Is your website ready for 26th of May?
EU Cookie Law
In line with recent changes in European legislation, UK law now requires website operators to ask for a website user’s permission when placing certain kinds of cookie on their devices for the first time. Where consent is required, the law states that it should be “informed consent”. This increases the onus on websites to ensure that visitors understand what cookies are and why website operators and others want to use them.
Over 90% of websites in the UK use cookies.
A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites the cookies are then sent back to the website on each subsequent visit.
If you have a static website you may find that it doesn’t need cookies to help run it but if you are using a Content Management System then it will almost certainly be using cookies
As the owner of the website you are liable and certain actions need to be taken to prevent you falling fowl of this new law. The ICC (International Chamber of Commerce) has produced a Cookie guide which can be down loaded by CLICKING HERE. It explains in detail what needs to be done to safe guard your website against breaking the law. At first glance and if you start searching Google for more information you may start to panic, but it is not all doom and gloom YES certain modifications will need to be done to your website but in the majority of cases this is very minimal and remember EVERYONE is in the same boat and after the initial couple of browses around the internet everyone will be used to seeing warning about cookies.
What to do?
The cookies have been split into 4 categories which are listed below, you may or may not know which category your website falls into, if not call us on 0203 355 3625 and we will be happy to go through everything with you.
Category 1: strictly necessary cookies
Notice for users
These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for, like shopping baskets or e-billing, cannot be provided.
NB these cookies enable services you have specifically asked for.
Guidance for website operators
User consent is not required for the delivery of those cookies which are strictly necessary to provide services requested by the user. However, it is important to give users the opportunity to understand these cookies and the reasons they are used.
The ‘strictly necessary’ category is narrowly defined in the UK due to the wording of the law. The view of the ICO is that only a small range of activities can be categorised as ‘strictly necessary’ and the use of the cookie must be related to a service provided on the website that has been explicitly requested by the user.
Category 2: performance cookies
Notice for users
These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.
NB these cookies collect anonymous information on the pages visited.
Guidance for website operators
Web analytics that use cookies to gather data to enhance the performance of a website fall into this category. For example, they may be used for testing designs and ensuring a consistent look and feel is maintained for the user. They may also be used to track the effectiveness of ‘pay-per-click’ and affiliate advertising, but where the same cookies are used for re-targeting they must be included in category 4 as well.
This category does not include cookies used for behavioural/targeted advertising networks.
Category 3: functionality cookies
Notice for users
These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance, a website may be able to provide you with local weather reports or traffic news by storing in a cookie the region in which you are currently located.
These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.
NB these cookies remember choices you make to improve your experience.
Guidance for website operators
These cookies are used to remember customer selections that change the way the site behaves or looks. It might also include cookies that are used to deliver a specific function, but where those function includes cookies used for behavioural/targeted advertising networks they must be included in category 4 as well as this category.
Category 4: targeting cookies or advertising cookies
Notice for users
These cookies are used to deliver adverts more relevant to you and your interests they are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.
NB these cookies collect information about your browsing habits in order to make advertising relevant to you and your interests.
Guidance for website operators
The view of the ICO is that the person setting the cookie is primarily responsible for compliance with the requirements of the law, which in this case may be a third party. However in practice, operators of consumer-facing websites may be best positioned to obtain consent. Where third-party cookies are set through a website, both the third party and the website operator will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this.
Where third-party cookies are involved, chains of responsibility can become complicated, but it is important to ensure that website operators and third parties work together to provide the user with as much information as possible in order to allow the user to make an informed choice as to whether to accept cookies from the third party. Website operators will not necessarily be aware of the exact type of cookies placed on their websites by third parties. This means that website operators and third parties must work together to ensure that the first party has complete information about the cookies used on that site and expressly agree the way in which consent to third-party cookies will be obtained from users and communicated to all parties.
Targeting or advertising cookies are placed for the benefit of website operators, either by third parties at the direction of website operators or alternatively by website operators using third-party functionality on their website. Careful analysis of your cookie audit will be required to establish the correct position.
Website operators should be aware that targeting or advertising cookies may be used for a range of purposes such as market research and analytics generally as well as online behavioural advertising. It is up to website operators that use category 4 cookies for such other purposes to develop their own statements and consent methodologies, adapting the principles and the wording in the guide accordingly.
Consent wording
Website operators should also provide for withdrawal of consent previously given by users to the use of each category of cookies. There is no prescribed form or process for this. But here is the ICC’s recommendations.
Category 1: strictly necessary cookies
For those types of cookies that are strictly necessary, no consent is required.
Category 2: performance cookies
These cookies only collect information about website usage for the benefit of the website operator, consent for use of these types of cookies may be obtained in any of the ways outlined earlier in this guide, for instance in the terms and conditions of the site or when the user changes the settings for the site. The method used will depend on the nature of the website, and the precise function/use of the cookies involved.
Obtaining consent by functional use: Immediately after the notice, place the words:
“By using our [website][online service], you agree that we can place these types of cookies on your device.”
Category 3: functionality cookies
As these cookies are site specific and are linked to user choices for using a site, consent for use of these types of cookies may be obtained in a number of ways, for instance when the user changes the settings for the site or selects an option, e.g. language or country. The method used will depend on the nature of the website, and the precise function of the cookies involved.
One option would be to use the same method as category 2: Obtaining consent by functional use: Immediately after the notice in Part 2 above, place the words:
“By using our [website][online service], you agree that we can place these types of cookies on your device.”
Or you may wish to opt for a different method. Obtaining “function” or “setting” led consent: At the point where the user selects the function or setting, add the following words:
“When you choose this [option][setting], you agree that we can place [customisation cookies][icon] on your device.”
Category 4: targeting or advertising cookies
These cookies collect the most information about users, so where the website operator is responsible for setting a targeting or advertising cookie it is important to obtain a clear informed consent from the user to their use. It is the party setting the cookie that is required by law to obtain the consent of the user but this is not always practical. Where a third party sets targeting or advertising cookies with the permission of the website operator, the website operator may be best placed to get consent for its use, even though it is the third party who is setting the cookie.
The ICO’s Guidance says that each party must play their part and it is up to the website operator to ensure that the relationship with the third party is clear. It is up to individual companies to decide the most appropriate method of obtaining consent, dependent on the purpose for which the category 4 cookies are to be used and the specific circumstances they find themselves in. What is absolutely clear is that whatever mechanism is used, the user should be given a clear, informed choice.
If you have any questions regarding this article or need help in making the changes to your website call 0203 355 3625 or email us your questions by Clicking HERE