Without cookies, websites would be immensely cumbersome. They would have to pass information from one page to the next every time a link is clicked. This could be terribly insecure. Cookies are, by and large, far more efficient and secure.
Cookies are particularly important for online stores. Without them, you wouldn't be able to buy anything. Every time you clicked onto a different page, the store would forget who you are and empty your shopping basket.
Tracking cookies track a user's browsing habits. They can be fairly innocent (perhaps simply enabling an online store to show you products similar to ones you've already looked at on the same site), but they're sometimes viewed as an invasion of privacy. They could, after all, be used to tell a company what you do on the internet, which you may or may not be happy to share. Some less scrupulous marketing types might use that information to bombard you with unwanted advertising.
What are the new rules?
Well, basically the idea is to protect the privacy of internet users and allow them to give 'informed consent' to having their information used via cookies on websites.
Thankfully the ICO has produced a snappy 30-page guideline document that sort of tells you what you're supposed to do. I use the term 'sort of' because it's not the clearest document in the world. In essence, the ICO is keen that you do something, but isn't specific about what that something should be. Thankfully its website offers a little more advice, but it's perhaps still open to interpretation.
In essence, if you are using cookies, you are required to let visitors to your site know. You're also required to tell them what you're using cookies for.
So what do you need to do to make sure your website complies?
The first thing everyone seems to recommend is to do a cookie audit. This means clicking through every page (or at least every section) of your website and identifying what cookies are used. If you use Firefox, you can download and install the Firebug and Firecookie extensions and run them while you click through the pages. These extensions will tell you what cookies each page is loading and provide a good starting point.
The next thing to do is tell visitors about those cookies. The most common strategy here is to modify your website's privacy (and cookie) policy. In it, you should detail what cookies your website uses (list them if you need to) and, importantly, what they are used for. Your wording needs to be straightforward and not confusing. Remember your audience: some of them might not be very computer literate. Note that you should, where possible, include information on both your own cookies and third-party cookies that are used on your site (such as those set by tracking code like Google Analytics). You don't necessarily have to have a detailed understanding of how third-party cookies work, but you should acknowledge that they're used.
- Simple notification. Your website should include a simple, clear and obvious notification that the site uses cookies and include a link to the policy that details how they're used. Other than this, your site can function exactly as before. In most cases, this is probably the most sensible approach. The information is readily available and the obviousness of the notification uses implied consent: if the user continues to use the
  Examples: http://www.hsbc.co.uk, http://www.channel4.com/
There are limits to what implied consent will cover. It means you can only use information collected via cookies for the purposes required in order to serve the website to your visitor. It does not, however, allow you to capture that information for purposes outside of that scope. For that, you would need additional explicit consent, but you should probably first ask yourself whether you really need that information.
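As an added example (not code from the article), here is a small Python helper for the cookie audit and policy-listing steps above: it parses Set-Cookie headers captured while clicking through the site and builds a first-party/third-party inventory for the policy. The hostnames and captured headers are constructed samples; cookies set by scripts (such as Google Analytics) never appear in Set-Cookie headers, which is why the browser-extension audit described above still matters.

```python
# Cookie audit helper (added example, not from the article): turn Set-Cookie
# headers captured while clicking through a site into the inventory that a
# cookie policy has to list. The captures below are constructed samples.
from urllib.parse import urlsplit

def _registrable(host):
    # Crude registrable domain: last two labels. Fine for the sample hosts;
    # a real audit would consult the Public Suffix List.
    return ".".join(host.lower().lstrip(".").split(".")[-2:])

def parse_set_cookie(header, response_url, site_host):
    """Return one inventory record for a single Set-Cookie header value."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    rec = {"name": pair.split("=", 1)[0],
           "domain": urlsplit(response_url).hostname or "",  # default: responder
           "persistent": False, "secure": False, "http_only": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain" and val:
            rec["domain"] = val.lstrip(".")
        elif key in ("expires", "max-age"):
            rec["persistent"] = True   # otherwise it dies with the browser session
        elif key == "secure":
            rec["secure"] = True
        elif key == "httponly":
            rec["http_only"] = True
    same_site = _registrable(rec["domain"]) == _registrable(site_host)
    rec["party"] = "first" if same_site else "third"
    return rec

def audit(captures, site_host):
    """captures: list of (response_url, [Set-Cookie header, ...]); returns a
    de-duplicated inventory sorted first-party before third-party."""
    seen = {}
    for url, headers in captures:
        for header in headers:
            rec = parse_set_cookie(header, url, site_host)
            seen.setdefault((rec["name"], rec["domain"]), rec)
    return sorted(seen.values(), key=lambda r: (r["party"], r["domain"], r["name"]))

# Constructed sample: a shop page setting two cookies, plus a third-party pixel.
SAMPLE_CAPTURES = [
    ("https://www.example-shop.test/basket",
     ["sessionid=abc123; Path=/; HttpOnly; Secure",
      "basket=3items; Path=/; Max-Age=604800"]),
    ("https://ads.tracker.test/pixel",
     ["uid=xyz789; Path=/; Expires=Thu, 01 Jan 2015 00:00:00 GMT"]),
]
```

Calling `audit(SAMPLE_CAPTURES, "www.example-shop.test")` yields the two first-party cookies (one session, one persistent) followed by the third-party tracking cookie, which is the split the policy wording needs.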
Beyond the scope
One thing it's worth noting is that this regulation does stretch a little beyond websites as well. Email marketing can be affected. Many people using email marketing tools to send out email may be able to get tracking data on those emails that tells them the number of times an email has been opened and what links are clicked. It can potentially tell them who performed these actions as well.
The new EU cookie law and its UK derivative have the honourable intention of looking after website visitors. Admittedly, the implementation is flawed, to the point where the governing body can't provide clear guidance as to how to adhere to it. It is, however, a law and website owners need to take note. Unless a site is deliberately flouting the law, it is unlikely to face legal action, but the ICO is keen to ensure that all site owners have a plan in place to achieve compliance within a reasonable time frame.
In the longer term, browser manufacturers are looking at ways to further improve the way users deal with website cookies. We'll wait to see what that means, but in the short term, the onus is very much on the websites to make sure that they provide clear information on how they use the data they collect.
Incidentally, my favourite kind of cookie, not to mention my reward for writing this article, has chocolate chips in it.
The following links (to third-party sites) are provided for further information. You may or may not find them useful.
ICO guidelines: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
Useful article: http://boagworld.com/site-content/the-eu-cookie-law-what-to-do-now/
Cookie Monster: http://en.wikipedia.org/wiki/Cookie_Monster