UK Website Cookie Regulations

UPDATE: For the latest on the Cookie Laws, be sure to check out this post on the AmbITion Scotland blog.

Since this article was posted, the ICO has updated the guidelines for compliance with the new law regarding cookies and internet privacy. Website operators should download the updated guidelines here and decide on the best way to gather permission from their users for the use of cookies.

Contributed by Cameron Leask of Escrivo Internet Consulting.

Over the past few months, you might have read about new privacy regulations to control the use of website cookies. These came into force on 26 May and almost certainly impact you if you operate a website. Amongst other things, the updated regulations cover one of the least visible, most widely used and most misunderstood web technologies: cookies.

What changed?
The Privacy and Electronic Communications Regulations (PECR) were updated to increase the privacy of website visitors. Previously the regulations required websites to tell visitors about the cookies used and to give information about how to “opt out” – this was usually done in the Privacy Policy on the website. The revised Regulations require websites to provide clear and comprehensive information about the cookies that their website uses, and to obtain consent from visitors prior to storing a cookie on the visitor’s computer.

Who is affected?
Cookies are an important part of most modern websites. Many helpful website features require the use of cookies – including analytics services, “remember my preferences” options, social media buttons, flash movies and more. As a result, this new legislation will touch most of the UK’s website operators in some way.

What is a Cookie?
A website cookie is usually stored as a small text file on a user’s computer by their web browser (Internet Explorer, Firefox, Google Chrome or similar). They can be set to expire when you close your browser, or to be stored until a defined date and time. Cookies are set for a particular domain. Your website can only set cookies for your own domain, but in some circumstances you might want to include content hosted by a third party in your web page (a common example would be embedding a social media plugin or a video “widget”) – which would allow the third party website to create cookies for its domain too.

A typical web page with a Facebook “Like” button, a YouTube video and Google Analytics might create up to a dozen cookies on the visitor’s computer.

How do cookies work?
A website can send one or more cookies to your browser every time you request a web page. Websites can also create cookies by running JavaScript code in your browser (the JavaScript is part of the web page you requested and can create and retrieve cookie values). Your web browser sends all the cookies for a domain (such as xyz.com) back to the website each time you request a new page. If the page includes a request for content from a third party domain then the relevant third party cookies will be sent to the third party’s website.

Most modern browsers allow users to decide whether to accept cookies, but rejecting cookies can make a website unusable if it depends on cookies to operate.

So what’s the problem?
In themselves, cookies are a perfectly legitimate technology. They are completely benign: they cannot be “run” and they are not viruses. However, because they can be used to track computer activity, they are frequently associated with privacy issues and spyware, and poor use of cookies can expose private information. The new regulations aim to improve a user’s ability to maintain their privacy by requiring every website operator to obtain consent, from every visitor, for every cookie used. (The irony is that the simplest way of storing this consent is to use a cookie!)

What you will need to do
The Information Commissioner’s Office (ICO) has made it clear that they will enforce the new regulations from May 2012, which allows for a period of preparation and planning beforehand.

The new regulations require you to do two things:

  • Provide visitors with clear and comprehensive information about the cookies your website uses and the purposes of the storage of, or access to, the information that they store, and
  • Obtain consent from your visitors for the use of those cookies.

This means that by May next year, you will need to:

  • Requirement 1: Know which cookies your website creates and
  • Requirement 2: Be able to describe the data stored in those cookies, and its purpose, and
  • Requirement 3: Obtain (and record) the visitor’s consent to your use of cookies

What you need to do now
As soon as possible, start preparing to comply with the new regulations by conducting a Cookie Audit to identify the cookies that your website uses and to assess their impact on the privacy of your website visitors. For most websites a Cookie Audit will be a relatively simple exercise but it’s a job that will probably need to be repeated periodically – perhaps annually, or more often if you regularly add new features to your website.
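As an added illustration (not code from the original article or from Escrivo), the following Python script shows the kind of inventory a Cookie Audit produces from captured HTTP response headers: which cookies a page sets, for which domain, whether they outlive the browser session, and whether they belong to a third party. The captured responses and the audited domain "example.org" are constructed for this example.

```python
# Added example, not part of the original article: a minimal cookie-audit
# inventory built from Set-Cookie headers captured while browsing a site.
# It covers Requirements 1 and 2 above (know which cookies are created and
# be able to describe their scope and lifetime).
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SITE_DOMAIN = "example.org"  # hypothetical first-party domain being audited

# Constructed sample: (URL that was requested, its Set-Cookie headers)
CAPTURED = [
    ("https://www.example.org/", [
        "PHPSESSID=abc123; Path=/; HttpOnly",
        "prefs=lang%3Den; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    ]),
    ("https://analytics.example.net/collect", [
        "_track=xyz; Max-Age=63072000; Domain=.example.net; Path=/; Secure",
    ]),
]

def registrable(host):
    """Crude 'site' name: the last two labels of a host (enough for an audit)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def audit(captured, site_domain=SITE_DOMAIN):
    """Return one record per cookie: name, domain, persistence, party, flags."""
    records = []
    for url, headers in captured:
        host = urlsplit(url).hostname or ""
        for header in headers:
            jar = SimpleCookie()
            jar.load(header)  # parses name=value plus its attributes
            for name, morsel in jar.items():
                domain = morsel["domain"].lstrip(".") or host
                if morsel["max-age"]:
                    persistent = int(morsel["max-age"]) > 0
                else:
                    # An Expires date means it persists; no expiry at all
                    # means a session cookie, discarded when the browser closes.
                    persistent = bool(morsel["expires"])
                records.append({
                    "name": name,
                    "domain": domain,
                    "persistent": persistent,
                    "third_party": registrable(domain) != registrable(site_domain),
                    "secure": bool(morsel["secure"]),
                    "httponly": bool(morsel["httponly"]),
                })
    return records

if __name__ == "__main__":
    for record in audit(CAPTURED):
        print(record)
```

In a real audit the captured headers would come from a browser's developer tools or a proxy log, and cookies set by JavaScript would need to be read from the browser's cookie store as well, since they never appear in a Set-Cookie header.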

Based on the results of your Cookie Audit you can identify the data being stored and uses made of that data. From this information you might be able to remove some cookies that are not required.

The output of this process should be published on your website. In due course you may need to alter your website to request and record your visitors’ consent to your use of cookies.

Obtaining consent for our use of cookies sounds impractical; do we really have to do that?
The most logical place to obtain consent would be in the web browser software – but current browser privacy settings are “not sophisticated enough to allow you to assume that the user has given their consent” according to the ICO. However, you are still required to prepare to comply with the regulations.

Where can you get more help?
Visit http://www.escrivo.com/culturesparkscookies to learn more about how to perform your own Cookie Audit. We’ve also provided details of our own Cookie Audit service.

You may also want to speak to your website developer, to establish whether they can help.