As a web designer in the UK, the new EU Cookie Law is something I’m (sadly) having to deal with!
[Editor’s Note: If it can happen in the UK, it can happen in the United States.]
I’ve been looking at a number of compliance methods and I’ve found one that I think is the best out there.
Cookie Consent is a nice bit of code, being released for free, under a GPL license by Silktide, the same web software company who created the No Cookie Law site.
From the site:
Cookie Consent is a JavaScript plugin that we created for websites to comply with the cookie law. You can install this on your site easily with just a few lines of code. Users will be shown a message which drops down [or up] from the top [or bottom] of the screen asking them if they want to allow cookies.
I really like just how customisable it is – you can either link to the js & css hosted by Cookie Consent, or you can download and host the files yourself. This means you can also customise the design to fit the design of your site. You can also specify what types of cookies you need consent for and even put holding text in for elements which the cookies haven’t been given consent for yet (such as ‘disqus’ comments or ‘social’ buttons).
Another very clever feature is the ‘Allow for all sites’ button on the bar, which if you visit another site also running Cookie Consent, it knows you’re ok with cookies and so you’re not shown the consent bar!
You can see it in action already on my site: JPC-DESIGN.
So if you’re needing a solution for the EU Cookie Law, then have a look at Cookie Consent.
If you’re a UK/EU web designer/developer:
What are you using to get compliant?
[Image via Pam Roth]
James Cooper says
UPDATE!!! It seems that ‘analytics’ cookies might not be such an issue.
Since this post was written, I’ve discovered a very good guide to the cookie situation by the ‘international chamber of commerce’ (http://www.international-chamber.co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cookie_guide.pdf). Their advice (and they’ve worked with the UK Government on this) is that analytics cookies are ‘performance cookies’ and as such consent is implied. So no banner is probably needed…
If you have a good (and easily viewable) privacy policy that outlines what performance/essential cookies you collect and why – and how to disable cookies in your browser should you wish – you’re probably ok!
So I’ve created a good privacy policy that I can use on all the sites I look after. Have an (easily viewable) link to the policy page in the footer, etc. and you could/should be ok.
Seems this is the route which the likes of BBC, Aviva, NHS are taking…
For more advanced cookies, like targeted ads, then a solution like ‘cookie consent’ would probably still be needed.
Such a mess!
Eric Dye says
You’re such a pro! Thanks James!
James Cooper says
And if anyone’s looking for a nice cookie icon to use on your site to point to the cookie policy (as I’m doing), then this is a good one – in a variety of sizes: http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org/Apps-preferences-web-browser-cookies-icon.html
Pete Finnigan says
Thanks for your interesting post and also the link to the ICC pdf paper.
I am intrigued by the fact Aviva, BBC, NHS etc have not implemented consent banners/buttons/etc and rely on users to remove the cookies via the browser, but the ICO says in its clarification that this is not acceptable. I am guessing that this is maybe driven by the 1st/3rd and intrusiveness level of cookies to derive how strong the need is to ask for consent as indicated by the law; i.e. essential no ask, third party intrusive advert tracking to simply serve up sales; you must ask. Do you think that these example sites you give are simply on the non-intrusive end of the spectrum or is it that they like others suggest in various blogs and papers have found a year is nowhere near enough to sort this mess out?
If for instance you visit aviva.co.uk it sends 30 cookies to your browser – at least in my locale and my browser it did. This seems a lot and that’s just one page visited.
I have read a lot on this subject over the months since the law came into being and then was deferred and it’s a mess. The most annoying thing is the lack of clarity and simple rules, simple fixes that ideally don’t cost anything or not much. I run a small company and I have spent far too much of our time and effort looking into the law, reviewing all our sites, drafting policies and testing various solutions so that we can finally go live with a list of cookies/policy and solutions when it’s all tied together BUT I have a day job to do to earn money to live and spending my time on this is not ideal.
Thanks for your insight.
James Cooper says
Pete, thanks for your feedback.
I’ve found the ICC pdf by far the most useful and helpful information in all this mess! Having practical real world situation and even wording was great! (And the quotes from the ICO on the ICC blog post about their guide is also very encouraging: http://www.international-chamber.co.uk/blog/2012/04/02/launch-of-icc-uk-cookie-guide/)
I think you’re quite right about the 1st/3rd situation (especially with analytics – which are what most of mine are…) and some sites like: http://uk.virginmoney.com/virgin/ are taking the ‘we use cookies – so there’ approach (they tell you, but you can’t opt out)!
A year could have been enough time, had the law been worded more sensibly, and some guidance about compliance also been given!
Following the advice in the ICC pdf and also the ICO guidelines (http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx – is actually a pdf!) I’ve audited the cookies on my site (pretty much only session analytics and are anonymous and unintrusive) I’m going for the ‘telling the user exactly what you’re using and how to turn them off’ route by using a ‘Cookies & Privacy’ link on each page of the site – with a small cookie icon to give it more attention. In the wording as well as explaining what cookies are/do and what cookies are used on the site, I also give links to http://allaboutcookies.org, any third party privacy policies and how to opt out of google analytics.
The ICO has suggested that it will only start investigation upon ‘complaints’ and won’t go hunting for un-compliant sites (probably just as well as it looks like most government won’t be compliant come the 26th!).
I’m guessing we’ll see over the next year (or probably more!) how this law will work in practice… And as most EU countries haven’t even started looking at the law yet, goodness knows how it will work in the end!
Pete Finnigan says
Hi James,
Thanks for your reply and also the link to Virgin money.
Actually before I move on I made a mistake with my visit to aviva.co.uk last night, in a hurry to write a message here I forgot to include the session cookies so there were actually 34 cookies downloaded from visiting one web page!!! – Wow!!!
I read the ICC blog post differently to you. They are not saying the government (ICO) has worked with them; they say they worked with industry experts and they go on to say that the ICO welcomes the document and that it’s a good starting point from which to work *towards* full compliance.
I think that if you have audited cookies, tried to cover the spirit of the law – i.e. telling people what your cookies are and how to turn them off in the browser and why you use them then having a consent button is not needed at this time. It is clear very few sites out of a large sea of sites absolutely will not comply. A very small percent have probably fully complied – i.e. informative audit, policy and a full ask for compliance solution. A small (bigger than the first group) have probably done an audit and done a Virgin/BBC/Aviva/NHS solution but the biggest bulk probably have done nothing. It’s good that the ICO will not pursue unless complaints come in; it’s sensible.
The ICO make clear (I think) that consent still has to be achieved with a button or whatever (they mention even email in the doc you linked to!) but if you have made efforts, audited, provided clear information I don’t think they are going to do anything now about it; now.
My view is that provided you do what you suggest now you should be safe (I am not a lawyer and this is my own personal opinion BTW); for now; in five years time who knows?
I like the Virgin approach; it’s nice, clear, simple BUT it’s probably not compliant with the ICO as I read the law in that there is no way to stop the cookies other than the old way, block in the browser. I “assume” as you did this is a good solution for now but maybe not in years to come.
Again, what a mess, and thanks for the links and the insight.
Kind regards
pete
James Cooper says
The ICO have released v3 of their guidelines: http://bit.ly/LLE47w (pdf) and it does seem that for analytics, ‘implied consent’ and a good notice/policy might well do the job – and that’s the approach I’m taking!
Wolf Software says
We have created and released an entire suite of consent solutions, both free and commercial to allow website owners to request consent from their users.
http://demos.dev.wolf-software.com
James Cooper says
I’ve seen you commenting on most blog posts about this subject – I wondered when you’d get to sharing your solution on here 😉