May 26th is doomsday in the UK, when new EU legislation kicks-in and starts to make E-commerce, Online and Digital Managers begin to re-consider their career choice. The ICO (Information Commissioners Office) has kindly put together a 10 page guidance PDF that is design to advise and educate people on how to comply.
Update (25/05): The ICO have now issued a further notice saying that websites have 12 months to “get their house in order” before the enforcement of the new law will begin. Read more in a PDF news release from the ICO.
Self proclaimed ‘Chief of online personal diddler sales’ at Lovehoney (NSFW) @mattycurry recent tweet encapsulated the frustration that all of us are feeling having read the ICO advice:
The ICO advice is clearly from a disconnected group that’s never managed a website, analysed their bounce rate or reported on their weekly online sales performance to their Board of Directors.
Having spent more time than I would like to admit reading this 10 page document and speaking to various third-parties about their stance, here’s a 3 step guide to being prepared for the 26th May:
1. What’s in your Cookie jar?
Understanding the size of the task ahead is your first step. The quickest way to do this is by carrying out a Cookie Audit:
Tools required…
- Mozilla Firefox
- Install the View Cookies – Firefox Extension
- Notepad, MS Word, Google Docs, any text document creator…
Paying a visit…
- Head to your website homepage in Firefox
- Right-click and select View Page Info
- Select the new ‘Cookies’ tab and a screen like this will appear:
This gives you a comprehensive picture of the cookies that are being served to your typical visitor. Make a note of each cookie in your favourite text editor.
- Please note: It may be worth clearing your browsers cookies before doing this as you may have old cookies, cookies from testing and other items that could cause confusion. You might also have additional cookies being used on other pages on your site so repeat this process on a number of pages.
Remember – Not all cookies are bad cookies. If a cookie is ‘strictly necessary’ for a service requested by the user e.g. Adding an item to their basket, you don’t need to get consent. Read page 3 of the ICO guidance to understand this fully. To be safe, include all cookies in your audit, even if they are ‘strictly necessary’, but label them as such.
2. Speak to the experts
Now you have an idea of the number of cookies being delivered to your visitors you need to identify each one and what it does. Some of them you should immediately recognise, but others maybe coming from systems that you have very little to do with on a daily basis – analytics, MVT tools, video hosting, CDNs, etc.
Expert 1 – Development
This is where your development team or agency come in. Schedule a meeting and innocently take along your list of cookies from Step 1.
The aim of this meeting is two fold:
- Get a technical understanding of each cookie, why it’s there and the role it plays as part of a visitors online experience.
- Begin to think about a customer friendly way of explaining the point above (more on this later).
Almost certainly you’ll be dealing with a combination of first party (cookies delivered by your own systems) and third party (cookies delivered by online solutions that you use e.g. Google Analytics). As a follow up to your meeting you’ll need to contact the third parties as ask them to explain the role of each cookie they use so that you understand it’s importance.
Expert 2 – Legal
Not everyones lucky to have an in-house legal team, but you’re likely to have someone that you can turn to for advice. Now you have an understanding of the size of your cookie usage and the role each one plays, it’s highly advisable to seek legal advice on how your online business can be compliant with this new legislation.
3. Make a plan
So if you can complete this step you’re going to be considerably ahead of the majority of online businesses in the UK and also shows you’ve listened to the ICO guidance. In their guidance they clearly state:
What will happen to me if I don’t do anything?
The government’s view is that there should be a phased approach to the implementation of these changes.In light of this if the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice. The key point is that you cannot ignore these rules.
Your plan needs to include the following:
- A one paragraph introduction to this new legislation that anyone in your business could understand.
- Your Cookie Audit – details of each cookie, what information it contains, the privacy level of that information and the cookies importance.
- A plan for obtaining consent for each cookie that you want to keep using past the 26th May.
Extra bonus points are available for adding a customer friendly version of your Cookie Audit to your Privacy Policy before the 26th May.
Next steps
As the ICO say, you cannot ignore this, it won’t go away. So get your Cookie Audit underway today. You really don’t want to have a blank, expressionless look on your face on the 26th May when your CEO or IT Director pop over to see to talk about this new legislation. Most of this could be done in a day and then you’ve got a plan to deal with this and a far better understanding of one of the key technologies that is controlling your website visitors experience on a daily basis.
Have I missed something out or if you’ve got more advice? Please let me know in the comments below…
Big help, big help. And superlative news of cuosre.
Brilliant advice. Clear and much more comprehensive than many other sites that I’ve seen! Have you seen this? http://www.silktide.com/cookielaw/video. Thanks again for your help.
Does this legislation apply to every website created by anyone in the UK?
How will individuals, who have created a website about their hobby, be made aware of their obligations?
How will these individuals, who have used some simple website creation software, be able to to carry out their own audit?
Most would be unable to afford for professional services and would have to remove their website from the Internet. Isn’t this a bit harsh on them?
Hi AlanD and thanks for the comment. The legislation is over zealous and quite frankly limiting. Already as we approach the deadline we are seeing other European countries taking a much softer approach to the implementation. I think by mid-April there will have to be a UK focused announcement from the ICO updating their original guidance. That said, having a knowledge of the information you are tracking on your website is very useful, especially if you are capturing data, so I think it’s still a very useful exercise for website owners to undertake.