Changes to UK Law regarding cookies

UPDATE 31st Jan 2013. ICO announce changes to how they will use cookies on their own site, which means this stupid cookie law is now dead. Our policy of "wait and see" has been effective.

UPDATE 29th May 2012. The latest version of the ICO guidance has a new section that says implied consent is fine. The key paragraph is:

For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set. [my emphasis] Source, p8 para3

So we can now get away with a "This site uses cookies, click here" kind of message.

UPDATE 18th May 2012. The one-year hiatus on fining non-compliant websites ends next week on the 26th. The current state of play is that very few websites are compliant. According to theregister.co.uk, "The majority of [government] department websites will not be compliant with the legislation by [the] date." Moreover, it looks like we may have an exception for Google Analytics:

The watchdog has already intimated that a single breach could be sufficient to trigger the levying of a fine. However, it has also admitted that it is not likely to take action against website operators that use data analytics cookies, which measure the number of users of websites and how those individuals use them, if those operators have failed to meet the standards for consent for those cookies.

UPDATE 19th October 2011. No real change since last update. Of all the government websites I've looked at, only the ICO have attempted to comply with the rules, and then with the caveats I mention below. So I'm still thinking we wait to see what the big boys do. I would like to think that the Government would sort their own house out before going after businesses, but the cynical part of me doubts it.

UPDATE 25th May 2011. Today is the last day before the new rules come into effect. The UK government have said they will not be prosecuting failure to comply for 12 months, and the EU says they'll sue the UK government if they fail to act on complaints. (Reference). ICO have made changes, but still set the session cookie without permission, which I understood to be against the rules, but if they have had a change of mind over this most of our problems go away. Also a lawyer has decided it's impossible for him to advise what needs to be done to comply.

UPDATE 11th May 2011. After reading the advice below, customers believed that putting extra notes in the terms and conditions would be sufficient; it is not. You have to actively get permission. Someone needs to click a thing that says they agree, and it can't be buried in terms and conditions.


There have been changes in the law that affect how websites may use cookies. Cookies are often used for tracking customers through a site, or across a range of sites.

Here are the main points for existing Artumi Systems customers:

  1. Users must say they will allow cookies to be stored on their machine before you send them a cookie.
  2. If cookies are used you must state how they are used on the site. I have provided some example text below, that you can amend as you see fit.
  3. If you need to use cookies for some essential function, like a shopping basket, you are exempted for that use, but not for others. So if you are signing into Facebook, they don't have to tell you about the cookie that keeps you logged in, but they will have to tell you about the other purposes the cookie is used for, like generating stats, or making those "Like" buttons, that you may have seen, work.
  4. All the sites Artumi Systems has built have automatically turned cookies on for every user. The main use of them is to detect repeat form submissions in all forms, such as a "Contact Us" form. This means if someone presses submit twice the right thing happens, whether that is just adding one item to a shopping basket, or just sending one email.

Basically, every customer is likely to be affected.

When is the deadline?

It's very close. 26th May 2011. I only learned about this on 9th May 2011, which is when the advice was published by the ICO.

Can I ignore this?

That's a tough call. On the "Yes" side of the argument:

On the "No" side of the argument:

Essentially I think this is a business decision.

How will this affect my Customers/Users?

That depends. If you turn off analytics, and alter every form on the site so that it warns you it's going to turn on cookies if you use the form, you will probably be OK.

If you want Google Analytics, or if there is another technical requirement for your site to use cookies, this could impact your customers quite badly.

We should expect to see lots of notices about "Cookies" appearing on websites in the near future, which many users will simply not understand. They may become scared and leave the site.

Also, once we have had permission to store the cookie, we will want to store a cookie that lasts as long as possible, so that the customer is not asked again. In the past we allowed the cookie to be deleted when the browser was closed down, except for Google Analytics cookies.
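
The consent gate described in this section, as an added example (not Artumi Systems' code): cookies for exempt uses are always allowed, the others only after the visitor has agreed, and the agreement itself is kept in a long-lived cookie so the visitor is not asked again. The cookie name, the purpose names and the one-year lifetime are assumptions.

```javascript
// Added example. Cookie name, purpose names and lifetime are assumptions.
const CONSENT_COOKIE = 'cookie_consent';
const ONE_YEAR = 60 * 60 * 24 * 365; // seconds

// true = exempt (essential function), false = needs the visitor's agreement.
const PURPOSES = new Map([
  ['basket', true],      // shopping basket
  ['form_once', false],  // repeat form submission detection
  ['analytics', false],  // Google Analytics style tracking
]);

// Parse a Cookie request header into name/value pairs.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Purposes the visitor has agreed to; unknown or exempt names are dropped.
function consented(cookieHeader) {
  const raw = parseCookies(cookieHeader).get(CONSENT_COOKIE) || '';
  return raw.split('.').filter((p) => PURPOSES.get(p) === false);
}

// Of the purposes a page wants cookies for, which may be set right now?
function allowedPurposes(cookieHeader, wanted) {
  const agreed = new Set(consented(cookieHeader));
  return wanted.filter((p) => PURPOSES.get(p) === true || agreed.has(p));
}

// Set-Cookie value sent only after the visitor clicks to agree.
function consentCookie(purposes) {
  const value = purposes.filter((p) => PURPOSES.get(p) === false).join('.');
  return `${CONSENT_COOKIE}=${value}; Max-Age=${ONE_YEAR}; Path=/; Secure; SameSite=Lax`;
}
```

The consent value is read back from the browser, so it is filtered against the known purposes before it is trusted.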

What next?

If you are paying for a support contract I will conduct a review of how these issues affect your site and propose a solution. If you do not pay for support please contact me if you would like to do something about this.

I would wait to see what big sites do, like eBay, or Amazon. They are likely to find the most customer friendly way of complying and we can then follow their lead.

Where can I read more about this?

Here are the guidelines and here is the Press Release.

Example Cookie Usage Policy

Use the examples below like a pick and mix.

For Google Analytics Users

We use cookies to track how you move through our site and how often you return. We use this information to provide a better experience in the development of this site. This information is provided to Google as part of their Google Analytics programme.

For people with "Contact Us" type forms

Cookies allow us to deal with accidentally repeated submissions when you fill in one of our forms.

For eCommerce

We use cookies to keep track of what it is you are purchasing.

For all sites

We do not permanently link your cookies to any personal information you provide. So each time you visit the site your identity is not known to us.