On the 26th May 2011 the EU took the decision to change the way that websites use cookies, laying out a set of regulations which all European websites are required to comply with. A year’s grace period was given to allow Euro web-users time to get to grips with the new cookie policy and implement the required changes. This grace period will expire on Saturday 26th May 2012, so it is high time to get your cookies sorted!

In response to the EU changes, the UK-based ICO (Information Commissioner’s Office) has compiled guidelines for all UK sites, to ensure that everyone is compliant by the deadline. These guidelines are not entirely clear and can be a bit confusing. If you’re not certain what your next step should be, read on for our guide to getting cookie compliant.

Why the change?
Cookies are small text files which collect information from visitors to your website and store it for later use. There are many reasons why cookies are used. Some cookies have very basic functions which help remember details like a visitor’s shopping cart contents, whilst other cookies keep track of information such as a user’s demographic or the information a visitor has previously viewed on the web.

So some cookies are good for users, some cookies are good for websites and some cookies fall into a grey area between the two. It is the more ‘predatory’ variety of cookie which gathers lots of information from visitors in order to aggressively tailor advertising towards them, which the EU is targeting with this new policy.

Another reason for the crackdown is the lack of user awareness out there. Research has shown that the vast majority of internet users do not have the first clue about cookies, what they are, what they do and how to turn them off. 

As many internet users’ understanding of cookies is limited, the more aggressive cookies are able to take information from visitors without their knowledge or consent. This is exactly what the new legislation is hoping to tackle.

Cookies: The good, the bad and the grey
If you’re going to implement a compliant and responsible new cookie policy, you’ll need to perform a thorough cookie audit of your website. Find out which cookies you’re using and then assess whether they’re beneficial to your visitors or to you. If you discover you are using cookies which are not useful to users but are very helpful to you, you will need to either remove them or start providing information and requesting permission, as we’ll explain later.

As a broad rule of thumb, the ICO categorises cookies into the following groups:

  • Category 1: Strictly Necessary

These are ‘good’ cookies. They are vital to the operation of a website and to the experience of the user. They store things like shopping basket references, anti-forgery tokens and user account sessions. The new regulations will not affect your use of these cookies.

  • Category 2: Performance

Category 2 and 3 cookies are grey areas in terms of whether they’re in the interests of the user or the site owner. Category 2 cookies help with the performance of your site. They store information which will show a particular version of a site to the relevant visitor etc. You’re not likely to need consent but you should mention these cookies in your website’s terms and conditions.

  • Category 3: Functionality

These category 3 cookies store information from visitors to your website which can be used to remember user settings such as colour and font preferences. They can also be used to analyse web usage, which will help you to develop your website and online marketing strategy. In terms of SEO and PPC advertising, Google Analytics cookies are defined as category 3. You will need to obtain the permission of users before you can download category 3 cookies to their browsers.

  • Category 4: Targeting/Advertising

These are the ‘bad’ cookies which the EU and the ICO are trying to regulate. If you’ve ever browsed for shoes online and then found that every subsequent site you visit displays adverts for your favourite shoes, then category 4 cookies are at work. Unfortunately for affiliate websites, their cookies work in this way too.

These cookies keep track of users’ browsing histories and allow websites to provide specifically targeted advertising. For many this use of cookies seems like an invasion of privacy. You absolutely must notify visitors if you are using these cookies and must obtain their permission before they are used. 

The Analytics problem
For any website hoping to boost its web presence and traffic through search engine optimisation or pay per click advertising, changes to cookie law are a concern. Google Analytics relies on all visitors using category 3 cookies to provide them with vital information like:

  • Where your site is viewed from
  • What technology is used to browse your website
  • When and how regularly previous visitors return
  • Your most popular pages
  • And lots of other indispensable information

More than 15 million websites use Google Analytics and this 15 million includes more than 60% of the top 10,000 websites on the net. If forced to ask permission from visitors before using Analytics cookies, many users may choose to opt-out. This could seriously affect how reliable and useful any analytic data is. This, in turn, could be detrimental to the development and online marketing of your website.

Should I be worried?
The ICO has threatened to fine websites up to £50,000 for every non-compliant cookie, but before you freak out, remember the scale of the operation. There are millions of websites out there and there are far bigger fish to fry than small online businesses. The ICO is much more likely to be looking out for repeat offenders and large companies who wantonly flout the new guidelines. Unless a complaint is made against you, you are likely to be safe, especially if you have made some effort to educate your visitors in a clear, easy-to-access terms and conditions section.

Of course, here at Designer Websites, we are expert website developers, not legal experts. If you want to make sure your approach to new cookie regulations is watertight, get an experienced legal advisor on side.

How do I get cookie compliant?
So now you know all the ins and outs, it’s time to decide how you want to approach these cookie changes. After your cookie audit, if you have found any cookies of category 2 or above, it is smart to take action. Either remove the cookies you do not need or make some changes to your website.

Here are a few examples of how other sites have done it…

  • The ICO themselves have used a very simple opt-in policy (opt-in is more compliant than opt-out) and a link to more information. No invasive cookies will be used on this site until the visitor accepts them.
  • The BBC and John Lewis have met the ICO halfway by adding very comprehensive cookie information and guidance on their websites – yet there is no clear or immediate information or options available.
  • BT has taken the changes very seriously. They offer reams of immediately accessible information as well as an up-front choice about whether users want to use cookies or not. These options are, however, opt-out. Cookies will be used unless the visitor actively chooses otherwise.
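
The cookie audit and the four ICO categories described earlier, together with the opt-in approach in the first example above, can be put into code. This is an added example, not code from this guide's authors or from any of the sites mentioned; the cookie names `basket_ref`, `site_version`, `font_pref` and `ad_profile`, the name-to-category rules, and the choice to hold back unclassified cookies until they are reviewed are all assumptions for illustration.

```javascript
// Added example: the name-to-category rules are assumptions; use your own audit results.
const RULES = [
  { pattern: /^(ASP\.NET_SessionId|PHPSESSID|basket_ref)$/, category: 1 }, // session, basket
  { pattern: /^__RequestVerificationToken/, category: 1 },                 // anti-forgery token
  { pattern: /^site_version$/, category: 2 },                              // hypothetical name
  { pattern: /^(__utm[abcz]|font_pref)$/, category: 3 },                   // Google Analytics, preferences
  { pattern: /^ad_profile$/, category: 4 },                                // hypothetical ad cookie
];
const ACTION = {
  1: 'no action needed',
  2: 'describe in terms and conditions',
  3: 'obtain permission before setting',
  4: 'notify and obtain permission before setting',
};

// Extract the cookie name from one Set-Cookie header value.
function cookieName(setCookie) {
  const pair = setCookie.split(';')[0];
  const eq = pair.indexOf('=');
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// Classify every cookie; anything unrecognised is held back until reviewed (assumption).
function auditCookies(setCookieHeaders) {
  return setCookieHeaders.map((header) => {
    const name = cookieName(header);
    const rule = RULES.find((r) => r.pattern.test(name));
    const category = rule ? rule.category : null;
    const action = rule ? ACTION[category] : 'unclassified: review manually';
    return { name, category, action, needsConsent: category === null || category >= 3 };
  });
}

// Opt-in gate: names of the cookies that may be set for this visitor.
function allowedCookies(setCookieHeaders, hasConsented) {
  return auditCookies(setCookieHeaders)
    .filter((c) => hasConsented || !c.needsConsent)
    .map((c) => c.name);
}

// Constructed sample input: Set-Cookie values as an audit crawl might record them.
const SAMPLE = [
  'ASP.NET_SessionId=abc123; Path=/; HttpOnly',
  'site_version=b; Path=/',
  '__utma=1.2.3.4.5.6; Path=/',
  'ad_profile=shoes; Domain=.example.com; Path=/',
  'mystery=1',
];
console.table(auditCookies(SAMPLE));
```

With an opt-out design like the BT example, `hasConsented` would default to true instead, which is why the unclassified `mystery` cookie is worth catching in the audit before it reaches visitors.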

There are many problems with up-front choices and notifications. They can look so scary that people may simply bounce from your website, or people may choose not to use cookies which will be detrimental to your Analytics. If you are going to go down this route, we’d recommend split testing a few options so you can see which have the best results.

If you’re not going to use a pop-up or immediate cookie system, we’d recommend making extra-sure your terms and conditions contain a thorough run down of the cookies used on your site, along with all the information required to let users know how they work, what they do and how to turn them off.