If you have a website and have not yet read the Information Commissioner’s Office (ICO) guidance to the new EU cookie laws then we suggest you do so. Website owners / publishers have until May 26th 2012 to comply. The ICO has powers to fine website owners up to £500,000 for serious breaches!

This law isn’t going to go away and cannot just be ignored. The Information Commissioner has been clear that he will take a practical and proportionate approach to enforcing these rules where organisations are making the effort to comply, but if you are not…..

So, what’s the law about? You can get some good simple guidance form our friends at Roxburgh Milkins. Their blog about the new cookie law covers it simply and gives some good advice, but in simple terms:

• Cookies are small text files used by web developers to perform certain functions on a website. They are not anything like a virus but they can include some information about a user and their activity on a site. So because they can allow websites to track visitors and can be utilised by advertisers to target ad campaigns they can - perhaps, sometimes - be regarded as a privacy threat. Cookies are actually specific to the device a visitor is using to view the site - like the browser or mobile phone. Almost all websites use cookies in some way or another, and every page you visit in those sites writes cookies to your ‘computer’ and receives them back from it.
  
  
• So, now, any user has to be “provided with clear and comprehensive information about the purposes of the storage of, or access to, that information”.

Before the new law a website owner / publisher could ‘assume consent’ to cookies, place cookies on a user’s hard drive and collect data on the basis that the user had not opted-out. Now the website owner / publisher must expressly obtain any users’ informed consent and opt-in before using any cookies unless the cookie is ‘strictly necessary’ for the operation of the site. This is not a get out. It means that, for example, a cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket is allowed but that a cookie used to recognise a user when they return to a website is not.

The question is, what does this actually mean for you?

Well, firstly you have to know whether your site uses any cookies (and as noted above, most do in some way) and what those cookies are for and there are a number of things to consider:

• Client side cookies such as some used by Google Analytics can be found with relative ease using the details you can find in a browser or using a plugin.
  
  
• Server side cookies such as those used for a shopping basket will need your web development team to accurately list and identify these from the server side source code.
  
  
• 3rd party cookies such as those used for Google Analytics or by Facebook and Twitter utilities or other services you may have on your site have to be identified by them. So, for example Google has a whole section about Google Analytics cookies.
  
  
• Understand the degree to which each cookie impacts your website's visitors' privacy and consider how necessary each cookie is, whether any can be removed, etc.
  
  
• Decide how you are going to describe the cookies you use so that your site visitors can easily find the information to understand and give ‘informed consent’. The ICO privacy page may be a useful guide here.
  
  
• Decide on a solution for obtaining consent. The ICO gives some guidance on this from page 13 onwards of their Guidance PDF.

Post written by Richard Hill