Your Options for Getting Cookie Legal

There has been plenty of advice around in the last few months about what the cookie law means, and what website owners should do about it.

However, until now that advice has largely fallen critically short.

Back in May the ICO gave some guidance about what to do, which amounted to:

• Figure out what cookies you’ve got that need consent.
• Put mechanisms in place to obtain consent.

Almost everything I have seen written about the subject so far has focussed exclusively on the first point – working out what cookies you’ve got.  In the vast majority of cases this is followed up by an offer to provide a ‘Cookie Audit’ – by the people offering the advice, at potentially great expense.

Even the use of the term ‘audit’ is taken directly from the ICO’s guidance.  Not very creative then.

What I have seen very little evidence of, especially from major players, is any kind of answer to the inevitable question of ‘And then what?’

And Then What?

So you have a list of cookies that need consent, what are your options for obtaining it?

The law requires that you have to obtain consent for the use of cookies. Accepted definitions of consent mean that it should be based on information about what the cookies do, and it should be obtained before setting the cookie – for more information, see my earlier article about defining consent.

Global Consent

The simplest approach, and one that is going to work for the vast majority of websites, is to ask for consent for all your cookies as soon as people arrive on your site, which means your home page and any other possible landing page (which could be all of them).

There are almost certainly some cookies that your website will set on every page – particularly those used for web analytics, or any social media buttons that appear in header and footer areas in your standard pages.

This means that you will need to block these cookies by default and then use some kind of on-page mechanism to get consent.

The rollover that we use at the top of our site, and the device that the ICO use on their website, both follow this pattern.

That on-page mechanism can be unobtrusive like ours, and allow browsing without consent, or it could potentially take over the whole page – stopping people from viewing your site until they have consented.

This whole page approach may seem radical and high risk – and won’t suit many sites, but if the ability to track visitors is vital to your business model – it could make perfect sense.

In our ‘global consent’ solution, once consent has been recieved, a cookie is set to record this fact – and then the message can be removed.  As the user browses the site, each pages checks for the presence of the consent cookie, and this then prevents the message being loaded for each new page visited.

The global consent approach is probably the simplest solution both for visitors to get used to and website owners to implement. For visitors it offers consistancy, and as the obtaining of consent becomes more common, as consistant approach helps build confidence in giving their consent.

For website owners it can mean adding some very simple script into their core page templates to automatically put it on every page.  For well built sites using an existing script – it could be a few minutes work.  If this sounds like it may meet your needs, you can register your interest in our solution.

However, some sites won’t set cookies on all pages, or set some cookies only for certain types of visitors, so they might consider an alternative.

Selective Consent

Some cookies will lend themselves to obtaining consent on very specific pages in your site.  A good example being cookies to remember whether someone has logged in to a part of the site.

In this instance you may choose to get specific consent for that cookie, at the point at which they log in.  This could be done via a message with a tick box on the login page, or it could be put in your terms and conditions, which you then ask people to signify agreement to as part of an initial registration.

You should make it clear though what people are consenting to.  If they are asked to consent to the login cookie only, this cannot be extended to consent for all other cookies on your site.  This would be in breach of the regulations.

This technique will work any time you want to set a cookie to remember something specific about a visitor, including things like preferences for personalisation of their experience.

These two aproaches together are likely to be workable solutions to becoming cookie legal for the vast majority of websites, but there is something else you should be aware of.

Unstoppable Cookies

Both of these approaches assume that it is possible to not set the cookies in question until consent has been obtained.  However, the reality of web technologies is that some cookies will be more difficult to stop being set without consent than others.

For example a lot of websites use content management systems that set cookies just as part of their normal processes for displaying pages.  In some cases, you will not be able to change the way your system works to prevent this happening.

However, don’t worry too much about these.  They are almost all session cookies, which are deleted when your visitor closes their browser.  This means they can’t be used to hold any data that anyone might be concerned about, and they don’t pass this information on to other sites – so the impact on privacy is minimal.

Regulators should know about these kinds of cookies, the ICO themselves acknowledge they have one on their site, and therefore they will most likely take a lenient approach to these.

As long as you tell your visitors about these cookies, and take action about the ones you can control relatively easily, then you are as compliant as anyone can reasonably be asked to be.

I hope this is useful, if you have any comments or can think of alternative scenarios – please add your thoughts or questions and I can pick up on any issues in future articles.