The EU Cookie Law a month on
Although the EU Cookie Law officially came into effect in the UK in early 2011, companies were given one year to comply. The law requires that websites owned and accessible to European audiences obtain consent from a user before placing cookies or tracking technology on the user’s device.
The Data Protection Directive (on which the UK Data Protection Act of 1998 is based) defines consent as, ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.
And according to the Information Commissioner’s Office (ICO), ‘consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent’.
In lieu of the recent implementation of the EU Cookie Law, I’ve picked out a few websites that are in full compliance with the law and a few that are definitely not. While it’s still early days, it’s worth noting that 95% of companies have yet to comply. It’s also worth me pointing you in the direction of a post that will answer a lot of questions: Q&A on EU Cookie Law Compliancy. Whether you are in compliance with / in breach of the law, is a lot more complicated than it actually sounds. It’s not just the fact that not all cookies are considered ‘equal’ in the eyes of the ICO, but also, if you’ve been seen to educate/inform people that your website uses cookies, you might be able to argue your way out of a fine.
Regardless, let’s take a look at who is doing what and what better place to start than with the ICO itself – the very people who are responsible for upholding information rights, promoting data privacy for individuals and openness by public bodies.
The’ve gone for something straightforward:
‘The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our privacy notice.’
The BBC have taken a similar approach:
‘We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we’ll assume that you are happy to receive all cookies on the BBC website. However, if you would like to, you can change your cookie settings at any time.’
The main difference between the ICO and the BBC’s approach is that in the case of the ICO, you first have to accept the agreement before the website will place cookies on your computer. With the BBC however, you do not have to click continue. If you continue browsing the website and ignore the cookie alert, you have as good as clicked an agree button to have cookies placed on your computer.
The BBC offers you the option to disable cookies – though most users probably won’t do this for the additional hassle it means. The ICO however offers you the choice to accept cookies – again, users will be more likely not to do so, especially if they do not understand what cookies are used for or if they simply do not see or read the statement.
The BBC have opted for ‘implied consent’, a perfectly valid form of consent. The ICO have noted that the key to implied consent is that, ‘when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.’
Now, in comparison take a look at these websites:
Thomson Holidays has chosen a distinctly more discreet statement. There is only a tiny link at the top of the screen to direct users to the Thomson Holidays cookie law policy – ‘new statement on cookies’. For a user that is unaware of the cookie law, this is not clear at all. What it actually means is that a user has not consented to allow the company to place cookies on their browser. Until the website changes their statement so that the user understands what will happen before proceeding, this company could still get caught out by the ICO.
Currys website is similar, though it’s even harder to find the link to their cookie policy as it’s all the way down in the footer area. Again, the same issue applies: the user has not consented to have Currys use cookies. Until there is consent or at the very least, implied consent, their website is not technically in compliance with the new EU Cookie Law.
Just in case you can’t see it, i’ve marked it out in red.
Other websites that have done the same as Thomson’s Holidays and Currys are: hmv.com, waitrose.com, tesco.com, boots.com and so on. The list is long and it’s surprising how many of the big companies have not done quite as they were told.
There are also companies that are doing things a little differently.
Look at wowcher.co.uk
When you enter your email address to accept offers, you are agreeing to accept cookies.
The Telegraph has made their cookies policy very bold. And like the BBC, if you continue to use/browse the website, you will be accepting cookies. However, in the case of the Telegraph, once the message disappears, you can still easily find out about the cookies they will be placing on your browser by clicking on the link in the top left hand corner.
The Financial Times website has probably placed the boldest statement of all. Of course, they can afford to. SMB’s that took an approach like this might see a big dip in site visitors. Before you can read any of their online content, you have to agree to close the FT Cookie Policy box which displays. By closing the box you agree to accept cookies. If you do not agree, you can disable cookies or change your settings by clicking on specific links within the box.
Of course, while some companies have made very clear statements about their use of cookies and others much murkier statements, we’re still at the beginning of the process and will likely see changes, especially as more and more companies comply with the law or find ways through its slightly murky waters.
Look out for our next blog post which will explain what steps you can take to ensure that you comply with the law. If you’d like to speak to one of our team with regards to EU Cookie Law compliancy, fill out our enquiry form on the contact page or give us a call on 08450 740068.