Changes to UK Law regarding cookies
UPDATE 29th May 2012. The latest version of the ICO guidance has a new section saying that implied consent is acceptable. The key paragraph is:
For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set. [my emphasis] Source, p8 para3
UPDATE 18th May 2012. The one-year hiatus on fining non-compliant websites ends next week on the 26th. The current state of play is that very few websites are compliant. According to theregister.co.uk, "The majority of [government] department websites will not be compliant with the legislation by [the] date." Moreover, it looks like we may have an exception for Google Analytics:
The watchdog has already intimated that a single breach could be sufficient to trigger the levying of a fine. However, it has also admitted that it is not likely to take action against website operators that use data analytics cookies, which measure the number of users of websites and how those individuals use them, if those operators have failed to meet the standards for consent for those cookies.
UPDATE 19th October 2011. No real change since the last update. Of all the government websites I've looked at, only the ICO have attempted to comply with the rules, and then with the caveats I mention below. So I'm still thinking we wait to see what the big boys do. I would like to think that the Government would sort their own house out before going after businesses, but the cynical part of me doubts it.
UPDATE 25th May 2011. Today is the last day before the new rules come into effect. The UK government have said they will not be prosecuting failure to comply for 12 months, and the EU says it will sue the UK government if it fails to act on complaints (Reference). The ICO have made changes, but still set their session cookie without permission, which I understood to be against the rules; if they have had a change of mind over this, most of our problems go away. Also, a lawyer has decided it's impossible for him to advise what needs to be done to comply.
UPDATE 11th May 2011. After reading the advice below, some customers believed that putting extra notes in the terms and conditions would be sufficient. It is not. You have to actively get permission: someone needs to click something that says they agree, and it can't be buried in the terms and conditions.
Here are the main points for existing Artumi Systems customers:
- Users must agree to cookies being stored on their machine before you send them a cookie.
- If cookies are used, you must state on the site how they are used. I have provided some example text below, which you can amend as you see fit.
- All the sites Artumi Systems has built have automatically turned cookies on for every user. The main use of them is to detect repeat form submissions in every form, such as a "Contact Us" form: if someone presses submit twice, the right thing happens, whether that is adding only one item to a shopping basket or sending only one email.
Basically, every customer is likely to be affected.
When is the deadline?
It's very close: 26th May 2011. I only learned about this on 9th May 2011, which is when the advice was published by the ICO.
Can I ignore this?
That's a tough call. On the "Yes" side of the argument:
- No one else is doing it, yet.
- Although the ICO is able to serve penalties of up to £500,000 on people who make unwanted marketing phone calls, there appear to be no such penalties for breaking these guidelines as yet.
- The law is deranged: users may turn off cookies via their browser settings, so the fact that cookies are turned on could be interpreted as implicit permission. The guidelines (link below) say this is not considered sufficient, but it is arguable.
- No one is likely to check small sites, except maybe commercial competitors.
- It may be that browsers will be updated in the near future so that users can give more fine-grained permissions about what cookies may do, and we can dispense with all this. On the other hand, people are still using Internet Explorer 6, which is over 10 years old, so the time it would take for everyone to use a browser feature that hasn't yet been written will be measured in years.
On the "No" side of the argument:
- It's the law.
- Competitors could report you.
- There will eventually be penalties that the ICO can impose for a failure to comply, according to a quote from the press release.
Essentially I think this is a business decision.
How will this affect my Customers/Users?
That depends. If you turn off analytics, and alter every form on the site so that it warns the user that a cookie will be set when they use the form, you will probably be OK.
We should expect to see lots of notices about "Cookies" appearing on websites in the near future, which many users will simply not understand. They may become scared and leave the site.
Also, once we have permission to store a cookie we will want it to last as long as possible, so that the customer is not asked again. In the past we let the cookie be deleted when the browser was closed, except for the Google Analytics cookies.
If you are paying for a support contract I will conduct a review of how these issues affect your site and propose a solution. If you do not pay for support please contact me if you would like to do something about this.
I would wait to see what big sites do, like eBay, or Amazon. They are likely to find the most customer friendly way of complying and we can then follow their lead.
Where can I read more about this?
Example Cookie Usage Policy
Use the examples below like a pick and mix.
For Google Analytics Users
For people with "Contact Us" type forms
Cookies allow us to deal with accidentally repeated submissions when you fill in one of our forms.
For all sites
We do not permanently link your cookies to any personal information you provide. So each time you visit the site your identity is not known to us.