The Papertree Digital Blog

Craig Faulkner

What Craig is talking about



The cookie crumbles

Updated | 6 months ago

Tags: Cookies, Privacy

Lots of websites use cookies. A cookie is a tiny file that is downloaded to a user's computer when they visit a website. It stores information about that user's session so that when someone clicks from one page to another, the website knows it is the same person and can display content relevant to that user.

Without cookies, websites would be immensely cumbersome. They would have to pass information from one page to the next every time a link is clicked. This could be terribly insecure. Cookies are, by and large, far more efficient and secure.

Cookies are particularly important for online stores. Without them, you wouldn't be able to buy anything. Every time you clicked onto a different page, the store would forget who you are and empty your shopping basket.

Unfortunately, there's always somebody that wants to spoil the party. No, I'm not talking about the ICO. I'm talking about those that use cookies for unscrupulous purposes.

Tracking cookies track a user's browsing habits. They can be fairly innocent (perhaps simply enabling an online store to show you products similar to ones you've already looked at on the same site), but they're sometimes viewed as an invasion of privacy. They could, after all, be used to tell a company what you do on the internet, which you may or may not be happy to share. Some less scrupulous marketing types might use that information to bombard you with unwanted advertising.

A year ago, the European Union decided on some new rules to govern the use of cookies on websites. They called it the e-Privacy Directive. All twenty-seven members were asked to adopt these rules, but only Denmark and Estonia agreed to comply fully. The UK's version of the measures was put into place by the ICO, but companies were given a year to make sure they were compliant. That deadline was 26th May 2012.

What are the new rules?

Well, basically the idea is to protect the privacy of internet users and allow them to give 'informed consent' to having their information used via cookies on websites.

It's a noble goal, but it's not without its technical flaws. As mentioned above, the vast majority of websites use cookies. In the majority of those cases, cookies are essential to how the website works. Stopping them from working would effectively break the website. In many cases, if a user were to choose not to allow a website to use cookies, the website would have no choice but to turn that user away.

Thankfully the ICO have produced a snappy 30-page guideline document that sort of tells you what you're supposed to do. I use the term 'sort of', because it's not the clearest document in the world. In essence, the ICO are keen that you do something, but aren't specific on what that something should be. Thankfully their website offers a little more advice, but it's perhaps still open to interpretation.

In essence, if you are using cookies, you are required to let visitors to your site know. You're also required to tell them what you're using cookies for.

So what do you need to do to make sure your website complies?

The first thing everyone seems to recommend is to do a cookie audit. This means clicking through every page (or at least every section) of your website and identifying what cookies are used. If you use Firefox, you can download and install the Firebug and Firecookie extensions and run them while you click through the pages. These extensions will tell you what cookies each page is loading and provide a good starting point.
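The same audit can be scripted once you have the `Set-Cookie` headers each page returns. The sketch below is an added example, not part of the original article: the domains, cookie names and captured headers are constructed, and it goes slightly beyond the text by also recording lifetime and the `Secure`/`HttpOnly` flags alongside first- and third-party status.

```python
from http.cookies import SimpleCookie

SITE = "shop.example"  # constructed first-party domain (assumption)

# Constructed capture: (page visited, host that answered, Set-Cookie value).
CAPTURE = [
    ("/", "shop.example", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("/", "shop.example", "basket=3items; Path=/; Max-Age=2592000"),
    ("/products", "analytics.example",
     "_visitor=v1; Domain=analytics.example; Max-Age=63072000"),
    ("/checkout", "shop.example", "session_id=abc123; Path=/; HttpOnly; Secure"),
]


def audit(capture, site=SITE):
    """Build an inventory keyed by (cookie name, domain) from captured headers."""
    inventory = {}
    for page, host, header in capture:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # A cookie without a Domain attribute belongs to the answering host.
            domain = (morsel["domain"] or host).lstrip(".")
            first_party = domain == site or domain.endswith("." + site)
            persistent = bool(morsel["max-age"] or morsel["expires"])
            entry = inventory.setdefault((name, domain), {
                "party": "first" if first_party else "third",
                "lifetime": "persistent" if persistent else "session",
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                "pages": [],
            })
            if page not in entry["pages"]:
                entry["pages"].append(page)
    return inventory


def report(inventory):
    """One line per cookie, ready to be described in the cookie policy."""
    return [
        f"{name} ({domain}): {d['party']}-party, {d['lifetime']}, "
        f"secure={d['secure']}, httponly={d['httponly']}, "
        f"seen on {', '.join(d['pages'])}"
        for (name, domain), d in sorted(inventory.items())
    ]


if __name__ == "__main__":
    print("\n".join(report(audit(CAPTURE))))
```

Each line of the report maps to one entry in the cookie policy; the third-party rows are the ones you need to acknowledge even if you do not control them.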

The next thing to do is tell visitors about those cookies. The most common strategy here is to modify your website's privacy (and cookie) policy. In it, you should detail what cookies your website uses (list them if you need) and, importantly, what they are used for. Your wording needs to be straightforward and not confusing. Remember your audience. Some of them might not be very computer literate. Note that you should, where possible, include information on both your own cookies and third party cookies that are used on your site (such as those used by tracking code like Google Analytics). You don't necessarily have to have a detailed understanding of how third party cookies work, but you should acknowledge that they're used.

The important thing here is that your privacy policy needs to be visible. It's all well and good putting lots of useful information in it, but if people can't find it, you're still not complying with the regulations. In order to give 'informed consent', your visitors need to know that there is something they need to consent to.

The next step, therefore, is to publicise this information. There are a number of approaches that you could take to implement this. We've trawled numerous sites and found several different approaches. Any of these should suffice, but all require you to have a detailed privacy/cookie policy on your website.

  • Simple notification. Your website should include a simple, clear and obvious notification that the site uses cookies and include a link to the policy that details how they're used. Other than this, your site can function exactly as before. In most cases, this is probably the most sensible approach. The information is readily available and the obviousness of the notification uses implied consent: if the user continues to use the website, they're consenting to the use of cookies.
  • Consensual notification. A handful of sites have adopted an approach whereby visitors have to actually do something before they can proceed. In most cases this involves ticking a box to indicate that they accept the use of cookies for the website (which includes a clear link to the privacy policy so the user can make an informed decision). Failure to accept the use of cookies prevents the user from using the website, either by hiding or disabling navigation or by simply preventing access to the main site. This is probably overkill. While most people who want to use your site are likely to click to accept the cookies that go with it, there's always a chance it could dissuade the more casual visitor.
  • Hybrid consensual notification. This is kind of a combination of the above. There is a clear notification on the website, but once the visitor has accepted the use of cookies (again, usually by clicking a tick box or a button), the notification disappears. The visitor can still (more or less) use the website as normal without consenting, but the notification will remain.

Some websites are going with the extreme route of having pop-ups or areas of their home page with dedicated messages about cookies, with reference to the updated privacy policy, that require a user to tick a box, thus obtaining informed consent. An interesting irony here is that the website would probably need to use a cookie to capture consent like this, but since it would only be on the condition that consent is given, technically it complies with the law. You can adopt these routes, and I'm sure the ICO would be thrilled, but it's not entirely necessary.

Perhaps the best approach in the majority of cases is to go along the implied consent route, which the ICO are happy with. To do this, the information about the use of cookies needs to be available in the privacy policy as before, but it should be made clear on the site that cookies are being used and are required (with details in the privacy policy) and that continued use of the website assumes implied consent for the use of such cookies and information for the purposes of providing the services on the website.

There are limits to what implied consent will cover. It means you can only use information collected via cookies for the purposes required in order to serve the website to your visitor. It does not, however, allow you to capture that information for purposes outside of that scope. For that, you would need additional explicit consent, but you should probably first ask yourself whether you really need that information.

Beyond the scope

One thing it's worth noting is that this regulation does stretch a little beyond websites as well. Email marketing can be affected. Many people using email marketing tools to send out email may be able to get tracking data on those emails that tells them the number of times an email has been opened and what links are clicked. It can potentially tell them who performed these actions as well.

There are separate laws covering email marketing that this article isn't going to go into, but providing you're adhering to these (i.e. you're getting consent to email people in the first place), then you're more or less covered anyway. A consideration, however, is that you might want to add a note anywhere on your site that someone can sign up to your mailings (or within the relevant privacy policy) that your emails may be tracked for effectiveness.

In summary

The new EU cookie law and its UK derivative have the honourable intention of looking after website visitors. Admittedly, the implementation is flawed, to the point where the governing body can't provide clear guidance as to how to adhere to it. It is, however, a law and website owners need to take note. Unless a site is deliberately flouting the law, it is unlikely to face legal action, but the ICO is keen to ensure that all site owners have a plan in place to achieve compliance within a reasonable time frame.

Consensus suggests that you should do the following if your website uses cookies:

  • Update your privacy/cookie policy to detail what cookies you use and what you use them for.
  • At the very least include a clear and obvious notification on your website that you use cookies with a link to said privacy policy.

In the longer term, browser manufacturers are looking at ways to further improve the way users deal with website cookies. We'll wait to see what that means, but in the short term, the onus is very much on the websites to make sure that they provide clear information on how they use the data they collect.

Incidentally, my favourite kind of cookie, not to mention my reward for writing this article, has chocolate chips in it.



The following links (to third party sites) are provided for further information. You may or may not find them useful.

ICO guidelines:
Useful article:
Cookie Monster:
