How to comply with the law
Firstly, we would like to stress that at the moment there are no official guidelines on how best to adhere to the new law – this has been left open for interpretation by individuals and their websites. The guidance provided below is therefore based on the information currently available, is subject to change and should not be considered definitive.
Furthermore, it's worth noting that there has not yet been confirmation as to what the penalties will be for failing to comply with the new law. Startups will bring you updates and news as and when we have them.
Asking for permission
This is essentially what everything boils down to – getting permission from the user before placing the cookie on their computer without misrepresenting its purpose or your intentions with the information that results from the cookie. So how can we ask for permission and what’s the impact likely to be?
If we use this as our guideline there are a number of ways we can approach the problem, depending on the number of cookies that your website uses. In the case of our website, Digital-clarity.com, we would be required to ask permission for Analytics tracking as soon as someone arrives at the website, so something like the solution below may be suitable:
This addresses a few problems:
1. We have asked permission to add Analytics tracking cookies, explained how long they will exist for and that they cannot be used to identify the individual. We’ve provided the option to accept this cookie or reject it depending on how comfortable the user is with us collecting this data.
2. In the opening line we are linking ‘cookies’ to the corresponding Wikipedia page, should the visitor be unsure of what a cookie is.
3. To remember what the user has selected we must add a cookie (catch 22!) – but if they are not happy with this we give a final option to close the box.
Of course the issue with this is the box will appear on every page that the user visits – hardly ideal.
Now that’s probably not the most aesthetically pleasing way of solving the problem, but it gives you an idea of what is possible and this method should be suitable for one or two different cookies, but what if you need to ask permission for more – very likely if you run an e-commerce or service-based website.
In this example, we have managed to ask for permission, explain what each cookie/set of cookies is for and give the user the ability to choose between them or choose none of them – meeting all requirements the EU cookie law sets out.
Take note of the wording used in both examples above – you’re asking the user for something so it’s important to be nice about it and make it clear they have a choice. A formal tone of voice with little explanation of what they are able to choose is likely to put people off.
Disclaimer: We have no knowledge of which software Amazon.co.uk uses, which partners it works with or which cookies it may use – this should act only as a visual example and is not specific to Amazon.co.uk
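The accept / reject / close behaviour described above, extended to per-category choices, can be expressed as a small consent gate. This is an added example, not code from Digital Clarity or any site mentioned; the cookie name, category names and one-year lifetime are assumptions.

```javascript
// Added example: consent gate for the permission box described above.
const CONSENT_COOKIE = "cookie_consent";          // hypothetical cookie name
const CATEGORIES = ["analytics", "advertising"];  // hypothetical categories

// Parse a document.cookie-style string ("a=1; b=2") into a plain map.
function parseCookies(cookieString) {
  const jar = Object.create(null);
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Stored choice as a Set of granted categories, or null when the visitor
// has not answered yet (including when they simply closed the box).
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  return new Set(raw.split("|").filter((c) => CATEGORIES.includes(c)));
}

// Decide what the page may do on this request. Default-deny: no optional
// cookie is created until there is an explicit accept for its category.
function decide(cookieString) {
  const consent = readConsent(cookieString);
  return {
    showBanner: consent === null,
    allowed: CATEGORIES.filter((c) => consent !== null && consent.has(c)),
  };
}

// Cookie string to store for a banner action. "close" stores nothing,
// which is why the box reappears on every page the visitor opens.
function consentCookieFor(action, chosen = [], days = 365) {
  if (action === "close") return null;
  const granted = action === "accept"
    ? chosen.filter((c) => CATEGORIES.includes(c))
    : [];
  const value = granted.length ? granted.join("|") : "none";
  return `${CONSENT_COOKIE}=${value}; Max-Age=${days * 86400}; Path=/; SameSite=Lax; Secure`;
}
```

In a browser the result of `consentCookieFor` is assigned to `document.cookie`, and the analytics script is only injected when `decide(document.cookie).allowed` contains its category.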
Do I have to explain each cookie?
While you must provide information on all cookies you wish to create, it is not necessary to do so next to a request for permission – linking to a privacy notice that includes the information is also acceptable. However, we do not believe this to be as effective, and by hiding the information on another page you are making the visitor work – remember you want something from them, not the other way around. It’s much easier to click ‘No’ than go and search for an explanation on another page.
Possible exceptions
The ICO has suggested that cookies vital to the correct operation of your website may not need prior permission before being added to a user’s computer, however this is not confirmed. Those that may fall under this category are shopping basket cookies, where the visitor must be able to store their items in a basket as they navigate through the website.
How big an impact will this have?
It’s fair to say that when given the choice many people would rather not allow you to collect data on their activities, and so we must inevitably accept that there will be a reduction in the amount of data available through your analytics package and all other third party tools. The ICO itself implemented a similar permission-based technique as explored in the above screenshots and the result was a 90% drop in visitors being tracked by Google Analytics – that’s nine in 10 who declined the cookie.
If you run a website that provides a service or sells products, the impact of this is potentially massive. As marketers as well as business owners, we rely on this data to make educated decisions on how to improve the website and to refine the conversion funnel to grow sales. With a 90% reduction in available data these decisions will be far from informed.
We must therefore make the permission process as effective as possible to drive the 10% of opt-ins up as high as we can.
What can I do in the short term?
Carry out an audit to identify all of the cookies that may be added to the computer of a visitor to your website, whether they are created by you or a third party such as an ad network. Where possible, you should stop these being created or limit their creation to only when they’re strictly necessary.
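One way to turn such an audit into an inventory is to record the `Set-Cookie` headers seen while browsing your own site and classify each one by who set it and how long it lives. This is an added example, not part of the original article; the domain, cookie names and observations are constructed sample data.

```javascript
// Added example: cookie inventory built from recorded Set-Cookie headers.
const SITE = "example.com"; // placeholder for your own domain

// Constructed sample observations (host that sent the header + the header).
const observed = [
  { host: "www.example.com", setCookie: "basket=abc123; Path=/; HttpOnly" },
  { host: "www.example.com", setCookie: "site_stats=v1.42; Max-Age=63072000; Path=/" },
  { host: "ads.adnetwork.example",
    setCookie: "uid=77; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=adnetwork.example" },
];

// Split one Set-Cookie header into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const attr = Object.create(null);
  for (const a of attrs) {
    const eq = a.indexOf("=");
    const key = (eq < 0 ? a : a.slice(0, eq)).toLowerCase();
    attr[key] = eq < 0 ? true : a.slice(eq + 1);
  }
  return { name, attr };
}

// Lifetime in days: Max-Age takes precedence over Expires;
// a cookie with neither attribute lasts only for the browser session.
function lifetimeDays(attr, now) {
  if (attr["max-age"] !== undefined) return Number(attr["max-age"]) / 86400;
  if (attr.expires !== undefined) return (Date.parse(attr.expires) - now) / 86400000;
  return null;
}

// One inventory row per observed cookie.
function audit(observations, site, now = Date.now()) {
  return observations.map(({ host, setCookie }) => {
    const { name, attr } = parseSetCookie(setCookie);
    const firstParty = host === site || host.endsWith("." + site);
    const days = lifetimeDays(attr, now);
    return {
      name,
      setBy: host,
      party: firstParty ? "first" : "third",
      lifetime: days === null ? "session" : `${Math.round(days)} days`,
    };
  });
}
```

The resulting rows give you the list of cookies to remove, restrict or ask permission for, and the lifetimes you would need to state in the permission request.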
Where cookies are required to allow you to achieve your business goals you must ask permission to add them, even cookies vital to the operation of your website – at least until the ICO can bring some clarification on the matter.
We would also recommend keeping up to date with the ICO and any announcements it makes which may offer more official guidance on the subject. You can find them at http://www.ico.gov.uk/.
To summarise, at the moment there's no clear directive on the best way to comply with the new law so everyone's in the dark, to a degree. It's worth keeping an eye on the big online retailers and website publishers to see what they are doing. Meanwhile, stay tuned to Startups for updates and announcements as and when they happen.
Further information:
AboutCookies.org
Cookielaw.org
Google Groups
Out-Law.com
Written by Reggie James and Tom Collinson of Digital Clarity, a provider of SEO services as well as search, social and analytics solutions.