EU Cookie law – is your website compliant?

It’s not long now until the EU cookie law, the EU Directive on Privacy and Electronic Communications, comes into effect.

On 26th May 2012, all UK websites will need to comply with the new directive. According to a report by consultancy KPMG, issued this week, 95% of UK companies have yet to comply.

That’s a pretty poor show really, seeing as the directive came into force in May 2011 (even if the Information Commissioner’s Office did give us all a year’s grace to sort things out!)

But it’s more worrying when you realise that these companies are therefore risking fines of up to £500,000.

What do you need to do?

For you to comply, it’s no longer enough to just state whether or not your site uses cookies and how you use the information you collect – if indeed you are even doing that anyway – many websites aren’t and didn’t even have a privacy policy!

So now, to ensure that you’re compliant, you need to:

  • Undertake an audit of the cookies that your site places on your users’ computers – you can do this for free using Attacat’s free Chrome toolbar extension; and
  • Find out what information is taken from users of your website and decide whether it falls within or without the directive.

If you’re using cookies that are affected by the directive, you will then need to:

  • Tell people that the cookies are there;
  • Explain what the cookies are doing – this is the hard bit, but I love Attacat’s cookie policy wording, which they say you can use; and
  • Obtain their consent to store a cookie on their device.

Some solutions for your website

If you’re using a CMS like WordPress, Drupal or Joomla, then your site will almost certainly be using a number of plugins or modules that will be storing cookies on your users’ computers.

Here are some solutions for you to consider:

  • CookieCert Cookie Consent Tag: this comes as a WordPress plugin or as some code you can add to your site.  It places a consent bar at the top of your site and also provides a link to your site’s unique page on CookieCert.com which details the cookies found during a cookie audit of your site, which in turn allows you to demonstrate your compliance. It looks good so I tried the plugin, but it wouldn’t work for me. Configuring the code-only option is simple, but I didn’t add it to my site because I couldn’t find any instructions about exactly where to put it. I wasn’t sure if it had to be on each page, or if it should go in header.php or footer.php, or somewhere else. And I couldn’t be bothered to faff around testing it or trying to figure it out.  I also couldn’t find any contact details for this company, and they offer “certification” for $195, so all things considered, I decided to steer clear.
  • Cookie Control is a neat little icon device that sits on your site – at bottom left or bottom right – and then pops up to ask the user for consent, along with giving links to your privacy policy and to details about how a user can change their browser settings.  You can download some code, and there’s also a WordPress plugin, a Drupal module (and a Magento plugin “coming soon”).  I have installed the WordPress plugin on a couple of my sites (including this one – did you spot it?) and it works well. [Edit: 24th May 2012 – I’ve since removed it after two of my clients complained they didn’t like it popping up! Not sure what I will do now. And only two days to go!!] [Another edit: 26th May 2012 – The deadline day is here, so I had to do something! I have added a top bar to explain that the site uses cookies, and have linked it to a comprehensive cookie policy that now sits outside of my previous privacy policy. It it’s good enough for the BBC and for McDonald’s, then it’s good enough for me!]
  • EU Cookie Directive is a simple WordPress plugin that displays a banner at the top of your website. You can configure it with your own message (and colours too if you know some CSS and how to edit it).  I tested it on a couple of sites and it works well, but I don’t like it as much as the nifty Cookie Control plugin.
  • The EU Cookie Law WP Plugin is also a WordPress plugin, but it costs £10 – or £25 for a multisite license – and I really can’t see the point in paying for something you can get elsewhere for free!

 

Further reading:

 

Photo credit: Gary Tamin

 

Categories

18 Comments

  1. Another highly useful solution used throughout UK sites is eVisit Analyst’s cookie-free analytics system- eVisit Analyst 8.

    This helps websites retain accurate analytics data which is often lost through web visitors declining cookies.

    For more information visit: http://www.evisitanalyst.com/eva8/?evacid=kr

  2. NickT says:

    I’ve been looking into the Cookie Control you’ve used, but did you know that your page still creates cookies, even though I haven’t consented? My understanding, although limited, is that the Cookie Control takes care of asking the user for consent, but on it’s own it’s fairly useless as WordPress still creates cookies, unless it gets updated to take the Cookie Control response into consideration.

    • NickT says:

      Furthermore, using the Attacat Cookie extension for chrome, apparently, 22 cookies are set by your site before I even have the chance to click ‘I am happy with this’ in the Cookie Control popup.

      • Claire Kerr says:

        Thanks for the feedback Nick. I didn’t think to check after I’d installed it if it was indeed doing what it’s supposed to be doing!

        Back to the drawing board, I guess! Anyone else have any good solutions?

        • Sandie says:

          Hi Claire,

          Cookie Control is essentially a mechanism for delivering an opt-in box and explanatory text to your users. It isn’t a full solution in itself, as you need to establish what elements of your site are using cookies, and hook them up to Cookie Control as appropriate. Civic’s Cookie Control site is actually very good, I’d urge you to take another look at it 😉

  3. NickT says:

    I think the problem is that all these ‘solutions’ require some effort from the developers, not just for WordPress, but Drupal, Joomla etc. The Cookie Control add on is nice, but what it fails to mention on the WordPress page is that it provides JavaScript functions that can be used by the code that sets the cookies. So while it successfully lets the visitor choose whether to ignore or set cookies, the core wordpress/drupal/joomla code needs to be edited to take this into account. I noticed the Drupal download page mentions this in a note to developers, but the wordpress page doesn’t, and I think it’s a little misleading, as it sort of indicates that you can install it and it will solve the problem. I’m putting together a Joomla extension that will work with Cookie Control, but I’m yet to work out how I can then get the Joomla code to pay attention to the option chosen by the visitor, and tell it to not create the cookies. Good luck finding a solution.. this is a nasty change enforced on a lot of unsuspecting people.

  4. Bob the Brit says:

    At the end of the day – probably May 26th – I suspect that the ICO will have to deal with some recalcitrant big boys… not least Google whose analytics cookies are ubiquitous.

    By using something like Cookie Control I suggest that we smaller web publishers will have shown clear intent to comply with the legislation. The ICO is more likely to look kindly on those who have made clear attempts to comply than those who choose to ignore it.

    • Claire Kerr says:

      Hi Bob. I actually can’t wait until 26th May to see how many new checkboxes and pop-ups I’m going to have to tick to just browse around. I think it’s going to cause a bit of a stir and plenty of resentment amongst users – not least me 😉

      Of course, the other school of thought is that mostly everyone will ignore it (or not know about it anyway), making the legislation pretty much unenforceable. Which would be nice.

  5. Wolf Software says:

    We have created and released an entire suite of consent solutions, both free and commercial to allow website owners to request consent from their users.

    http://demos.dev.wolf-software.com

    • Claire Kerr says:

      Thanks. I dumped Cookie Control because two of my clients complained about it popping up! I’ve today seen the BBC News‘ new cookie notification at the top of the page. I like that. I expect it was all coded in-house rather than being an easy bolt-on that the likes of me and other small companies could use, but I liked the approach and the fact that they’d styled it to fit their site’s branding.

      Your software is all very technical for non-techies. Do you have any WordPress plugins that will do it all easily?

      • Tim Barlow says:

        Hi Claire

        Interestingly the BBC is not getting opt-in they place an analytics cookie before you say yay or nay. New guidance from the ICO today is also looking good for a less strict interpretation of consent.

        Thanks also for featuring our audit tool. Would be keen to get your thoughts on the new version just released at http://www.attacat.co.uk/resources/cookies – the new functionality now automatically creates a cookie information page and does some classification of cookie types within that.

        • Claire Kerr says:

          I’ve given up trying to find a fully compliant solution. Instead, I had a good look round the web today and I’ve chosen to imitate the BBC and McDonald’s and plenty of others by adding a notification bar to the top of the website. It’s not perfect, and it ruins my branding a little by covering the top element of my site, but it’s less obtrusive than some of the other options, and it’s a solution of sorts.

          For anyone interested in doing the same, I used a WordPress plugin called Easy Heads Up Bar.

          I watched your video about the upgraded Attacat audit tool – looks fab. I’ll just whizz off and update my Chrome extension and update my cookie policy. Thanks very much for providing such a great, free tool.

  6. Jeff says:

    Hi Claire,
    Thanks for your very interesting article.
    As a web designer and developer I decided to take a radical approach to this new EU law invented by a bunch of incompetent technocrats. In polite terms:
    “Just ignore them and their useless laws”
    From what I understood, this law applies to sites hosted within the European Union countries. What about if I use a US based hosting company or any other one outside the EU. Not concerned anymore? That’s good, I will host all of my sites outside EU!
    What is going to happen to a site hosted within the EU that uses cookies? Are they going to arrest the site owner? Jail him/her ? Seriously speaking. They’re going to ring to your door and say “Sir, Madam you are under arrest because your site is using cookies”.
    I wish I could see this. That would make my day!
    No seriously. There are more important things in the world than discussing and inventing silly laws about site cookies. I bet this law will never be enforced and, in 2 months time nobody will talk about it anymore.
    Just one last word. Of course the EU parliament site uses cookies. Have you seen a cookie consent policy somewhere on their site? Of course not! What a joke.
    Jeff

  7. Claire Kerr says:

    Hi Jeff. The ICO’s last minute change in their guidance means that website owners can now use “implied consent” as a valid form of consent to receive cookies. This has no doubt helped immensely and seems to have calmed many fears about needing to implement drastic, surfer-deterring measures.

    But I agree with you – it’s absolutely a silly law!

  8. “But I agree with you – it’s absolutely a silly law!” – the best summary :)

Leave a Reply