Read our latest news articles from the NXT Digital Solutions team.

Cookies: A practical guide to comply

by Richard Matthews, Technical Director

Posted on June 07, 2012

Following on from our blog post last year on the EU announcement on cookie legislation, we have written part 2 on this subject as a guide for our customers and anyone else who is interested. This guide sets out our suggestions for an appropriate response to the legislation and practical ways to keep your website compliant.

As background, 'cookies' are small text files that are stored by the browser (e.g. Internet Explorer or Chrome) on your computer or mobile phone. They allow websites to store such things as user preferences. You can think of cookies as providing a "memory" for the website, enabling it to recognise a user and respond appropriately. Cookies are used for various purposes, including site performance, analytics, geo-targeting, registration systems and third-party advertising. Most websites have web tracking for collecting information about visitors to the site.

The most popular and widespread cookie usage will be associated with Google Analytics (GA) web tracking - which we use across all of our client websites. The Google Analytics tracking code is set by JavaScript and augmented by the proprietary GA tool. It sets four cookies automatically. Google Analytics sets a first party cookie.

The EU Cookie Directive stipulates that all cookies must be given "consent". Because Google Analytics uses a first-party cookie, consent is needed only once. In other instances, where a third-party cookie is deployed, a new consent would be needed for each deployment, for example each time a user visited a site. Google has previously agreed with the EU that Google Analytics cookies would be limited to a 24-month lifespan. Prior to this, Google set anything up to and beyond a 30-year expiry on cookie files.

In early May 2011 the ICO issued guidelines on how to interpret the new EU Cookie Law. In the PDF document entitled "Changes to the rules on using cookies and similar technologies for storing information" they say: "An analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent. One possible solution might be to place some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user's device."

A recent survey by Moore Stephens Law Firm found that only 10% of technology companies were compliant. Read their article here.

Our quick suggestions to comply are as follows:

  • Check which cookies your website uses. These could come from forms, registration components, advertisement placements and analytics.
  • Review what the main purposes of the cookies are, e.g. strictly necessary, performance related, functionality or targeting.
  • Decide how you will obtain consent (if you want to) – we would suggest something subtle and simple, if at all.
  • We are suggesting an HTML widget in your header or footer outlining a request for users to accept their Cookie Policies. For example: “By continuing to use the site, you agree to the use of cookies. You can change this and find out more by following this link” – Link to Privacy/Cookie Policy Page. There are other options such as banners, scrolling text, pop-ups and tick boxes.
  • Communicate with third parties that you have relationships with, such as agencies, and ensure relevant staff are aware.
  • Update your Privacy Policy and/or create a new page outlining your Cookie Policy – take a look at our revised page. Some of our clients already list the exact cookies that are being used, e.g. __utma (for Google Analytics), with its description and its expiration date. We have chosen not to go down that route and instead just outline basic cookie requirements, details and consent.
  • As part of your annual digital strategy review, include cookies in the discussion, as they could change with new developments.
  • Finally, you could just ignore it – but you do run the risk of being fined by the ICO.

For further information on the current legislation and how you can control cookies on your machine, visit either The Information Commissioner’s Office or Your Choices Online.
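
One way to carry out the cookie check and the name/expiry listing described in the steps above, as an added example that is not NXT's own code: it turns captured cookie strings into an inventory and marks third-party cookies and lifetimes over 24 months. The host names, cookie values and audit date are constructed, and the first/third-party test is a simple suffix match (an assumption; it does not use the Public Suffix List).

```javascript
// Added example. All records below are constructed, not captured from a real site.
const SITE_HOST = "www.example.test";             // assumed site under audit
const MAX_DAYS = 730;                             // 24 months, the lifespan limit cited above
const NOW = Date.parse("2012-06-07T00:00:00Z");   // fixed audit date for repeatable results

// setBy = host of the response or script that set the cookie; raw = the cookie string.
const OBSERVED = [
  { setBy: "www.example.test", raw: "__utma=1.2.3; Domain=.example.test; Expires=Sat, 07 Jun 2014 00:00:00 GMT; Path=/" },
  { setBy: "www.example.test", raw: "sessionid=abc123; Path=/; HttpOnly" },
  { setBy: "ads.adnetwork.test", raw: "uid=42; Domain=.adnetwork.test; Max-Age=946080000; Path=/" },
  { setBy: "www.example.test", raw: "prefs=lang%3Den; Expires=Wed, 07 Jun 2017 00:00:00 GMT" },
];

function parseCookie(raw, setBy) {
  const [pair, ...attrs] = raw.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const a = {};                                   // attribute names are case-insensitive
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    a[(i < 0 ? attr : attr.slice(0, i)).toLowerCase()] = i < 0 ? true : attr.slice(i + 1);
  }
  // Effective domain: the Domain attribute if present, otherwise the setting host.
  const domain = String(a.domain || setBy).replace(/^\./, "").toLowerCase();
  const first = SITE_HOST === domain || SITE_HOST.endsWith("." + domain);
  // Max-Age takes precedence over Expires; neither means a session cookie (null).
  let days = null;
  if (a["max-age"] !== undefined) days = Math.round(Number(a["max-age"]) / 86400);
  else if (a.expires) days = Math.round((Date.parse(a.expires) - NOW) / 86400000);
  return {
    name, domain, days,
    party: first ? "first" : "third",
    overLimit: days !== null && days > MAX_DAYS,
  };
}

function inventory(observed) {
  return observed.map(({ setBy, raw }) => parseCookie(raw, setBy));
}

console.table(inventory(OBSERVED));               // one row per cookie for the policy page
```
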

About the Author

Richard heads up our technical / development teams, overseeing all code creation and integrations. Richard's primary skill set is a background in C# .NET, but because of the diverse nature of the digital landscape he is very familiar with most frameworks and languages, and he's happiest when "knee deep in the code". When Richard is out of the office he's either gardening (with a Peroni) or watching CBeebies & TinyPop with Harry and Ben.

