Are you ready for the new cookie directive coming into force in 6 days time?

Certainly I’m not!

Did you even know that from next Wednesday (25th of May 2011) it will be a legal requirement to get consent from your website visitors to use cookies? Heck, do you even know what cookies are? You wouldn’t be the only website owner that didn’t, yet chances are that the directive will apply to you and require you to take action.

got breakfast? [explored #148]
Creative Commons License photo credit: MahPadilha

Ridiculous?

I need your help to get me up to speed. When legal meets technical and throws in marketing considerations to boot, confusion is a certainty. From my research so far, this EU directive is definitely not breaking that rule! Even the ICO (the UK government department responsible for enforcing this) admits that there is a lack of clarity.

I’ve done a bit of reading up so far (ICO guidelines, the optimistically titled DMA guidelines and some nice posts from Steak Media).

The word “ridiculous” seems to be included in every conversation relating to the directive. This is highlighted perfectly by Dave Naylor’s parody.

Like it or not though, it’s coming. Being an EU directive we can expect the UK government to take its enforcement duties seriously, even if no other member state bothers.

The confusion has its upside, namely it creates an acceptance that website owners are not going to get it absolutely right. The ICO have made it clear that they will treat those who can demonstrate that they have made a concerted effort very differently to those who bury their head in the sand.

Better late than never

Over the coming few days in the run up to the directive coming into force, I’m going to be seeking to get to grips with it and come up with my own opinions as to what needs to be done. We will be developing and executing a plan for Attacat as well as helping our clients to get into shape and will be sharing our views.

I have a seed of a plan in my head for creating a common sense resource for all of us trying to comply with the directive. We even have a simple tool in the pipeline which we will make available free of charge. Hopefully this will help you develop your own plan as well as encouraging those with greater knowledge than us to critique our approach.

I hope it is a journey you will join me on (by subscribing to this blog and adding your comments). I’m not a lawyer, privacy campaigner or a developer so if you are I hope you will share your knowledge. If you are a website owner we’d love to hear what you are doing about the directive and for you to contribute your opinions. If you are from the ICO even better!

Help please

So how can you help at this point? I’d like to know:

  • What resources have you found that I should read?
  • What, if anything, are you doing about it?
  • What questions need answering/what are the grey areas?

7 thoughts on “Are you ready for the new cookie directive coming into force in 6 days time?”

  1. Dan Frydman says:

    Well done Tim – it’s going to be great to have a solution to this – even if it’s one that puts site owners’ minds at rest that it’s been addressed.

    We’ve been led down the path of legal requirements for sites before – notably W3 accessibility compliance levels, Companies House company information and more recently PCI DSS (credit card company) compliance.

    In reality I think the laws at EU level are only there to beat up the big companies who take advantage. Securing better accessibility from FTSE 100 companies has a trickle down effect on best practice. The same is true for other legislation.

    I don’t expect us to be implementing terms and conditions changes on cookies next week (I’ll be on holiday) and I don’t think it’s worth adding any statements until there are recommendations from the UK authorities.

    When best practice emerges then we’ll see some of the big players make their moves and we can follow the lead of those that the online community judge have got the balance right.

    There are far too many things to highlight on sites, the changing status of cookies is not a banner I expect to notify anyone of above money based calls to action.

    • Tim Barlow says:

      Thanks Dan.

      “the changing status of cookies is not a banner I expect to notify anyone of above money based calls to action”

      This has to be one of the biggest grey areas to be investigated – just what does “getting consent” mean. I quite like the idea of trying to formulate a scale of “risk of not complying” to different situations.

      “I don’t expect us to be implementing terms and conditions changes on cookies next week (I’ll be on holiday)”
      From what I’ve read so far doing something is probably better than nothing. Is anybody going to be chasing this up before you get back from the beach? I very much doubt it and they will inevitably start at the top of the pyramid.

      “notably W3 accessibility compliance levels, Companies House company information and more recently PCI DSS (credit card company) compliance.”

      Oh good, lots of nice things for me to get my head stuck into once the ICO have accepted my recommendations :)

  2. Ali Syme says:

    Well we have a lot of cookies…a lot…a lot…a lot. Google Analytics – that has a cookie. The website is eCommerce so needs to keep a session open so that’s another. There’s a recommendation engine that needs one, remarketing tools that need their own and an affiliate network that needs one.

    If you were to get a prompt every time a site wanted to add a cookie to your computer (as some have tried) you’d have to go through a lot.

    We’re not worried because it’s a customer service issue for us. We don’t take too much information – just enough to make sure the customer has an easy journey through the site – and we offer opt outs on ads and a 30 day cookie period maximum so we don’t hold on to information.

    We’re going to get a page dedicated to privacy and cookies – explaining how to erase cookies, what the ‘opt out’ actually means to them (since it’s just another cookie) and probably a link to some genuinely good impartial guidance on the actual regulations (if you can call them that).

    Our customers will be informed about how to get rid of our cookies, how to disable ours, how to opt out of ads if they don’t mind the cookies themselves and what we actually do with that information and how us having it makes their journey better.

    I have no resources at which to point – in fact your post is the most useful resource I’ve found! – but we’ve been looking at this since March and aren’t worried. For us, IAB opt-out guidelines and the responsibility to the browser is the most important thing so the first step is to inform, and then act on any issues from then on.

    • Tim Barlow says:

      Hi Ali

      Your approach sounds very thorough and is exactly what the current regulations require us all to do (but in most cases don’t). However come Wednesday I am not sure it would comply as you make no mention of getting consent. That however simply highlights the over zealous nature of the regulations IMHO.

    • Tim Barlow says:

      Forgot to ask Ali. How did you go about finding out what cookies your site uses?

  3. Paolo Ciarrocca says:

    I think that the overwhelming majority of websites will remain largely unaffected by all this. They will probably only need to add a paragraph in their terms and conditions and/or privacy policy (and let’s be honest most sites don’t even have those).

    Honest websites only use cookies that will fall in the “strictly” necessary category or are pretty much privacy neutral.

    Dishonest websites will ignore all of this and rely on the fact that ICO hardly ever enforce anything when it comes to the web. Have you ever heard of a medium/small website for not complying with any of the existing regulations, such as accessibility & data protection?

    • Tim Barlow says:

      Hi Paolo

      “Honest websites only use cookies that will fall in the “strictly” necessary category or are pretty much privacy neutral.”
      I’m really not sure about this – very few cookies fall into the strictly necessary category though it wouldn’t surprise me if the ICO broadens this definition in due course. I’d define Attacat as an honest website yet we have Google Analytics, Share This and various other bits and bobs which I’d describe as standard but not necessarily privacy neutral.

      I think more than a para in T&Cs is required as that does not gain “consent”. Agree though about dishonest websites.

      I have heard of small companies being had up by data protection and advertising standards.
