We've covered the impending EU 'cookie law' a number of times on this blog, but we've yet to see many practical examples of implementation.
This is because online businesses are not going to add any interruptive messaging to their sites until the last possible moment, and perhaps not before they've seen what their rivals are doing about it.
(UPDATE, 18 April 2012: Our new report, The EU Cookie Law: A Guide to Compliance, explains the legislation as far as it affects UK online businesses, sets out some practical steps that you can take towards compliance, and includes examples of how websites can gain users’ consent for setting cookies. Do check it out.)
One way a website may gain consent is through the use of a modal dialogue box. This could be shown on the homepage or on each page where a visitor has not opted in to the cookies the site sets.
Depending upon how the site functions, visitors may not be able to interact with the site until they opt in; if they choose to cancel, the site will have to work as well as it can without cookies.
It's a simple, enforced call to action which spells out the reasons for cookies (to enhance usability).
The user cannot browse the website until they have dealt with the dialogue box, which is therefore intrusive and likely to increase bounce rates.
Sites may choose to display a translucent status bar at the top or bottom of the website which could be set to appear only on the homepage or on all pages.
It remains visible until a user has opted in to cookies from the website.
It's less intrusive than the dialogue box, and does allow users to continue browsing the website, even if they ignore the message.
The layer may obscure and detract from some of the content on the website.
In addition, because it's easy enough to continue browsing, the user may never opt in, and the site will be unable to deliver any personalisation, or to track that site visit via analytics.
A warning bar could be used in a similar way to the status bar. This appears each time the site wishes to set a cookie, allowing a visitor to accept that cookie or all cookies for the site.
The Information Commissioner does suggest that, as users become more aware of what cookies are set and when, this may in the future be sufficient to demonstrate consent.
This style of functionality is likely to be incorporated into web browsers.
Like the status bar, it's less intrusive and allows the user to continue to browse. It also has the advantage of informing the visitor which cookies the page is using.
It has the same disadvantages as the status bar: the user may not opt in at all, and it does obscure some content.
This is not a mechanism of gaining consent, but is an example of how websites may choose to amend or create visitor preferences.
Where a visitor is signed in, websites may show the user a list of cookies the site uses, allowing them to enable or disable each one in turn.
The same functionality could be given to visitors who are not signed in, but would itself require a cookie to store these preferences.
I asked Matt about the approaches shown here.
Are these examples sufficient to show compliance with the cookie law?
For websites obtaining consent for first party cookies from their domain, these methods should comply as they are asking the user to give their consent before storing a cookie.
Which do you think is the best of the three options?
My personal view is that either two or three is best as it is less intrusive to the user but gives a continual call to action.
Method three is good as it gives the best awareness by telling a user when a cookie needs to be set again.
My personal view is that browsers may in the future recognise certain types of cookies and allow you to set these in your preferences, i.e. always allow Google Analytics, prompt me to set rules for unknown cookies.
I would recommend that all methods need planning to communicate any changes to users as early as possible and to ensure the type and level of intrusion of each cookie is identified and covered by the policy.
Are there still some grey areas here?
Yes, third party cookies. That is, those from a different domain. Technically, the owner of the site setting the cookie needs to gain the user's consent, and in such instances that is not the site the user is on. This could cause confusion for the user.
Then there are potential issues around Facebook Applications; these are hosted externally to Facebook. These apps may set their own cookies and so technically require consent.
A user may have already 'connected' with the app through Facebook and may be confused if they see further non-Facebook branded consent dialogues or messages.
There is also much debate about what is essential. At the moment, the regulations say this is for cookies which relate to content delivery, encryption or shopping baskets where, without them, the site would not function.
The ICO makes a good point that the PECR make no distinction between the different types of cookies (first or third party) and how intrusive they are. However, if a cookie is used to provide security or in content delivery optimisation, it may be exempt.
We would suggest that best practice for sites using third party cookies is to ensure that you are clear and open to a user about how advertising platforms will be used.
Econsultancy is currently helping a number of European companies navigate the road to compliance, so do get in touch if you'd like some help.