{{ searchResult.published_at | date:'d MMMM yyyy' }}

Loading ...
Loading ...

Enter a search term such as “mobile analytics” or browse our content using the filters above.

No_results

That’s not only a poor Scrabble score but we also couldn’t find any results matching “”.
Check your spelling or try broadening your search.

Logo_distressed

Sorry about this, there is a problem with our search at the moment.
Please try again later.

Call it what you like, the ICO e-privacy law, the cookie directive, or to give it its proper name, Directive 2002/58/EC, but on the 26th May 2011, the law regarding how online business can use cookies for storing information on users’ devices changed.

What does that mean for you? It means ensuring you’re compliant with the new law and avoiding a potential fine of up to £500,000.

You have my attention, but what’s a cookie?

In technology terms, a cookie is file which gets downloaded on to a device when a user accesses your site. Cookies allow a website to recognise a user’s device and store information, which can be used to analyse customer behaviours, this can be anything from log-in details and browsing history, to shopping cart contents.

So what’s changed and why does this apply to me?

In a nutshell, it used to be enough just to state somewhere on your website how you used cookies, and the steps customers could take to remove or stop them. Under the new regulations, you now have to actively seek out permission from the user to store cookies on their device, be it mobile or desktop.

The majority of cookies are simply used to ‘remember’ information about customers, but businesses must now take steps to audit their cookie usage to understand and categorise them according to their level of penetration.

OK then, so where do I start?

The best way of doing this is to ensure you have an expert, who has the tools and techniques to: 

  • Identify and analyse what type of cookies you are using, your current policies for obtaining consent from your customers and how you are using them
  • Grade your cookies as essential, non-essential and non-intrusive, non-essential and intrusive, or obsolete
  • Produce a cookie usage audit report – this will outline what each cookie is for, how intrusive it is, whether it is first or third party, how to get more information on it, and what to do about it
  • Produce a cookie usage statement to add in to website’s privacy section – this will outline what each cookie is for and how to get more information on it
  • Give general advice on how to ensure your website is compliant with the ICO directive as defined at the time of the audit

So I’ve done my audit. What now?

Well, first of all, don’t panic. The government recognises that with this kind of change in the law, a ‘phased’ approach must be taken before it can be enforced.

If for any reason a complaint about cookie usage was levelled against your business, you will be able to demonstrate with the results of your audit, that you have understood the change in the law, and are taking steps to ensure you become compliant with it.

The Government is giving leeway of a year to implement changes to websites, but it’s vital for any business to begin the auditing process immediately to satisfy the initial requirements of the new law.

Nick Jones

Published 28 July, 2011 by Nick Jones

Nick Jones is MD at I Spy Marketing and a contributor to Econsultancy. You can connect with Nick on LinkedIn or follow him on Twitter

5 more posts from this author

Comments (13)

Comment
No-profile-pic
Save or Cancel
Avatar-blank-50x50

lawrence shaw

thanks Nick, at last someone putting out sensible messaging around this subject, rather than just moaning about the changes.

I would add a note of caution to the 'self grading' - for instance retailers may consider a cookie essential.

'to offer appropriate linked items'

Selling a HDMI lead with a new LCD isn't essential to its operation, and anything that tracked / made this happen could be considered a breach.

We are finding it can take 20-26 weeks to sort out key sites, one of the headaches is getting third party suppliers to answer questions about what they do and why.

We've produced a '5 stage methodolgy' around planning and sorting out sites. If anyone wants a copy, drop me a mail (info(a)cookiereports.com)

Cookie reports offers audits, for econsultancy users we would offer 30% discount.

almost 5 years ago

Avatar-blank-50x50

lawrence shaw

thanks Nick, at last someone putting out sensible messaging around this subject, rather than just moaning about the changes.

I would add a note of caution to the 'self grading' - for instance retailers may consider a cookie essential.

'to offer appropriate linked items'

Selling a HDMI lead with a new LCD isn't essential to its operation, and anything that tracked / made this happen could be considered a breach.

We are finding it can take 20-26 weeks to sort out key sites, one of the headaches is getting third party suppliers to answer questions about what they do and why.

We've produced a '5 stage methodolgy' around planning and sorting out sites. If anyone wants a copy, drop me a mail (info(a)cookiereports.com)

Cookie reports offers audits, for econsultancy users we would offer 30% discount.

almost 5 years ago

dan barker

dan barker, E-Business Consultant at Dan Barker

hi, Nick, how are you?

I think it may be useful to add an important note to this: The law is not being enforced until May of next year.

Companies should know this before deciding whether to spend lots of time/money I think.

dan

almost 5 years ago

Avatar-blank-50x50

Jennifer Davis

Having read this article, I spoke to a number of people at my current company and some whom I've worked with in the past. I asked them if their company websites would be complying with the new cookie laws.

Every one of them so far has replied with a firm "no". It seems that the threat of a £500,000 fine isn't enough to scare businesses away from using cookies. They all believe that this law simply cannot be enforced on such a massive scale.

I wonder if the law will simply be met with a country-wide refusal to comply with it. My only concern is that a few companies will be made an example of; hopefully those who do will be able to afford the blow.

(I would like to add that while I understand the spirit in which this law has been introduced, I am definitely opposed to its implementation.)

almost 5 years ago

Avatar-blank-50x50

Matthew Oxley

The frustration I have here is that the law has probably devised without any real consultation with the industry.

Although a 'phased' implementation may sound sensible, it's difficult to see how even this could work out. There's doesn't appear to be much middle ground for the law to recede to, that wouldn't render it entirely irrelevant.

What we'll likely be left with then, is a full retreat (the law is repealed, or the interpretation being that current browser settings are a sufficient 'opt in'), or a situation of almost uniform non-compliance as Jennifer has alluded to.

Both of those situations are a poor result for the Consumers and the industry alike.

almost 5 years ago

Avatar-blank-50x50

Nick Jones

Hi all apologies for the delayed response, have been travelling.

@Nick - you are right, but our view is that the time for businesses to act in terms of auditing current site cookies and amending/adding a cookie usage statement to the privacy statement is now. It needn't be a time consuming or especially expensive exercise but will provide evidence that a business has understood the directive and is providing information to users in the vent of a complaint. Its a question of future proofing current activity rather than jumping into potentially expensive and damaging wholesale changes.

Hope that makes sense.

almost 5 years ago

Avatar-blank-50x50

John Astorga, Web Marketing at St. Jude Medical

Excellent article than you for sharing!

Being a medical device company in the US with European country specific websites where can I find more information? Specifically, what countries does this impact?

almost 5 years ago

Avatar-blank-50x50

Nick Jones

@John Astorga - send me an email and I can send you the relevant info

almost 5 years ago

Jayne Reddyhoff

Jayne Reddyhoff, Director at Zanzi Digital

Nick

I appreciate your advice on carrying out an audit, which seem like a common sense thing to do.

However, your article still does not answer the questions I and others have about what we (or our clients) actually have to DO to make our websites compliant.

And what about Google Analytics?
I have read so many confusing/conflicting articles on this topic and I am none the wiser. Some people have said it’s only about 3rd party cookies and that Google doesn’t use those. Some have suggested that Analytics will become all but worthless.

Any idea where I can get definitive answers and find out what we actually need to do to be compliant?

almost 5 years ago

dan barker

dan barker, E-Business Consultant at Dan Barker

hi, Jayne,

I've spoken to a few solicitors, attended a few events dedicated to the cookie legislation (thrilling eh?!), and spoken to lots of hands-on web analysts (& analytics companies) about this.

The overwhelming response - and the implication of the 12 month pause on enforcing this law - is that site owners should 'wait and see'. The assumption is that the rules will change, OR that more sensible guidelines will be produced in the early part of next year. For me - this is *the* single thing everyone should know about the cookie regulations.

I personally think it's a shame the ICO couldn't explicitly say "wait and see", as this seems to have sprung a little cottage industry of companies scaremongering about the cookie regulations without making much mention of the 'no enforcement until 25th May 2012' clause, and the fact that things may well change before then.

If you want to jump through the hoops of complying in the meantime, the ICO's own site offers a model for doing this (see http://www.ico.gov.uk/). They feature a box at the top of the each page within which you must check an 'I accept cookies from this site' agreement before they place any cookies on your machine. In a stroke of genius, Vicky Brock of Highland Business Research put in a freedom of information request to the ICO to see what impact that had on their tracking - the results of that can be seen here: http://www.flickr.com/photos/vickyb/5859873960/in/photostream

If I ran a large site likely to be affected by this, the step I'd take toward complying would simply be to write down a bullet-point plan for "What we'll do if guidance is not updated next year". The plan would look very similar to this great blog post from Steak: http://www.steakdigital.co.uk/blog/2011/05/update-how-to-be-ready-for-the-eu-cookie-law-new-ico-guidance/

I hope that's useful rather than more confusion!

dan

almost 5 years ago

Avatar-blank-50x50

Joanna Chmielewska, Head of Analytics & Conversion at I Spy Marketing

Hi Jayne,

Nick is currently on holiday. I head up the Analytics & Conversion department here at I Spy, I thought in Nick's absence I may be of some assistance.

To answer your question about what you need to do to make your site compliant, the ICO haven't nailed it down yet, however, they do talk about a few different techniques which are covered in this document http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf.

Have a look at page 6 to 8 for details.

Regarding Google Analytics, these cookies will be classified as non-essential and non intrusive (assuming that you follow Google's terms and conditions and do not collect any personally identifiable information). Therefore users will need to give explicit consent to accept GA cookies, which means that those who don’t won’t be tracked. It’s hard to speculate right now on how this will affect the viability of analytics solutions in the future, as the ICO still have more work to do on defining exactly what compliance means.

So to answer your question about getting definitive answers, at this stage all the ICO are looking for is evidence that website owners are making steps to achieve compliance. The practical solution to this is to carry out a cookie audit on your website, or if you haven't got an expert in house or find an agency that may be able to assist.

Thanks,

Joanna

almost 5 years ago

Avatar-blank-50x50

Joanna Chmielewska, Head of Analytics & Conversion at I Spy Marketing

Hi Jayne,

Nick is currently on holiday, I am I Spy’s Head of Analytics & Conversion so thought I may be of assistance in his absence.

To answer your question about what you need to do to make your site compliant, the ICO haven't nailed it down yet, however, they do talk about a few different techniques which are covered in this document http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf.
Have a look at page 6 to 8 for details.

Regarding Google Analytics, these cookies will be classified as non-essential and non intrusive (assuming that you follow Google's terms and conditions and do not collect any personally identifiable information). Therefore users will need to give explicit consent to accept GA cookies, which means that those who don’t won’t be tracked. It’s hard to speculate right now on how this will affect the viability of analytics solutions in the future, as the ICO still have more work to do on defining exactly what compliance means.

So to answer your question about getting definitive answers, at this stage all the ICO are looking for is evidence that website owners are making steps to achieve compliance. The practical solution to this is to commission a cookie audit on your website, which of course we’d be happy to help with.

Please get in touch if you need further details.

Joanna

almost 5 years ago

Avatar-blank-50x50

Nick Jones

@Jayne - Our Head of Analytics tried to post this yesterday but didn't go live for some reason..

To answer your question about what you need to do to make your site compliant, the ICO haven't nailed it down yet, however, they do talk about a few different techniques which are covered in this document http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf.
Have a look at page 6 to 8 for details.

Regarding Google Analytics, these cookies will be classified as non-essential and non intrusive (assuming that you follow Google's terms and conditions and do not collect any personally identifiable information). Therefore users will need to give explicit consent to accept GA cookies, which means that those who don’t won’t be tracked. It’s hard to speculate right now on how this will affect the viability of analytics solutions in the future, as the ICO still have more work to do on defining exactly what compliance means.

So to answer your question about getting definitive answers, at this stage all the ICO are looking for is evidence that website owners are making steps to achieve compliance.

almost 5 years ago

Comment
No-profile-pic
Save or Cancel
Daily_pulse_signup_wide

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Daily Pulse newsletter. Each weekday, you ll receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.