians they don’t like for “cookie law violations” as a form of slacktivism; and people riding a privacy high horse are filing long-winded and ranty complaints that don’t actually say which web site they are complaining about.
Add that knowledge to the fact that to date, no British web sites have had any action taken against them for cookie law issues – in fact, only two sites across all of Europe have been slapped for cookie law issues – and you have much ado about nothing. After all of the panic and scaremongering, the cold hard fact is this: if a site you operate is reported to ICO for an alleged cookie law issue, there is a 90% chance that the complaint is about you personally or your business, and not about any violation of privacy you might be committing. To their credit, ICO have openly stated that the vexatious, personal, and time-wasting complaints they receive in the name of the cookie law go straight into their corporate recycling bin. They frankly have more important privacy issues to deal with – as should you.
If a lack of public interest mortally wounded the cookie law, Ed Snowden’s revelations inflicted the fatal blow. It should not fall to site administrators to shoulder the burdens of paying lip service to online privacy when every keystroke we make is recorded by a five-nation surveillance apparatus. Let’s make sure the EU hears that message loud and clear when the law is reviewed in 2015.