ICO Cookie Regulations Update: T-Minus 5 Months


From 26th May, the way in which websites use cookies is set to change fundamentally in response to the EU’s new privacy directive and the regulations issued by the Information Commissioner’s Office. Whilst the rules have been in effect since May 2011, there has been a 12-month grace period for websites to comply with the regulations, after which enforcement of the new regulations will commence.

What does it mean for businesses?

Essentially, the cookie laws mean that websites will have to gain explicit consent to place a cookie onto a user’s computer. This differs from the previous situation, where companies simply had to inform website visitors of how they use cookies and how they could ‘opt out’ of cookie placement. The latest directive, whilst still ensuring that companies inform their users how they are utilising cookies, demands that user consent is obtained, changing the emphasis from an ‘opt out’ to an ‘opt in’ system.

With talk of monetary penalties for those companies that fail to meet the regulations, there is naturally worry across the industry. These fears have been made worse by relatively muddled advice from the ICO and a lack of concrete actions that websites can take to comply with the regulations. This has left many to their own devices and a modicum of ‘interpretation’ when it comes to achieving compliance.

What can businesses do to comply?

Many companies are choosing a ‘sit it out’ approach, waiting for definitive clarification of the actions which will be needed in order to comply. This approach, however, is problematic and could even result in a chicken and egg situation for the ICO and UK brands. Nor does this approach mean that companies should do nothing; as it stands, there are 3 actions that, if taken, should help in achieving compliance.

Step 1: Completing a Cookie Audit

The first is concerned with housekeeping and requires a complete audit of the cookies used on a company’s website. This audit should look at the types of cookies being used, how intrusive they are to the visitor’s privacy and how critical they are to business functions.

Step 2: Addressing Your Website’s Privacy Policy

Another step you can take is to look at your current privacy policy or website terms and conditions in detail. Your privacy policy then needs to be re-addressed so that it includes a granular breakdown of cookie usage for website users. (A great and comprehensive example of this can be found on the BBC’s website.)

Step 3: Think About Ways to Implement an Opt In System

Without strict guidance on how to implement an ‘opt in to cookies’ option, there are very few successful examples out there. The ICO and Swedish Government websites have both opted for a text box atop the page describing why cookies are required and giving the option to accept cookies. Whether this will be suitable for many businesses, however, remains unknown.

My Two Cents

As a digital marketer, my preference would be the creation of a standardised solution, whatever that may be. By providing solid guidance on what actions businesses can take, a level playing field should be achieved for all companies. More importantly, this would create a single, simple and consistent approach for users, who are likely to be confounded and frustrated by hundreds of different approaches to obtaining consent.

The next 5 months are going to be crucial for the digital industry. In this time, auditing cookies and planning for the deadline is certainly a wise course of action, demonstrating that, without a universal solution to obtaining consent, you are making an effort to comply with the regulations.
