Not Freaking Out About the EU Cookie Legislation
This YouMoz entry was submitted by one of our community members. The author’s views are entirely their own (excluding an unlikely case of hypnosis) and may not reflect the views of Moz.
As everyone in the UK and Europe knows (or should know!), the new EU Privacy Law concerning cookies and other technology used to store data is officially going to be enforced from the 26th May. Even though there’s been a grace period of 12 months for websites to prepare, many people are freaking out a little bit when it comes to planning how to get their sites compliant. It’s quite understandable because the guidelines are vague, to say the least; in fact it seems that the ICO are still figuring out the new legislation themselves – and they’re the ones tasked with policing it!
We filmed this brief presentation, originally intended for a South African event, to give webmasters a short introduction to the legislation and to explain a few things that need to be thought about. The main problem is that it just isn’t clear exactly what websites need to do, and there definitely isn’t a black and white solution. However, there are some things that you should be doing to at the very least show good faith. For example, if anyone should complain about you dropping a cookie on their computer, having clear information in your privacy policy will put you in a much better position and at less risk of being punished.
Why should sites outside the UK and Europe care? Although this is a European piece of legislation and the UK is the first to action it (thanks!), issues surrounding user privacy will undoubtedly keep growing, and like it or lump it this is definitely a very major step in the world of web privacy.
Video Transcription:
Hi everyone. I'm Jon from SEOgadget. We're going to go through a few things surrounding the new cookie legislation here in the UK and Europe. I'm going to try to give you an unbiased and informative view of this. There are a lot of opinions flying around about whether this is a good thing or a bad thing for websites and whether it's fair. I'm going to try to give you information rather than opinions. So, this is what we've found when we've been looking into the legislation for our clients in the UK.
The first thing, really, that I need to say is that we're not lawyers and as an agency we don't have any legal qualifications, so we're advising people based on our understanding of the technology. If our clients really want to get into the legal side of things then the advice is to go and see their solicitors and their legal team. But, we can give some effective and good advice based on our understanding of cookies and their websites.
Here's some information from the ICO about what this legislation is about. Really, the aim of it is to protect the privacy of internet users. It's surrounding the fact that most users won't understand the fact that cookies are storing information based on their user journey through your site. Really the legislation is not banning the use of cookies, it's just stating the fact that you need to make your users aware of the fact that you are using them, what you're using them for. And also ask for user consent before you set any of those cookies. I think that's important to get out of the way. A lot of people are thinking that this bans the use of cookies, it doesn't.
The 26th of May, this is the date when this legislation is going to be enforced in the UK. The law was actually passed last year on the 26th of May, 2011. Due to the complications and the time it takes for sites to implement these changes, they've given everyone a grace period of 12 months. So, the 26th of May is when this is going to be enforced here in the UK. We're not sure about the rest of Europe yet, but really it should be quite an interesting few months or so to start to prepare for this. There's already a lot more news coming through. So, it'll be interesting to say the least.
So, in South Africa why do you need to think about this if it's a European legislation? Well strictly speaking, it applies to traffic from the UK and traffic from Europe, not sites based in the UK and Europe. So even a big site in the US that's getting traffic from the UK really, strictly speaking, should be thinking about this. If they're going to police that, if they're going to actually punish sites outside of Europe, I don't know. Personally I wouldn't be losing any sleep over that. But, it's worth thinking about, definitely.
So, key points in the legislation. How do you start to understand this? We kind of break it down into three areas. The first one is information. You have to give your users information as to what cookies you're using, what cookies you're setting, and what they do, how long they're going to be set for, and why you're using them. That's pretty much the main purpose of this, is to make sure users are aware of the fact that this is going on. The second thing is user consent. The legislation states that the user should have a choice as to whether they let you set these cookies and whether they let you store their information as they browse through your site.
The third area is the exclusion. So, what cookies are actually excluded from this? The legislation says that cookies that are strictly necessary can be excluded. But it's strictly necessary from the user's perspective not the service provider's perspective. It's a bit strange because this area of the legislation's been left kind of open to interpretation. There's quite a bit of gray area at the moment as to what kind of cookies are allowed and which cookies aren't. Are analytic cookies allowed, are they not? So that's quite confusing.
What are we doing for our clients here in the UK? Really what we're doing is we're providing cookie audits, so we're looking into the use of cookies on their sites and trying to educate our clients. Some of them are getting worried about this, some of them aren't. But, the ones who do want to know about it, we can inform them, give them an overview of the legislation, show them what cookies they're using, and show them what they might need to be thinking about.
First up is the cookie audit. We've done that already for a few clients here in the UK. It's been quite an interesting piece of work. The first thing when you're conducting a cookie audit is just to try and find out what cookies your site is using. So the end result of that should be a nice list of all the cookies you're using. Some sites use quite a lot, some will hardly use any, maybe even just analytic cookies. But wherever you fit into that you need to find out exactly what cookies you're using.
We're going to go through a few things we can use to do that in a bit. But really, at this stage, what you want to be noting down is the name of the cookie, the expiring time of that cookie, so whether it's a session cookie or a persistent cookie lasting longer than that visit. The location that that cookie's set, whether it's the home page or a specific page on the site, and whether it's a first party or third party cookie. Here we've got a small screenshot from the web developer toolbar and their cookie information function. You can clearly see here, we've got an expiring date on the cookie which is five years from the date it was set. So that's quite valuable information to be passing on to the user. You need to be telling them whether the cookie just lasts for the session, whether it lasts for 12 hours, 24 hours, a year, five years. You'll find once you start looking at these cookies that you get quite a big variation of length that these cookies are set for.
So once you've done that it's quite important, if possible, to identify what function and what purpose each cookie is set for. So some will be to log sessions, some will be to log user activity. You need to find out why. Because then, once you've done that, you can start to decide whether the cookie is essential for the user, or essential for the site, or where does it fit in to the whole thing. Here we found this cookie which is a BB last activity. That was belonging to a vBulletin forum. That cookie, just by searching on Google, we just pop the name into Google and have a little look, do a bit of research, and found out what the cookie's used for. It's used to track the last activity on the forum so the forum can then serve up relevant new posts, etc., etc.
Here we've got a bit of contradicting information based on analytic cookies. So, from the ICO it's stating very, very clearly indeed that the way they define strictly necessary is, is it strictly necessary for the user, not the service provider. Then you've got the UK government's digital service office. They came out a few days ago and said, 'Well, yeah, analytic cookies, they are essential, because that's how we make continuous improvements to our site. So, without them, how can we improve the service that we are offering?' So, they kind of contradict each other there. This is one of the interesting things as we get closer to the date, the 26th of May. This new information is coming out and it's starting to get a little bit clearer as to what might be accepted and what might not be accepted. But it's still kind of contradicting and a bit unclear.
So when you're doing your audit, if you find cookies that just aren't being used anymore or aren't useful for the site or aren't needed, just ditch them, get rid of them. Try to keep a record of that as well because it would be useful to say, 'OK, well we've done a cookie audit, we found these cookies, and we got rid of these because they weren't being used.' Again, that shows good intent should anything happen, right? Good excuse for a little tidy up as well, never bad.
So how do we actually go about finding these cookies? When I was doing a cookie audit recently I used a combination of a couple of things. The first thing was just very, very simply, clearing my browser history, working my way through the site, and seeing what cookies the browser picked up. In Firefox when you go into the cookie window you get a list of the cookies it has collected and you also get information on the name, the expiring date, and so on. Quite useful and easy to do as well. Then you've got the web developer toolbar in Firefox, it's got a cookie information function. So you can see all the cookies it's collected as well. It's pretty much the same as the one before, but you get a slightly different layout. I was using the two in combination just to make sure that one hadn't picked up something that the other one hadn't, to double check and cross reference.
What I found was doing it manually like this was quite useful because it's got me going through the site, too. So, I got to know the site from that cookie's perspective, if that kind of makes sense. You can, of course, do an automated crawl. There aren't many tools available at the moment. I would imagine there will be some coming out soon. This is one by The Cookie Collective and you can get there if you go to cookielaw.org/cookiesearch. You just pop your domain name into the box, hit enter, and you get a big list of the cookies that the software has found on that site. I found it to not be that reliable. It had a lot of repetition, a lot of duplicate cookies in there. I didn't trust it 100%. It might be useful for a first glance but I wouldn't rely on it 100%.
So, here's an example of what some sites here are doing in terms of giving information to their users. This is BBC's site, it's part of their privacy policy, they've now uploaded a page which is their cookie policy, right? So they've got a big table of the cookies they're using on the site, what the purpose of those cookies are, and it just informs the users, 'We're using these cookies and this is why we're using them.' If you can do at least this then it will show good intent, it will tick one box for you.
Part of the audit we're doing for our clients here is we're providing them a table like this that they can upload on to their site, so it actually gives them something they can put up. It might be something you can do for your clients as well perhaps, if they're interested. You're not really doing anything too risky here, it's just a new page as part of the privacy policy.
So, the user consent. This is a slightly different matter, there's a few risks involved with getting this wrong. The last thing you want to do is scare users off, so if you put up a brash message that says, 'Hey, we're using cookies. We're going to track all of your private details,' some people are going to be a bit freaked out and they might go to the competition instead. You've got to be quite careful with this. When you're working towards this, if you want to do it, I highly, highly recommend A/B testing if you have different options. See how your users react to different messaging, see what the effect on your analytics is, see how it affects your traffic, etc., etc. You really don't want to rush in to this.
But, here's an example from the ICO site. So, they've just put a bar at the top of the browser which gives you this message of, 'We're using cookies,' far more information here, 'please accept to use cookies.' So, it's an opt in. It's got to be an opt in, not an opt out. The ironic thing here is it uses a cookie to decide whether you've been or not, so kind of a bit ironic, but there we go.
This is gov.uk. This is just a test, this is an opt in. You've got this pop up here that just comes up with a message stating the fact that you're using cookies and you just click, thanks, I've read the warning, then you can go and use the site. But, there's no way to say, 'No, I don't want to use cookies and I still want to use the site.' So, it's kind of a bit restrictive. It's not essentially asking for user consent. It's a message that you have to read and then once you've read that, they're using that for consent. It's just a test, so I don't think they're going to be doing this in terms of complying with the legislation, but it's an interesting example.
If you're still confused, there's a big gray area with this legislation. A lot of it is open to interpretation, so no one really 100 percent knows yet, in the UK anyway, what's likely to get you in trouble, what's likely to be enough. How far do you need to take this and how are users going to react. So, some of the biggest concerns are analytic cookies, are they essential or are they not essential. Do you need to ask for consent to set analytic cookies. Affiliate cookies, again this is quite a good example of the fact that an affiliate cookie is 100% essential for the service provider, it's the core of their business. But, from the user's perspective, if that cookie wasn't there it would affect their view of the advertising. But, it would ruin the service provider's business, so where does the line set?
Again, the biggest concern is user consent. A lot of people are wondering, 'Do I need to ask, what do I need to ask? What are the risks here?' Pretty big risks involved. Losing your analytic data if everyone opts out of cookies, could severely affect their user experience of your site. If they don't know any better they might just think, 'Well it's a rubbish site,' and not put two and two together. Loss of traffic, some people might be scared off by the message. So, with the user consent, you have to work hard to get that right. If you don't, there's a big risk involved. I hope that was useful.
Feel free to pop any questions over. Feel free to get in touch on Twitter @jonquinton1.
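The audit fields described in the transcript above (cookie name, expiry, the page where the cookie is set, first or third party), turned into a small script as an added example that is not part of the original post or video. The site domain `example.test`, the cookie names and the sample headers are constructed, and the first-party check assumes the caller supplies the site's registrable domain instead of consulting the Public Suffix List.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def audit_cookie(site_domain, page, response_host, set_cookie, now):
    """Turn one observed Set-Cookie header into a cookie-audit row."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Max-Age takes precedence over Expires (RFC 6265); neither = session cookie.
    days = None
    if "max-age" in attrs:
        days = int(attrs["max-age"]) // 86400
    elif "expires" in attrs:
        days = (parsedate_to_datetime(attrs["expires"]) - now).days
    # Without a Domain attribute the cookie belongs to the host that set it.
    domain = (attrs.get("domain") or response_host).lstrip(".").lower()
    first_party = domain == site_domain or domain.endswith("." + site_domain)
    return {
        "name": first.split("=", 1)[0],
        "domain": domain,
        "type": "session" if days is None else "persistent",
        "lifetime_days": days,
        "party": "first" if first_party else "third",
        "set_on": [page],
    }

def build_audit(site_domain, observations, now):
    """Merge observations into one row per (name, domain), avoiding duplicates."""
    rows = {}
    for page, host, header in observations:
        row = audit_cookie(site_domain, page, host, header, now)
        seen = rows.setdefault((row["name"], row["domain"]), row)
        if page not in seen["set_on"]:
            seen["set_on"].append(page)
    return list(rows.values())

# Constructed sample crawl: (page, responding host, raw Set-Cookie value).
NOW = datetime(2012, 5, 26, 10, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("/", "www.example.test", "sessionid=abc123; Path=/; HttpOnly"),
    ("/forum/", "www.example.test",
     "forum_lastactivity=0; Expires=Fri, 26 May 2017 10:00:00 GMT; Path=/"),
    ("/", "stats.tracker.test", "uid=42; Max-Age=31536000; Domain=.tracker.test"),
    ("/forum/", "www.example.test", "sessionid=abc123; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for row in build_audit("example.test", SAMPLE, NOW):
        print(row)
```

The rows map directly onto a cookie-policy table; the purpose column still has to be filled in by hand after researching each cookie.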