New privacy laws in effect.
As of 26 May 2011, the new EU privacy laws are in effect and all sites are required to consider how they comply with the new rules.
However, the ICO has given a one-year window for implementation and compliance with the new rules. Get it wrong and you could be fined up to £500,000!
The Information Commissioner’s Office has issued guidance around how these laws affect EU companies and what is and isn’t covered in the directive. While its aim is to provide a steer and not a strict set of rules, the practicalities of adhering to the laws are still very much unclear for most, as is the eventual impact the changes will have.
The law relates to cookies and any other technologies which store information on a user’s device.
While there has always been a need to be explicit about how cookies work and to alert users to the fact that these will be stored during their visit, the specific shift is from users having to opt out to users now having to opt in before cookies can be stored on their machine. A subtle but significant change.
Don’t get excited by the title, there is only one exception to the rule and that is those cookies which are “strictly necessary” to carry out a function the user has requested. The example given is around using cookies to remember items a user has selected to buy before they proceed to the checkout.
The ICO have been clear that this exception offers very little room for interpretation.
The government’s view is that the changes should be enforced in a phased approach given the lack of clarity and the significant work which may be required to bring some sites up to compliance level. While this means you won’t be hauled over the coals if you haven’t made the changes, you do need to be thinking about coming up with a plan of action.
If the ICO receive a complaint about your site and you can’t show you plan to rectify it, you could receive a fine, so ignoring the problem isn’t an option.
Make a list of the cookies your site uses, with the most intrusive at the top and the least at the bottom.
Start thinking about what solutions you could come up with that might address those at the top, and work your way down.
The most intrusive cookies are the ones used to track and monitor user behavior and reveal personal information about the individual. These are the ones that need to be addressed as a matter of urgency.
How you decide to gain consent will depend very much on your unique situation and the judgment you make on what will suit your users. As time goes on, this will no doubt start inspiring many more help sites and ideas from other users.
Unfortunately, opting in can’t currently be managed through browser settings, as they aren’t able to request the level of detail needed. According to the ICO, though, the government is currently working with the major browser manufacturers to establish when browser-level solutions might be available.
Terms and conditions
Third party cookies
This is where it starts to get trickier. If your site contains content from a third party website such as embedded content, the collection of cookies from that content is still your responsibility. If it’s accessed from your site, it’s up to you to make sure the user is opting in.
There is more work being done around this area in particular and hopefully further guidance will be available soon.
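As an added example (not code from the original post or from the ICO), here is one way to express the opt-in rule and the third-party point above in page script: only a strictly necessary cookie is set before consent, and every other cookie and embed waits for an explicit opt-in. The category names, the in-memory cookie jar and the embed URL are assumptions for illustration.

```javascript
// Added example (not from the original post): a consent gate that lets only
// "strictly necessary" cookies through until the user opts in, and holds back
// third-party embeds too. Category names and the in-memory jar are assumptions;
// in a browser the jar is document.cookie and the embeds are script/iframe tags.
const STRICTLY_NECESSARY = 'strictly-necessary'; // e.g. the basket cookie
const OPTIONAL = 'optional';                      // analytics, tracking, ads

class ConsentGate {
  constructor() {
    this.consented = false; // opt-in model: the default answer is "no"
    this.jar = {};          // stands in for document.cookie
    this.deferred = [];     // work held back until consent is given
    this.loadedEmbeds = [];
  }
  // Record an explicit opt-in and release everything that was held back.
  grantConsent() {
    this.consented = true;
    for (const fn of this.deferred) fn();
    this.deferred = [];
  }
  // Returns true if the cookie was set now, false if it was deferred.
  setCookie(name, value, category) {
    if (category === STRICTLY_NECESSARY || this.consented) {
      this.jar[name] = value;
      return true;
    }
    this.deferred.push(() => { this.jar[name] = value; });
    return false;
  }
  // Embedded third-party content can set its own cookies, so it is
  // loaded only after opt-in; returns true if loaded now.
  loadEmbed(url) {
    if (this.consented) { this.loadedEmbeds.push(url); return true; }
    this.deferred.push(() => this.loadedEmbeds.push(url));
    return false;
  }
}

// Walk through one visit: necessary cookie now, everything else after opt-in.
function demo() {
  const gate = new ConsentGate();
  gate.setCookie('basket', 'item42', STRICTLY_NECESSARY);
  gate.setCookie('tracker', 'uid-1', OPTIONAL);
  gate.loadEmbed('https://example.invalid/widget.js'); // constructed URL
  const before = Object.keys(gate.jar).join(',');
  gate.grantConsent();
  const after = Object.keys(gate.jar).join(',');
  return { before, after, embeds: gate.loadedEmbeds.length };
}
```

Wiring `grantConsent()` to a visible opt-in control, rather than to page load, is what keeps this an opt-in rather than the old opt-out model.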
Check out the full guidance on the ICO site
For more information about cookies go to All About Cookies
The IAB are also reporting on this fairly regularly.
The ICO isn’t planning on issuing any further guidance around the topic though it has said it might publish some supplementary information. And if anyone has come across anything helpful, share it in the comments section below.