The recent transposition of the amended EU e-Privacy Directive into UK law (the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) has been the subject of continued debate, panic and uncertainty. Those of us who must understand and implement the particulars of these new regulations on client websites have been feverishly researching what needs to be done, and peeling away the layers of speculation and fear mongering to find out exactly what it means for your website.
I would like to make it clear to clients that, at this point, you should not panic. The ICO has said that it will not take formal enforcement action during a 12-month lead-in period, provided that website owners and operators are working towards compliance. We will not be rushing to implement invasive, permission-gathering banners on your website, nor will we be sitting idly on the sidelines. Read on to find out the what and why.
For the purpose of this article, I will talk about "Cookies" in particular. Cookies are a method of storing snippets of information within a visitor's browser which can then be retrieved later to identify them, determine whether they are logged in, or present them with items they have previously viewed. Cookies are almost essential for maintaining a logged-in user's session; the main alternative, carrying the session identifier in the URL, is much less secure because the identifier then leaks through browser history, bookmarks, server logs and Referer headers. Cookies, for better or worse, are effectively essential, although they are commonly "abused" by marketing and analytical companies to track your progress throughout and sometimes even between websites.
Cookies are not the only thing covered by this regulation. The directive it is based upon doesn't even mention Cookies directly but rather states that it applies to "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user", so any client-side storage mechanism is within scope, not just HTTP cookies. The UK implementation of this directive makes a similarly worded, but practically identical, assertion.
In the case of "abuse", the cookie stored on your computer is most commonly nothing more than a simple unique ID. This ID allows visits to a website, or group of websites including the same advertising or analytical service, to see what pages you've visited. Information such as how long you spent on a page can often be inferred, too, and the pages you visit can be analysed to figure out what you might be interested in.
Unless you're the only user of your computer, and of the specific browser that you use, this doesn't really mean much: a profile will be built up that might include the interests of your whole family, and this information is, for the most part, pseudonymous. It usually constitutes nothing more than a handful of numbers that allow targeted advertising and, more importantly, improvements to the user experience of the websites you visit. A cookie on its own can't tell an advertiser exactly who you are, and they can't retrieve personally identifiable information from your computer by reading cookies; the identifier only becomes personal if the same network can link it to something else, such as an account you log in to.
Your IP address, however, can reveal your city, your internet provider and, with the right knowledge or leverage, exactly who you are. So this war on cookies means very little in terms of internet privacy. But, as flawed as it might be, we've got to pay attention to it.
So what does this mean for your website?
First and foremost, the oft-misquoted law addresses only cookies, or information storage, which is not fundamental to the core functionality of your website, or which has not been explicitly requested by the user.
The EU directive itself states: "This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
The UK implementation of this, again, is functionally similar but goes to extra lengths to highlight its use of the word "explicitly." In essence, it means that information stored on, and retrieved from, the user's browser should be absolutely essential and should not include, for example, user tracking, involuntary storage of "recently viewed items" and other useful, but non-essential, functions of your website.
Clear-cut essential functions include saving and retrieving a cookie to maintain items in a user's basket, or saving and retrieving a cookie to determine that a user is logged in. The former of these examples is the one the ICO's guidance on the UK regulations actually gives for "strictly necessary" storage and can, thus, be considered the only absolutely clear-cut exemption that we're aware of.
For all other functionality, the decision about whether or not a particular snippet of stored data is essential lies with the website operator, and the lack of clarity in this particular aspect of the regulations means that many questions still surround the use of third party cookie-dropping tools such as Google Analytics.
The ICO.gov.uk website, which has already implemented a "Cookie Permission" banner, is an important example to web-masters and web-build agencies because it actually uses Google Analytics. I have observed in this case that the Analytics tracking code is NOT included in the website until permission is explicitly given by the user. If we were to be proactive and implement these directives immediately, then we would naturally have to follow this example in all of our clients' websites- posing a very real threat to information gathered from Analytics.
What does gaining the user's permission actually entail?
In the case of the ICO.gov.uk website, which should be heralded as a prime example of how to proactively implement these regulations into your website, a banner is presented at the top of the page which informs the user that an essential cookie has already been set. It also provides a link to the privacy notice, which now includes a detailed breakdown of what each cookie does. This constitutes "informing the user", and an abbreviated form of this message would be required to draw attention to the more detailed privacy policy.
A checkbox entitled "I accept cookies from this site," and a corresponding "Continue" button, provide the end-user with a means to give their consent. Once consent has been provided a cookie is saved to ensure the message is no longer displayed, and all cookie-dependent functionality on the website is enabled. Note that the consent cookie itself records only the user's choice; it is not a tracking identifier.
This method of informing the user and gaining their consent is perhaps the most sensible and non-invasive. Pop-up windows would be a very poor solution by contrast: they would send users fleeing from your site, or simply bully them into accepting.
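The pattern the ICO site follows, keeping the analytics script out of the page until a consent cookie exists and then loading it, can be wired up with a small amount of JavaScript. The following is an added example written for this post; it is not the ICO's code, and the cookie name, the banner text and the analytics URL are assumptions for illustration. The policy logic is kept in plain functions so it can be tested outside a browser; the DOM wiring at the bottom only runs when a document exists.

```javascript
// Consent-gated loading of non-essential scripts (added example, not the ICO's code).

const CONSENT_COOKIE = 'cookie_consent';     // assumed cookie name
const CONSENT_VALUE = 'accepted';
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365;  // one year, in seconds

// Scripts that set non-essential cookies. Nothing essential belongs here:
// essential functionality never waits for consent. URL is a constructed placeholder.
const NON_ESSENTIAL_SCRIPTS = [
  { id: 'analytics', src: 'https://analytics.example/tracker.js' },
];

// Parse a document.cookie string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Consent exists only if our own cookie carries exactly the expected value.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === CONSENT_VALUE;
}

// Build the document.cookie assignment that records consent. Recording the
// user's choice is itself strictly necessary, so this cookie needs no prior
// consent. Secure is only added on https so a local http test page still works.
function buildConsentCookie(isHttps) {
  const attrs = [
    `${CONSENT_COOKIE}=${CONSENT_VALUE}`,
    `Max-Age=${CONSENT_MAX_AGE}`,
    'Path=/',
    'SameSite=Lax',
  ];
  if (isHttps) attrs.push('Secure');
  return attrs.join('; ');
}

// The list of third-party script URLs that may be injected for a cookie state.
function scriptsAllowed(cookieString) {
  return hasConsent(cookieString) ? NON_ESSENTIAL_SCRIPTS.map((s) => s.src) : [];
}

// Inject each allowed script as an async <script> element.
function injectScripts(doc, srcs) {
  for (const src of srcs) {
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
}

// Show the banner unless consent was already given; on "Continue" with the box
// ticked, store the consent cookie, remove the banner and load the scripts.
function initConsentBanner(win) {
  const doc = win.document;
  if (hasConsent(doc.cookie)) {
    injectScripts(doc, scriptsAllowed(doc.cookie));
    return;
  }
  const banner = doc.createElement('div');
  banner.id = 'cookie-banner';
  // Static markup only; no user-controlled data goes into innerHTML here.
  banner.innerHTML =
    '<p>This site has set a strictly necessary cookie. ' +
    '<a href="/privacy">Read what each cookie does</a>. ' +
    '<label><input type="checkbox" id="consent-box"> I accept cookies from this site</label> ' +
    '<button type="button" id="consent-go">Continue</button></p>';
  doc.body.insertBefore(banner, doc.body.firstChild);
  doc.getElementById('consent-go').addEventListener('click', () => {
    if (!doc.getElementById('consent-box').checked) return; // no consent, no scripts
    doc.cookie = buildConsentCookie(win.location.protocol === 'https:');
    banner.remove();
    injectScripts(doc, scriptsAllowed(doc.cookie));
  });
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  initConsentBanner(window);
}
```

The important property is that the analytics `<script>` tag never appears in the static HTML at all; it is created only after `hasConsent` returns true, so a user who closes the page without ticking the box never receives the third-party cookie. Anything the site treats as strictly necessary (the basket, the login session) is set by the server as normal and is not routed through this gate.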
Are there other, more seamless, ways of gaining the user's permission?
In a word, yes. Browsers have had the ability to reject cookies for a long time, but this rejection is not fine-grained enough to be appropriate, nor does it have sane defaults (most browsers simply accept all cookies by default), and it is not well presented to users. The ICO have made it clear that the Government is working with browser vendors to come up with a catch-all solution which prompts a user to set global cookie preferences within their browser of choice, and perhaps also more permissive settings for specific trusted websites. Because of this, the UK legislation covers permission explicitly given by the browser or other third-party software.
In the ICO's "Advice on the new cookies Regulations" document, they state: "In future many websites may well be able to rely on the user's browser settings to demonstrate that they had the user's agreement to set all sorts of cookies." However, this will only apply to users running those future browser versions.
There is therefore one problem with this method. Users who continue to use any browser version available today will not be indicating their consent, and thus your website will ultimately still have to implement cookie notices, displayed only when browser-level permissions are not provided.
How we propose to address these changes.
The literature from the ICO, the underlying EU directive and the UK law itself are all exceptionally fuzzy about exactly what must be done to address these changes. At the moment there are still many questions surrounding the law and exactly how various service providers will deal with it.
Google, for example, may ultimately add functionality to their Analytics tool which prevents it from setting cookies until user permission is indicated by your website. This means that Analytics functionality would not be totally compromised, and that at least some metrics would still be gathered. Without cookies, however, analytics cannot identify "unique" visitors, cannot easily track a user's progress through your website, and is as a result significantly less useful.
As far as making changes to your website is concerned, we propose to take a back-seat approach and wait for a few months to see what changes. We will not, however, be inactive during this time, and will be actively monitoring the landscape and pushing service providers to offer cookie-less alternatives to their tools so that the impact of these regulations is as minimal as possible.
To show that we are not simply flouting the regulations, changes will have to be made to privacy policies as soon as possible, including a more up-front approach to notifying users about what cookies are being set, by whom, and what they are being used for. Your existing user base will have to be notified of these changes, and be given the option to accept them.
We will not, at this time, be implementing any explicit permission requests on clients' websites, simply because they currently pose a very real risk to conversions and an even greater risk to the analytics information which is vitally important to the SEO side of our business.
Rest assured, however, that we are already developing a strategy for implementing these messages across all of the websites we manage in a consistent and user-friendly manner, so that when our position on this changes we can adequately inform, and gain consent from, your users.
Further reading:
Post by Further search marketing.