After a year of anticipation and much debate the new EU Privacy Directive came into force this weekend. What does this mean for website owners in the UK? In short it means we must all be transparent about the cookies that are being used on our websites and the information they contain about our visitors.

The new directive aims to provide the customer with an awareness of what is happening as they are travelling across the web and information that is collected. As a result the aim is that every website must clearly display if it uses cookies and if so which cookies are present, the function that they have and what information is stored about them and obtain consent for cookies to be dropped. Failure to comply with the new legislation could result in a fine of up to £500,000 by the Information Commissions Office (ICO).

Not knowing where to start is often the most daunting part of any new project. In order to comply with the new legislation, first you must find out what cookies are currently in operation. The Internet Advertising Bureau (IAB) has outlined some simple questions that can be used as the basis of a cookie audit.

Cookie Audit Questions:

• Date – date the questionnaire was completed
• Business Area – the business areas that has completed the questionnaire
• Completed By – include the full name, job title, email address and telephone number of the person who has completed the audit
• Website Name & URL – If you have more then one website, multiple audits will need to be carried out. An audit for each website must be completed
• EU Countries the website is aimed at – Is the website for a UK audience only or does it cover the EU to?
• Does the website currently have a privacy policy? – If so include a link to the policy
• Does the website currently have a cookies policy? – If so include a link to the policy
• Does the cookie policy contain information on the individual cookies and how to switch them off?
• Does the policy contain privacy, cookie and security information?
• Cookie Name or ID – something that allows you to easily identify the cookie
• Cookie Purpose – what is the purpose of this cookie? Functionality, tracking etc?
• Targeted Marketing – does the cookie allow for targeted marketing/advertising?
• What data does the cookie hold? – does the cookie contain any personal data?
• 1^st or 3^rd Party Cookie?
• If the cookie is a third party state who the cookie belongs to
• Is the cookie temporary, persistent or flash?

NB functional cookies are deemed exempt from legislation. Functional cookies are cookies which make a website work, for example take items from the basket to checkout or cookies used within the checkout process. Analytical and marketing cookies are not considered to be a functional cookie.

Once the cookie audit is finished you will have a complete picture of those cookies that are currently in place. The focus of any action by the ICO is likely to be surrounding the intrusive cookies. Place your focus first and foremost of the most intrusive cookies and work down towards privacy neutral cookies. Take this opportunity to consider the following;

• Are all of the cookies necessary?
• Are there any old cookies that can be removed?
• Can any of the persistent cookies be made temporary cookies?
• What information is essential and what is nice to have?

The Cookie Legislation talks about making information on cookies clear on the website, it is not acceptable to bury the information in the privacy policy. In addition the ICO detail that ‘opt in’ consent should ideally be obtained prior to cookies being dropped. This would result in a check box needing to be actively ticked by the visitor in order to gain consent. The ICO implemented an opt in check box to demonstrate the opt in approach an as a result lost 90% of their Google Analytics tracking. It’s no surprise with a 90% loss of marketing analytics people have looked for another method of obtaining consent.

Up until this weekend companies have been cagey about the approach they are taking in order to comply with the legislation, it seems that the masses have opted for an ‘implied’ consent approach. One website that operate an ‘implied’ consent approach, which has been commended by the ICO is a company called Reddbridge http://www.reddbridge.co.uk/. Reddbridge clearly state that cookies are being used on the website and that by clicking on any part of the page means that the visitor is consenting for cookies to being used. Should they wish to opt out of cookies Reddbridge provide a link with information detailing how this can be done.

Which approach to take is something that can only be decided by you and what is right for your company. Here are some pointers that may help you make a decision;

• It is important to demonstrate that your company has made an effort to comply with the legislation, it is not acceptable to sit back and do nothing
• Keep records of emails, audits and meetings surrounding cookie legislation, these will help demonstrate the steps taken to comply with the legislation
• Information on cookies should be clearly visible on your website, it is not to be buried along with the privacy policy at the bottom of the page
• Remember the information on cookies has to be displayed on every landing page not just the homepage
• It is likely the ICO will initially focus their efforts on companies that have high level of intrusive cookies. They will be adopting a three strikes approach, should you’re site not be compliant after the third strike, it is at that point the ICO will consider implementing a fine
• Remember if you have made every effort to comply with the legislation it is unlikely, in the first instance, that you will be fined should the ICO find you’re not compliant

In summary regardless of whether you go for opt in or implied consent these five steps will help guide you through the process.

1. Complete a cookie audit
2. Minimize the level of intrusive & persistent cookies used
3. Construct a cookie legislation policy details cookies used, information stored and how to opt out
4. Make the cookie policy visible on site, preferably above the page fold
5. Keep records of the steps you have made to become compliant

We understanding that the changes in legislations may feel like a mine field, we are hear to help guide you through and make sure you get out the other side safely! Should you wish to speak to a member of the team about the Cookie Legislation in more detail please feel free to get in touch on: 01793 238697.

Useful Links & Sources

http://www.iabaffiliatemarketing.com/help-with-your-cookie-audit/

http://www.twylah.com/SEOsherlock/tweets/202750231153090560

http://www.guardian.co.uk/money/2012/mar/30/internet-cookie-crunch-online-shopping