After the dust settled: compliance with the “Cookie law”

The grace period for compliance with the updated Privacy and Electronic Communication Regulations ended on 26 May 2012. Here’s a look at what happened in the final days, and how people have been implementing compliance.

The way things stood, both in the letter of the law and in the guidance from the Information Commissioner’s Office (ICO) was that prior consent must be gained from visitors to a website before cookies could be set.

Gaining prior consent has wide implications including:

• The need to modify the behaviour of any code which sets a cookie, to check that this permission has been gained.
• The need to provide a clear and helpful message to users, with a mechanism of gaining consent.
• 90% of users don’t give consent for cookies to be set, when asked for this prior consent. While statistics can be gathered without use of cookies, one of the big tools used is of course Google Analytics, which requires cookies, so this has a serious impact on website analytics.

With only a couple of days to go before the end of the grace period, the ICO revised their guidance, in what generally seen as a sudden u-turn. While their updated guidance does make the point that explicit consent is the only way to “allow for regulatory certainty”, it also makes clear that implied consent can be valid.

Much of the UK web industry breathed a collective sigh of relief and implemented the far simpler approach of implied consent:

• Cookies could continue to be set using existing mechanisms, so it’s much simpler to implement.
• Users need to be given a clear notice that cookies are being used on a site (it’s sensible to allow users to dismiss this message so that they don’t have to see it every time… oh yes, we have to use a cookie for that!)
• Users need to be provided with clear information about what cookies are being set and what each is for.
• It is certainly helpful to also provide links to help about managing cookies in your browser.

We must keep in mind that implied consent is not always appropriate. The more “invasive” or “sensitive” a cookie is, the more likely it is that explicit consent should be gained. The other thing to keep in mind is that it’s very difficult to prove that implied consent was “specific and informed” – what may seem obvious to one user might not be to another – hence the fact that the explicit consent route is the safe one to take from a compliance perspective.

At Heehaw, we’ve been installing a plugin to our clients’ sites which supports either approach:

1. Explicit consent, showing a message to users until they dismiss it (or disable cookies), and providing a framework for only setting cookies once consent is given. There’s a demo at http://cookies.heehawdevelopment.com or you can try it for real on the Premium Credit site.
2. Implied consent, showing a message to users once each session (typically every visit – a session lasts for as long as your browser open), unless they specifically dismiss the message, in which case this preference is remembered for longer. There’s a demo at http://cookies.heehawdevelopment.com/implied.html or you can try it for real on the Pagan Osborne site.

If you’re taking a look at both of the demos, you can use the “clear acceptance cookie” link at the bottom and then refresh the page to replicate the behaviour as if you came to the site for the first time: the two demos both use the same acceptance cookie.

Need help or advice on this? Do get in touch :-)

Article by Bryan Gullan

I am Head of Digital Development at Heehaw. Career highlights to date include working on projects for The University of Oxford, The Nuffield Trust and, more recently, Citizens Advice Scotland. I'm a keen advocate of Open Source, with particular experience of Drupal.