Whether you are up-to-date with the ICO’s (Information Commissioner’s Office) new guidelines or don’t know your cookies from your shortbreads, you can find out all you need to know here to help you plan for your future.
So what are cookies?
Let’s start from scratch. Cookies are small text files which are sent from your web server to your visitors’ web browsers. These files are then used to collect information from your visitors and store it so it can be used later.
What’s the problem?
The key problem is that very few users understand what cookies are or what they do. This means that the vast majority of websites are essentially ‘taking’ information from visitors without their knowledge or permission. The percieved morality of this depends on whether or not the information taken is being used for the visitors’ benefit or for the benefit of the website’s owners.
For instance, some cookies are used to help guard against forgery. They can help users assemble and save a shopping basket or remember settings that users have chosen. These types of cookies are clearly in the user’s interests.
Whilst many cookies are helpful to users, others are very helpful to advertisers and website owners. Cookies can be used to show users targeted adverts that follow surfers across the net based on their previous browsing, leaving some to feel like their privacy has been invaded. These are the main types of cookies the new regulations are legislating against.
Google Analytics and cookies
Whilst some cookies are clearly helpful to either visitor or website, others fall into a grey area. One of the biggest problems with the changing regulations is just how helpful cookies can be for both parties. They make it possible for websites to assess performance, improve usability and boost business too. With Google Analytics on your side you can keep track of:
- Where people view your site from
- What technology people use to browse your site
- How often visitors return
- Areas of most interest on your website
- Along with so much more
Over 60% of the top 10,000 websites make use of Google Analytics, and it has been suggested that in excess of 15 million other sites make use of the tool. As Google Analytics relies on cookies to gather information about website usage, the change in EU regulations is a big worry for a vast number of sites. SEO and Pay Per Click teams are especially reliant upon good analytics to create effective online marketing campaigns for your website.
Are my cookies ‘good’ or ‘bad’?
The type of information cookies collect and how this information is used varies and will affect how you need to roll with the changes. Below you’ll find the different categories that cookies broadly fall into. Some of these are integral to the running of your website and these will not be regulated. Some cookies, however, are not essential and the new regulations will affect how you use them.
- Category 1: Strictly Necessary
These are cookies used for vital parts of websites. This includes information like anti-forgery tokens, shopping basket references and user account sessions. The new regulations will not affect the way that these are used and you will not need to have the consent of visitors to use them.
These cookies are used to assist performance. They help with tasks like showing a particular version of a site to the relevant visitor. Although you’re unlikely to need consent, these cookies need to be mentioned in the terms and conditions of your site.
- Category 3: Functionality
Analytics is the big one here. These category 3 cookies store information from visitors to your website which can be analysed to gauge usage and develop your website accordingly. This is the category you should be most concerned with when it comes to SEO and Pay Per Click advertising. These cookies will also remember customisable user settings like font and colour preferences.
ICO states that you should have the consent of users before these cookies are downloaded to their browsers.
- Category 4: Targeting/Advertising
These cookies are one of the main reasons people are nervous about cookie usage. They track visitors from site to site, collecting information which makes it possible for websites to display specific, personally tailored adverts – this is known as targeted advertising and many people are uncomfortable with it. You must notify visitors if you want to use category 4 cookies. You must also obtain each user’s consent before downloading them to any browser.
Awareness and consent are at the centre of the new EU e-Privacy Directive’s regulations. Extensive research has revealed that very few people actually understand how cookies work, what they’re for, what they do or how to opt out of using them. For instance, one study commissioned by The Department for Culture, Media and Sport, revealed that 37% of respondents had heard of cookies but had little or no understanding of how they work or what they do.
What does this mean for my website?
If you’re using anything higher than Category 1 cookies on your website then it is time to rethink how you use them. To be compliant with ICO guidelines you will need to do some of the following:
- Inform visitors immediately that cookies are in use on your website
- Give visitors the option to opt out of using cookies before proceeding
- Provide visitors with thorough information about which cookies are in use, what they do and how they are used
Many experts advocate split testing a few pop-up options in order to design an informative, cookie opt-in service with a high opt-in rate which causes the fewest bounces from your site.
What should I do?
Here at Liberty we aren’t legal experts; if you want to be absolutely positive you are sticking to the letter of the law, get your solicitor to look over the ICO guidelines. That being said, the ICO regulations document has the following to say about Analytics cookies:
“The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies to fall within the ‘strictly necessary’ exception criteria. This means that in theory websites need to tell people about analytical cookies and gain their consent.
In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
As you can see, this is a very flexible statement which appears to state that those using cookies for purely analytical purposes are very unlikely to face any type of formal action, provided they supply clear information on their site about which cookies are being used and why.
If you are using cookies which are more intrusive, it would probably be wise to ensure you are completely compliant with the regulations. However, if you are using analytics cookies, you are very likely to be safe as long as you update your terms and conditions to ensure:
- Your users have easy access to information about which cookies you are using
- Your users understand which cookies are at work on your site and why
- Your users know they have the option to turn cookies on and off
- Your users know how to turn cookies off if they so choose
This is the way Liberty intends to progress; how you decide to work with the guidelines is entirely your call.
Another consideration is the fact that many experts are of the opinion that it is only big names and persistent, aggressive ‘regulation-flouters’ who are likely to face heat from the ICO. Many people from within the web industry believe the ICO is likely to make an example of a handful of large internet presences that make no effort to comply as well as those that repeatedly and unconscionably flout regulations and use invasive, aggressive cookies without warning visitors.
These regulations are going to be extremely difficult to enforce across the internet so, unless a direct complaint is made against you, a good, honest information policy regarding cookies is likely to stand small-to-medium enterprises in good stead.
What’s everyone else doing?
There have been a range of different responses to the changing cookie law across the internet. Some sites have done nothing at all, whilst others have expanded their terms and conditions to include an explanation of the cookies used on-site. Meanwhile, some sites have taken a more direct approach to ensure they are fully compliant with the new regulations. By and large it is the big brands and big names who have taken compliance most seriously.
BT, for example, have taken it to the extreme. If you look in their footer menu, you will see they have provided a clear, thoroughly informative pop-up and toolbar which gives each visitor all the facts they need as well as the opportunity to opt in or opt out of using cookies. They even allow visitors to decide whether they want to turn specific cookie types on or off. This gives users the choice to use any combination (or no combination) of:
- Strictly necessary and performance cookies
- Functional cookies
- Targeting cookies
Meanwhile, websites like the BBC and John Lewis have opted to meet the ICO halfway by providing very thorough help sections on the cookies used on their website. This at least shows willing, which is much more than many sites are doing.
Should I panic?
We wish we could give you a definitive answer here, but unfortunately all we can say is ‘probably not’. If you’d like to make sure you’re on the safe side, an informative and helpful guide to your site’s cookies is a very good move. Taking this step will not harm your website and also shows your visitors you are responsible and honest. If you do want to be as compliant as you can be, you may like to look into implementing a pop-up system to give users up-front, immediate information and options, yet compared to the majority of small to medium businesses online, this would be a fairly extreme response.
So how does the cookie crumble?
In summary, before the 26th May you should perform a thorough audit of the cookies you are using on your site.
- If you decide they are intrusive, either stop using them or (if you just can’t keep your hand out of the cookie jar) implement instant pop-ups which warn and inform users, then give them the option to turn cookies on or off.
- If your cookies are analytical, you might like to implement an instant pop-up strategy, although you are likely to remain compliant without it so long you provide all the requisite information somewhere on the site.
- If your cookies are for functional, user-centred purposes only, you are fine and can sit back and relax!