- Tell people that the cookies are there
- Explain what the cookies are doing
- Obtain visitors’ consent to store a cookie on their device
“The information needs to be upfront – without information people can’t give consent,” said Simon Rice, the ICO’s principal policy adviser for technology, in a recent BBC article. Those who fail to implement its rules properly could be fined up to £500,000.
Even though the UK legislation came into force in May 2011, many sites have yet to add a feature asking for users’ consent. According to a survey done on behalf of KPMG, 95% of 55 major UK-based organisations were still not compliant with the cookie law at the end of last month.
The move has proved controversial with many companies stating the cookie law is not a positive development. The ICO’s own research suggests this could be an issue. Since asking users to click a box if they agree to accept cookies from its site, the organisation says just 10% of visitors have complied.
Since March a pop-up message on its home page has told first-time visitors that unless they take up an offer to change its settings, then they have consented to its “allow all cookies” default rule. “So far, we can see that customers are generally choosing to keep the cookies that we use to provide the best experience on our webpages,” a spokeswoman said.
Is implied consent enough?
At a recent WAW (Website Analytics Wednesday) event, Dave Evans of the ICO, speaking on the E-Privacy Directive (aka the EU Cookie Law), went on to say:
“Provided clear information is given about their activities, we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
According to Webtrends, the first part of the statement is very important as it refers to implied consent. The ICO expects website owners to take the lead in educating users on the how, what and why of the data they collect. So, if you are a website owner using first-party cookies for analytic purposes only, then you can expect the ICO to leave you alone, but only if you have taken positive steps to inform and educate your users, e.g.:
- Conduct a cookie review and remove any unnecessary cookies from your site
- No legalese, no jargon, no inflammatory terms (e.g. use ‘measure’ not ‘track’)
- Explain why cookies benefit their experience
Remember, the legislation came into force in May 2011, so by now you should have already completed the above. If you have done so but are still unlucky enough to have a complaint made against you, then the ICO may well reject it on the grounds of implied consent.