
Latest UK guidance for EU cookie law

New detailed guidance for marketers released by the Information Commissioner (ICO)


As of 27th May 2012, the new "cookie law", which is part of the 2011 amendment to the Privacy and Electronic Communications Regulation 2011, is now in force. There was a dramatic change in guidance from the ICO just before the new law came into force, stating that "implicit consent" is now the main requirement. If you're involved with managing websites, we recommend you download the new PDF from the ICO, read our short summary below or read the Guardian announcement.

In a separate post we've taken a look at examples of how UK companies are complying with the UK cookie law.

Summary of 25th May 2012 recommendation from the ICO

The big change in Version 3 of this document is the additional detailed guidance on implied consent. The previous guidance in December 2011 explained that "implied consent" wasn't acceptable and explicit opt-in was required:

In a softening of the stance from the ICO in May 2012 just before the law was introduced it seems that implied consent is acceptable:

The next page in the new guidance shows how implied consent can work - moving from one page to another where there is a prominent message "above-the-fold" can be taken as implicit consent:

We think this implementation on The Guardian is a good example. Some cookies are initially placed and this message is removed and additional cookies are placed when the user navigates to another page. We think this is compliant under "implied consent" and it doesn't interfere with user experience:

So overall, we think the new guidance is positive for marketers since it acknowledges the practicalities of implementing changes given that existing technology serves cookies and users often won't click to give explicit consent.

18th May 2012 recommendations

David Smith, deputy commissioner of the ICO recently announced clarification of what is required from UK businesses at a press conference and gave details on the action they will take. In summary, Smith explained these steps the ICO will be taking:

  • The ICO will send out 50 letters to owners of the UK's largest websites asking them to show how they are asking for user's consent to use cookies
  • Evidence of taking action is most important, for example: completing a cookie audit, making an action plan and updating privacy statements so they are clear
  • No immediate fines are planned - evidence of taking action is most important
  • Sites outside the EU such as Facebook, Google and other businesses don't need to comply.

Our summary of the detailed December 2012 cookie guidance

Through 2011 we have written updates on this new privacy law, specifically how it affects cookie use on websites and how it affects analytics - that post showed an alarming drop in recorded visits when cookie opt-in was implemented by the ICO. The guidance when the law was initially introduced was limited, so with the grace period not so far off now in May 2012, the new much more detailed guidance is welcome and it is much clearer. I’ve picked out 4 of the main things which are important:

1. You must obtain consent for cookies

Note that many still don’t adhere to the original 2003 PECR law…

2. There are exceptions

Exceptions on the left may help retailers, but opt-in to analytics and third-party advertising is required and there is no current general method for this - these cookies operate under opt-out currently.

3. Browser settings don’t help

We blogged in November that the new W3C Browser settings could help with compliance for this law. But unfortunately not…

4. Review the implementation example

Wireframes with ideas on implementation are now provided. It seems that pop-ups or footer bars may be the most practical option with the ICO suggesting that cookies could be set on the second page view - that’s easily said - not so easy to implement in practice since most sites and analytics set cookies on the first page view.

Here, for reference, is the full guidance published in the ICO post:

Marketing implications of the new guidance

The date to be aware of is 26th May 2012; however, the Information Commissioner has said in a recent blog post that:

“There will not be a wave of knee-jerk formal enforcement action taken against people who are not yet compliant but trying to get there”.

So there is not a threat of legal action if you are following the advice to achieve compliance. Interpreting the guidance, this suggests that by this date you should have:

  1. Audited your current use of cookies.
  2. Updated privacy messages on your site to reference use of cookies.
  3. Implemented or be working on implementing a method of offering opt-in to cookies.

Of course, 1 and 2 are relatively straightforward; it is 3 that is challenging! Here you are very dependent on integration with third-party systems - cookies are essential for offering login.

We’d be interested to hear about solutions to 3 that are available or you are working on as a client or a vendor/agency.

Share your thoughts

  • grady williams commented on December 24, 2014

    Thanks for sharing
    such a great and informative post with all of us.
    local citation

  • Albert einstien commented on December 11, 2014

    Definitely, what an
    outstanding website full of informative posts, I will surely bookmark this
    Capital Group

  • hely fell commented on November 14, 2014

    The deep
    you dig into the topic and endow with us the perfect knowledge is

  • Mickey James commented on November 13, 2014

    This is really an excellent blog as well as its content.special
    needs trust attorney

  • joey commented on January 17, 2013

    the companies will want to obtain consent.

  • Linda commented on July 31, 2012

    When it comes to email marketing, a digital marketing law like this is reasonable. For cookies though, it just might be easier to get rid of them rather than trying to figure out a way to get a user’s consent. If only this were possible!

  • Organisations are learning the hard way of the consequences of mishandling people’s information – and others need to heed the lessons the Information Commissioner, Christopher Graham, warned today at the launch of the ICO’s 2011/12 annual report. Thanks

  • I’m glad this doesn’t affect us. It’s too much of a bother for site owners and businesses, with too little benefit for the end user.

  • Damien Wright commented on May 26, 2012

    It’s interesting how the BBC have tried to handle this. Whilst I like their approach I’m not convinced it is in compliance with this crazy EU law. I’ll be interested to see if the ICO challenges them.

  • Damien Wright commented on May 26, 2012

    Just out of interest, when are we going to see how the Smartinsights website handle the problem around cookies? I know this is lazy of me but I was hoping that you guys would be setting the standards for best practice.

    • Thanks for the comment Damien – we have taken initial action to audit cookies and update privacy statement, but we don’t want to make the user experience worse when others aren’t and the third-party services we use make it impossible to comply.

      I’ll be doing a post on how the FTSE 100 are complying on Monday which will highlight “best practices” hopefully.

      I’m not sure the concept of “best practice” exists at the moment since following it’s a balance of legal requirements against commercial needs for tracking.

      So we recommend a “wait-and-see” approach to see how the ICO acts.

  • mchapman commented on May 25, 2012

    AS HAS been said in many places, this law looks more and more ridiculous. It is neither appropriate nor sensible to try to bully websites, at considerable cost, to better manage cookies. And the cost to the taxpayer of implementing this poor legislation beggars belief.

    • Thanks for saying it like it is Mark, we’re trying to be impartial, but I do think it’s impractical for many companies to actually change their systems to comply – that’s certainly the case with ours. We have agreed opt-in for members as they log-in, but for anonymous users it’s really difficult.

      We have reviewed our use of cookies and put time into explaining more clearly how we use cookies, but it is implicit consent – we won’t serve a pop-up when many others aren’t because we don’t want to destroy the user experience.

  • Michael Oneill commented on January 4, 2012

    CookieQ fully complies with the guidance put out by all the EU regulators including the ICO.
    It handles 1st party and 3rd party cookies and HTML5 local storage.
    It now has a 3rd party intercept button to ensure 3rd party content will not place cookies without visitor consent. We also recently introduced specific support for smart phones, a feature to allow 100% Google Analytics unique visitor count without cookies and the “refuse button” functionality asked for by the A29WP.
    With an off-the-shelf CookieQ button web publishers can become compliant in short order without expensive ad-hoc consultancy. All the visual features including banner HTML, CSS and button image are fully customisable.
    CookieQ has been working on an increasing number of sites since last May. Contact us for details.
    Go to our site and click on our safe Like button to see how it works.

  • Working in/with a number of SMEs this is something that is really concerning, we don’t have the knowledge to write our own opt out/in pop ups and we don’t have the resources to bring in developers. I’m hoping developers at CMS’s like joomla/wordpress will be working on a solution or Google will introduce something but if not this could be costly.


  • A great overview of the upcoming issues and workaround advice.

    I agree that the new legislation will be very problematic – it will annoy users as they are browsing the web, reduce visibility of tracking and performance tools, affect advertising, and the list goes on and on.

    However, getting permission from someone as you track, record, and serve them content based on their actions seems like a sensible thing to do. We don’t do this in high street stores (cctv consent?), but I suppose if this were tv channels that were being monitored to serve you more relevant advertising, you’d need consent first, and it makes sense.

    The only real solution to this is through the browsers – getting them to cover all of the issues off in one simple opt in on browser update / install. Can you really imagine having to opt in to each website separately on each visit? And if someone has cleared your cookies previously? I can see the annoyance being immense, even when just normally browsing the web.

    • Yes Tudor, have to agree – the web is going to become an uglier place… So much for talk of “user experience”.

      I think dependence on cookies for analytics and personalisation will mean we will see a lot more pop-up windows – seems inevitable. The bars at the top/bottom will be ignored by most as the chart above shows, so companies will want to obtain consent.

  • WolfSoftware commented on December 17, 2011

    At Wolf Software we have created a totally compliant plugin for ALL cookies, which will work with javascript and NON javascript web enabled devices, including all mobile devices and smart TV etc.

    A demo is available at:

    This will be on general release from Monday 19th Dec.

  • Here is a leading opt-in solution for the cookie law:

  • Really useful overview. Almost forgot about this now that the focus is on SOPA.

  • Anonymous commented on December 16, 2011

    Hi Dave.

    Working with a niche advertising network in the golf industry the law is going to cripple the business and the publishers many of whom are barely making enough to cover costs.

    This is a disastrous piece of legislation. I hear the big companies who employ hundreds of thousands in the EU will go to court on the matter. Is this correct? Do you know anything about that?

    I also know of many companies looking to relocate to Non-EU Countries and therefore not have to comply with the legislation. Do you have any advice on that?

    • Ian Hannaford commented on December 16, 2011

      This is a good question and is this relating to where the company is based or the server hosting the site?

    • Hiya – I haven’t heard of those legal challenges yet. Anyone else?

      Relocating also seems extreme – at least until we see how the ICO tackles non-compliance – the latest wording above suggests there will be another grace period provided companies are taking steps.

      My understanding of these types of rules is that it’s where the service is consumed which is important – so I didn’t think relocation would help. Hence Google and Facebook et al have to comply too – their approach seems to be to work with the browser manufacturers.

      • Dave, I don’t see how the ICO or any other EU body have any jurisdiction over websites where the parent companies are not registered in, or have no physical presence in the EU. The initial advice from law firms was that it was the registered office of the website which mattered, not where the content was consumed.

        This makes sense as it’s implausible to see how a non-UK registered company, with a non-EU hosted site could possibly be held to account for non-compliance.

        Are we going to block Facebook and Google URLs if they don’t comply? Are we going to hold them to account by saying they have premises registered in the UK? If so, that’s yet another sure-fire way this utterly stupid law will drive investment and talent away from the UK/EU.

  • Ian Hannaford commented on December 16, 2011

    Hi Dave,

    Surely this affects so many sites that are using tools such as GA that it would be wise for Google to actually provide the implementation for this? This way it will provide a uniform approach and help breed familiarity.

    Last thing people want is to visit 10 websites in an hour and each one provide a completely different implementation!

    Also in regards to the consent who are we actually giving consent to with regards to the third parties. When a user agrees are they agreeing to ‘This site only tracking me’ or is the user agreeing to ‘Allow Google Analytics to track me across any site’ – It is Google’s code that actually sets and tracks the user not the individual website.

    It will certainly be interesting in the run up to see what the “big boys” and eCommerce platforms do to implement this as it would surely make sense for other sites to follow suit.

    • Hi Ian – I see what you’re saying – an opt-in to Google Analytics across all sites would make sense, but don’t think that will happen – instead Google introduced this last year in advance of the ruling:

      But it’s opt-out, not opt-in so don’t think it’s valid in the eyes of ICO…

  • good post, thanks. I am still not clear however how this will apply to the use of Google Analytics. Will an explicit opt-in be required to use GoogleAnalytics on my sites? Thoughts, comments, have any opinions been posted by Google on this subject?

    • The ICO guidance makes it clear that GA is covered by the law and will require consent.

      • Anonymous commented on December 16, 2011

        Thanks. Anybody seen any comments or statements from Google on this matter

        • Cookie Collective is technically correct in saying that the ICO see analytics cookies such as Google Analytics as covered by the law and in theory must require opt-in consent.

          However the latest guidance from the ICO does have some wriggle room. If you read the last two paragraphs (please see below) on the last page of the guidelines it clearly states that the ICO sees web analytics as one of the least worrying parts of ePrivacy particularly when it only collects non-PII data.

          Quoted from the latest ICO guidelines:
          “The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.

          In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

          You can interpret this in many ways and it is up to individual companies/organisations/individuals who own websites whether to seek explicit consent for analytics cookies. The advice above seems to suggest that the ICO probably won’t come after you unless you are using cookies for more intrusive purposes i.e. they have got bigger fish to fry.

          • WolfSoftware commented on December 22, 2011

            We talked to the ICO at length about GA before releasing our plug-in and from what I was told there is no wiggle room for GA, get consent or do not use it was the basic message.

          • Wolfsoftware, I agree that is definitely the formal message I have received from the ICO.

            However the quote I have taken from the latest guidelines and opinion from some commentators (Ashley Friedlein with his latest piece: seems to suggest that although the ICO would not be happy if a site owner is using GA or any other analytics tool that uses cookies and doesn’t seek explicit consent they would probably not take any action as they will have much more high profile type misuses of cookies to go after first. There is a big difference between interpreted as breaking the law and then being taken to court about it.

            When it comes to analytics cookies specifically, I suspect those site owners who rely heavily on analytics to aid their marketing will wait until after May 2012 to assess whether they really will be forced to do it or it’s another law that can be fudged. One only has to look at how companies have got away over the last 10-12 years with wildly different interpretations of email opt-in and opt-out rules to imagine what might happen.

            I genuinely believe some companies will take a considered risk not to implement the new rules and see what the real will of the ICO is.

      • WolfSoftware commented on December 20, 2011

        We have already created and supplied for free an ICO approved solution specifically for GA.

        free to download, simply to install and gives complete compliance for free.

  • Anonymous commented on December 15, 2011

    Hi Dave and James

    Thanks for this write up and the subsequent discussion.

    IMO what we’re seeing is a knee-jerk reaction to privacy concerns. There has been a failure to think through the implications of the law changes. In a failing economy, we digital marketers need all the intelligence and data we can get to boost sales.

    Ultimately I feel frustrated by this law and hope that the big players (Google and Facebook) will lobby for a more practical and commercially oriented set of guidelines.

    Best regards

    David Sealey

    • James Gurd commented on December 15, 2011

      Hi David, Paul

      Thanks for joining in the discussion.

      David – I agree that it is a knee-jerk and ill-thought through project. It smacks of people in ivory towers making decisions with no real understanding of implications, or indeed cost vs. benefit.

      If the ‘average’ customer was given the choice of absolute privacy so no web owners would ever know that a visit had been made to their website or handing over non-private data to enable better service, improved product offering and a better online experience…..what do you think he/she would choose?

      I’m with Dave in thinking that this will simply create false concerns. It will make people think “hang on a minute, what info are they taking from me” and the inevitable media coverage will stoke the fire. Just look at the IC’s website – I find it an annoyance and distraction.

      What would happen if all web owners refused to buckle? They couldn’t take everyone to task, there isn’t the resource to cope although pedants will be pedants.
      I think your comment about the big brands is poignant – let’s wait and see….

      Paul – based on the ICO interpretation, yes, GA will require opt-in for the cookies. Analytics is not considered essential (it’s not core to customer service whereas using cookies to store basket contents to facilitate the order process will fall into the exception category) as it is a perceived benefit to web owners to be able to collect this data. It’s not exactly a crystal clear definition.

      In all likelihood, small websites won’t be investigated as it’s the big brands that will draw the most attention. However, it would be irresponsible to advise people to ignore the legislation – the challenge is to protect yourself but do it in a way that doesn’t alienate customers.


      • There is a counter argument here. Maybe I’m one of the few but the move to explicit opt-in consent can only be a good thing in the long-run. It is dangerous to assume us digital marketers know what’s best for consumers. My acid test is that if you can explain how all cookies are beneficial to your Mum/Granny and she agrees with you, then maybe I’m wrong. But my Mum does want a nice internet experience but isn’t comfortable with adverts using her data without her say so. In reality, there are two areas where cookies are okay behind the scenes and when not. Firstly content cookies, if they help you shop more easily and save time logging-in, not many people will have a problem here. But with advertising cookies, people have a big problem with this and their ignorance is no defence for guys like us to keep serving advertising based on personal data in this way.
        To hold my hands up, I run performance marketing agency where explicit opt-in is at the core of all our lead generation campaigns so maybe I’m biased but at least I can prove that every person consented to advertising in the first place.

        • It’s good to hear one voice looking at the upside! Even if it doesn’t help your cause Peter.

          It’s what I was suggesting in my note.

          I like your “Granny test”. Saw an interesting piece in Marketing Week on Privacy segmentations which I’ll post next week – shows most are relatively unconcerned, but there are many that are (19% are “walled worriers”).

        • Never thought I’d say this, but I’m inclined to agree.

          Having gone through the process of developing a compliance solution for our clients, auditing a few sites and adding some conditional statements to things like Google Analytics to test for compliance, I’m persuaded that actually it’s not such a bad piece of legislation.

          It can loosely be interpreted as, “Thou shalt not drop junk onto your beloved user’s computers, particularly if it invades their privacy”, and I’d applaud that.

          What we’ll see is a greatly reduced dependence on cookies. Opt-in solutions, (even ones as good as this: won’t help, as the majority of users opt out. The result: anyone serious about creating “non essential” functionality, must find a better way of doing it.

          So if products like Google Analytics are to remain relevant, they’ll need to be re-engineered to go server-side.

          Affiliate marketers and advertising networks will need to identify some other metrics to measure performance, and some other way of tracking users from site to site may need to be found if ad networks want to keep serving tailored content to users (although I’m not sure I’d want this).

          So, it’s a peculiar legal intervention into our conduct on the web, but not a bad one.

          • The latest example I’ve seen of cookie compliance: shows the web is not going to be so beautiful by the end of 2012 – via – see – 80-90% drop in reported traffic.

            Your Cookie Control solution is more elegant than most, but agree we need to face-up to the reality of reducing dependence on cookies or waiting for improved browser controls.

          • Wow – that’s a particularly ugly solution!

            My instinct is to attempt to design “non-essential” cookies out altogether, thereby removing the requirement for intrusive notifications.

            This is a little easier for my company, Civic, as a lot of our work is on Government sites that don’t rely on affiliate marketing or advertising.

            Really the only “non-essential” cookies that I need to find solutions for are Google Analytics, and I’m on the lookout for a server side analytics solution that will return to a combination of IP address tracking and heuristics to identify unique users. I gather from their forums that may be working on something, but I’d love to see Google step up and extend GA – which would be much less disruptive for my clients.

            Going in to “thinking out loud” mode here….

            I’ve not checked how services like this one (Disqus) use cookies, but it would be easy enough to tweak them so they only drop cookies following a user interaction such as clicking on a ‘Post’ button.

            I’d also like to see a widely adopted iconography, which is why we developed the Cookie Control logo. If such an icon is promoted universally, site owners could attach it to interactivity that will result in laying a cookie.

            As an example, the ‘Post as…’ button on a Disqus comment form, presumably results in some cookie dropping behaviour. If a recognisable cookie icon were embedded just to the right of such a button – a bit like an asterisk – it would signal to the user that interaction implied consent. Rolling over the icon would bring up a tool tip explaining what cookies would be deployed and for what purpose. The same tooltip could be deployed for the button itself, so recognition of the icon would not be necessary to achieve compliance, but a helpful aid in terms of giving the user a general impression of how the website is using cookies.

            The result could be unobtrusive compliance at individual script level.

            Would be good to know if anyone likes that idea, if so, we can develop it.

          • Stratos Samaras commented on January 9, 2012

            Pion from Atomic Labs might be a solution.

      • Me commented on April 19, 2012

        Maybe you should explain to your mum that she gets all the content for free on the internet because of advertising, if everyone blocks advertisements you would have to pay for all the free services we receive online. This law is outright a joke and I hope everyone ignores it.

  • James Gurd commented on December 14, 2011

    Hi Dave

    Thanks for keeping a close eye on this law.

    I know I’m not alone in thinking that this is creating unnecessary cost and over-complicating something that only a small % of people are concerned about. It will potentially make people think their privacy is being invaded when in reality data is being collected to help improve user experience and content relevancy.

    It’s the visible asking of people to click on “I agree” or “No thanks” that worries me – you are inviting people to think there is something wrong and opt-out without necessarily understanding the benefit of allowing cookies. The data from the ICO website demonstrates this.

    What is the Smart Insights take? Do you think there is something positive in all this? Yes if it means people who show no regard for privacy are brought to task. But I can see big negatives for studious optimisers who rely on data to improve the quality of the website and ROI. If you don’t have the tools to do this intelligently, there is a risk to online profitability which in turn means less investment in the user experience and online service.


    • Hi James, thanks for your thoughts. I think it’s very hard to see the positives in this.

      Although there is more detailed guidance in this update, as you say, there will be a lot of expense to implement for little benefit for business. For the consumer it will detract from their experience and what they’re trying to do. Most will just ignore privacy messages judging by the data we featured in our previous post on the ICO.

      I’d like to think it will make consumers view cookies with less suspicion, but think it will just scare them more. The reality is most think their life history is contained within the cookie rather than a single ID, that perception isn’t going to change…

      The big question is how many companies will make the effort to comply? Very few I suspect by the 12th May – unless implementation is underway it’s going to be hard to achieve for larger sites. The excuse to wait for the changes to browser settings is too strong.

      Looking back at the PECR 2003 regs there was the requirement to provide opt-out to cookies and I think most companies aren’t compliant with this! It’s going to be interesting to see who the ICO goes after since this is what will really drive adoption.

      I’m most interested to see what the likes of Google and Facebook do – are they really going to seek opt-in for cookies for their millions of UK users from the 26th May and are they already doing this in the EU states where the law is already live? I can’t see it!
