For a while now I’ve been on the trail of a solution to the “EU Cookie Directive” which in it’s most basic form means that any cookie which your website uses that is not used for an essential service (eg. controlling a shopping cart) must have “direct permission” of the user before it can be implemented. For many this would mean we need permission to track analytics, this is not an essential function of a website.
Before we begin we need to consider the question…
What is a Cookie?
For most users of the web cookies go unnoticed, or are a nice snack alongside a brew. But in terms of the web a “cookie” is a small piece of code a website sends to a browser to store little snippets of data, it can be anything from what is in your shopping cart to which web pages you’ve visited to what you search for or which websites you are shown.
Now there are two types of cookie, first party and third party. First party are those dropped by the website itself, these are generally under this directive accepted as being fine. Third party are those which are used by the website but come from another service such as Google Analytics and NOT the website itself.
To understand the law we need to think about…
Where did the EU Cookie Directive start?
It appears that the EU Cookie Directive was born of user complaints about third party cookies being used to serve adverts across the web, the most popular service for this is Google Adsense.
And that is why the EU wants websites to collect permission for those non-essential cookies. Basically if your website can work without those cookies (analytics, adverts etc) then you must collect permission for those cookies being used.
But the website still works so…
What’s the problem with the EU Cookie Directive?
The problem comes in a few forms. First, how do you collect permission without hindering the website experience for your visitors? Second, can you get use implicit permission or do you need explicit permission, and is this for some or all types of cookie? Third, will this make for an uneven playing field in the UK, Europe and across the world for business, will your business suffer due to this directive?
The answers are fairly hard to come by. The reason for the failure to give a direct answer here is that we just don’t know the answer. The Cookie Law was written by what appear to be technically inept people, lawyers who don’t know what cookies really do. This means the law is so broad and unclear of “what you need to do to comply” that each country is approaching the law in a different way and some EU countries are ignoring the law. What is also unclear about the law is whether websites served from servers outside of the EU must comply directly, so for say Google.co.uk will that need permission for anything but search and then be impossible to collect info about which search you’ve used and therefore it will damage that business? If so that website will be served from US or other servers and may avoid the law giving it upper-hand on its competitors, as suddenly it doesn’t need to comply?
Using the above example it’s easy to see why lots of businesses are crying out for guidance on this matter, are businesses about to take a hit for implementing an explicit solution asking for permission whilst other businesses in that niche market are not implementing anything?
The Solution the the Cookie Question?
However the above solution does not gain permission of the user in an explicit way, alone.
The explicit permission is at the top of ICO.gov.uk where you will see a tick box asking for your permission to track you. This is one possible solution.
Another solution is a pop up box solution, the type used by AllAboutCookies.org (another great resource for further reading on this directive). There are others of a similar elk to AAC’s solution provided by Wolf Software, but that implementation is simple and fairly easy to follow.
There are other solutions also that are not pop up’s and not just like ICO’s. However, wolf software does display a few different ways you can implement explicit solutions. Do take a look, there is no real one-size solution to this problem.
Finally, I want to finish on a little tip. It is doubtful that ICO or DCMS will implement this law in all its power even once 26 May rolls around. The law became law in 2011 and ICO gave the UK 1 year to find a solution, since then the above solutions have appeared. Across Europe others have appeared but none as clear as the above. Also many EU countries as mentioned above have given grace or ignored the law.