If you have a website and you aren’t up-to-date on ‘cookie’ law, you must read this!
A privacy law that came into force last year demands that websites based in the EU which are using ‘cookies’ publicise this fact to their visitors and provide them with ways to opt-out. This almost certainly includes your website.
“Cookies?”, we hear you cry. These are little bits of text that websites drop into a folder used by a visitor’s web browser (Internet Explorer, Chrome, Firefox, Safari, etc.). They allow information to be maintained while the visitor is on your site and, often, to identify the visitor as a returning user when they come back. Most businesses are dropping cookies to enable user statistics, with Google Analytics being the most popular third-party provider (that’s what we use). Getting good stats on visitor numbers, the pages they visit, the time spent on your site, etc., is invaluable, but now you have to be up-front about it.
A year’s grace was given to implement this law, but that expired on May 26, giving the Information Commissioner’s Office the power to impose fines of up to £500,000 on infringers. Initially the requirements were rather draconian, insisting that users click a ‘yes’ or ‘no’ button to accept your cookies before they were placed on their machine.
Fortunately this has been softened somewhat, with the ICO ruling that ‘implied consent’ is usually acceptable, whereby you tell users you’re using cookies and give them the option to view which cookies you use and your privacy policy before proceeding. The ‘implied’ element is that if they continue browsing regardless, they are accepting your use of cookies.
Unfortunately we can’t tell you that you can simply push a button to make all of this happen on your website. There are various solutions, depending upon the technology that powers your site. It’s time to get on the phone to your web developer and get them on the case if they’re not already.
It’s early days and the ICO is likely to be understanding if they contact you on the issue, as long as you can demonstrate that you are proactively working towards implementation. But there have been no test cases yet and someone, somewhere, is going to be the scapegoat at some point. Right now there’s no reason to think that you can bury your head in the sand on this issue and hope it goes away.