How the new ‘cookie’ law affects small business website owners
Rebecca Grainger, June 2012

If you’ve spotted pop-up windows on your favourite websites about ‘cookies’ over the last couple of weeks and are wondering what it’s all about, you’re not alone. It’s all to do with a change in the law that requires website owners to gain the consent of their customers before storing any information about them.

In this article Rebecca Grainger, director of Goldilocks Marketing, explores what this change in the ‘cookie law’ means for small businesses with websites.

What’s a cookie?

Ever wondered where the information on visits to your website comes from? Or how your website greets your customer by name? These, and many other things, are possible down to a little piece of code behind your site called a cookie.

The Information Commissioner’s Office (ICO) defines a cookie as “a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites.” In other words, when a customer visits your website, a file is put onto their computer. The next time that customer visits your website, their computer (or mobile phone) recalls that file, telling your website ‘who’ the user is.

Whilst it sounds a bit Big Brother, the ‘who’ is in inverted commas above for a reason. As Google says “cookies do not identify people, but rather they are defined themselves by a combination of a computer, a user account, and a browser”. Often on small business websites the information stored is minimal. Typically the information is used for analytical purposes, for example to track how many visits a website gets and what each user looks at. They are also sometimes used to aid the website user so they don’t have to enter their details every time they visit your website. For example, if I email you via a contact form once, the next time I want to use that form my computer will suggest my email address in the form saving me time and effort.

Does my website use cookies?

You will almost certainly have at least one cookie on your website. For example using Google analytics code to track how many visits your website inserts at least three cookies.

Facebook and other social media ‘like’ buttons and accessibility features are types of cookie. Online shops all have essential cookies contained within them to ‘remember’ what an individual has selected to buy.

If you’re unsure what cookies are used on your site, you don’t need to be a web developer to find out. See below for details.

The law and how it has changed

At the end of May 2011, EU law relating to how website owners use cookies and similar technology changed. Consequently the UK introduced amendments to The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

Our UK law now says:
A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

Since this is actually an amendment of a law that has been in place since 2003, the chances are you are already meeting part (a) of the above. The rewording applies to (b), the issue of consent. The previous version said you must provide the option for people to opt out of cookies being stored on their devices, where it now states you must obtain consent to store a cookie on a user or subscribers device.

Getting consent from your customers

The amendment actually happened last May, but website owners were given a year’s grace to comply. During this grace period there was debate over how exactly a website owner must gain consent from its users. At one point I thought every time I visited any UK website, I’d have to tick a ‘consent’ box before I could view it – a pain as a web developer, but even more so as an avid internet user.

Luckily new ICO guidance says website owners can usually rely upon ‘implied consent’, providing your users understand what cookies you have and why you use them. So basically you have to give your users clear information about what cookies are used for and, in them continuing to use your website, they are indicating their consent.

The ICO suggests that explicit consent (ie a tick box for a user’s acceptance) would be better where sensitive personal data is being collected.

Exceptions

There are two notable exceptions to the requirement to obtain consent. These are where the use of the cookie is: (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

So, where a cookie is used to ensure that when a user of a site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, the site ‘remembers’ what they chose on a previous page. This cookie is strictly necessary to provide the service the user requests (taking the purchase they want to make to the checkout) and so the exception would apply and no consent would be required.

Before you jump for joy because you’re an online retailer, though, beware… Your site probably contains other cookies, such as analytics, so you must still provide your customers with information about your cookies you use and gain implied consent for these.

What does this mean for website owners?

As a website owner, you need to work with the person setting the cookies (ie your web developer) to ensure your users are well-informed about cookies and that valid consent is obtained.

Failure to comply with the regulations could bring a fine of £500,000. The ICO stresses it wants to work with website owners to comply whilst educating website users, so will not be actively monitoring website except where complaints have been received (possibly in part because a number of high profile government and privately-owned sites have missed the deadline). However they say they will take an interest in sites where the website owner has done nothing to be compliant with the law.

What to do now…

Website owners should follow the recommended ICO review process (summarised below). Make sure you document your review and amended procedure, and keep this documentation in a safe place:

1. Review
You need to review all cookies and similar technologies used on your website. Check what you have and how you use them. Consider if they are strictly necessary – it’s a good time to remove any technology you do not need or make use of.

If you need to see what cookies your website uses (and if you want to change your personal cookie usage when looking at other websites):
In Internet Explorer, you’ll find this under tools-F12 developer tools. This will open up the developer tools screen which has another menu towards the bottom of the browser window. Click cache > View cookie information.

In Firefox the option is under tools-options. In the pop-up window choose the ‘privacy’ tab and click ‘show cookies’. Select your website from this list. If you cannot see the ‘show cookies’ button, change the ‘history’ drop-down to ‘use custom settings for history’.

2. Assess how ‘intrusive’ the technology is.
Whilst there is no actual definition of intrusiveness in the regulation, a common sense and human approach suggests that if you are collecting and storing personal information about an individual then that is more intrusive that keeping track of their nearest town for example. Think about it from your customer’s perspective – how would you like a company storing that information about you?

Basically, the more intrusive your technology is, the higher the priority for obtaining well-informed consent is.

3. Decide methods for obtaining consent
Once you know how intrusive your website’s cookies are, you can decide upon the appropriate method for obtaining your users’ consent. For example, collecting personal and identifiable data should require an opt-in, tick box consent, where using analytics alone to monitor visits may only require ‘implied consent’.

The regulations distinguish between cookies that are ‘Strictly necessary’ for a website to function; those necessary for a site to monitor its ‘performance’; cookies that add ‘functionality’ such as remembering a password; and ‘Targeting Cookies’, which collect several pieces of information about users’ browsing habits.

Many websites belonging to small businesses track both an individual’s activity on a site, such as what page they started on and which pages they looked at, and an individual’s details (for example their email address). Both pieces of information are used individually and the purposes of both are to improve a customer’s experience of the website. In this case, I’d argue both information on its own is not intrusive and that clearly stating the website stores both pieces of information only to improve the user’s experience of the site should be adequate for implied consent.

If, however, a business ties these pieces of information together to identify who, specifically, was looking at what. I would say this is highly intrusive, and should obtain an opt-in method of consent.

4. Provide clear information to your website users
Tell your website users what cookies you use and what you use them for. You can provide them with an option to opt out of cookies (with instructions on how to do so), or advise them to stop using the website immediately if they do not agree to have their information stored in this way.

In most cases (ie where the cookies used are not intrusive) you can provide this information in your website’s existing terms of use and privacy policy. However, it is good practice to alert your website users to changes to the policies so that previous users (who have already implied consent to your previous policy) are informed of the changes. A message on your key landing pages (ie home page and any other popular pages) along the lines of: “Our privacy policy has changed. These changes are about the use of cookies on our website. Please read our updated privacy policy [link]” should do the trick.

The future

Users of modern browsers already have plenty of control over their consent to use cookies via their browser. However many are not aware of this control, or even why they would need it. Part of the objective of this amendment to the law is to raise public awareness of cookies to protect their privacy. The government is working with browser providers to give users more control, taking some responsibility away from the website owner (but with it some functionality of their websites). This may be the future for cookie consent – possibly good news for consumers, bad news for web developers and website owners?

Useful links:

About Cookies: a website provided by Out-Law, part of international law firm Pinsent Masons

A useful blog on how to determine what cookies your website uses.

A good example from the government of a cookie info page

A Google developer page about Cookies and Google analytics

Article for web developers from Net Magazine