scientific and technical website design projects news

The cookie crumbles (UK and EU websites)

EC cookieNew EU legislation is to regulate the use of cookies online. Cookies are ubiquitous, but on most sites the use of cookies is quite innocuous, commonly they are used:

  1. To track logged-on members, the cookie identifies your visitor and confirms that they have logged in, and are entitled to view a given page.
  2. To remember what visitors have looked at – allowing the site to maintain a back history (this might be ‘previously you viewed the following items’, keeping track of a shopping basket, or smart behaviour, such as only showing the introduction to a movie or animated display once).
  3. To track what users did on your site, possibly passing this information on to a third party. Whilst the information is ‘anonymous’ – the visitor is usually only identified by their IP address* – with enough linked sites a commercially useful profile of your visitors can be built up.

At CookandKaye we don’t use option 3 above, which is the one that is causing legal concern, unfortunately options 1 and 2 will also be caught by the proposed legislation. As a consequence, you may need to look at your existing web provision. Whilst prosecution is not imminent for any site, we recommend the following policies to cover this possibility:

With login forms: We recommend a comment to be added below the login form, to the effect:

To access this section of the site you must permit us to save a digital key on your computer called a cookie. This cookie will not be used to track your browsing history.

With shopping baskets: ICO says that if a cookie is essential to permit an activity, no consent need be obtained. In spite of this we recommend a comment to be added below the button to the effect:

To save an item to your shopping basket you must permit us to save a digital key on your computer called a cookie. This cookie will not be used to track your browsing history.

Clearly if you do use cookies to track browsing history (not everybody has the refinement to be a CookandKaye client!), the text in italics should be replaced with a statement to that effect! If you are able to add this text, however, then it provides you with an opportunity to re-assure your visitor.

With smart sites: Here the problem is a lot more difficult to solve satisfactorily, as the objective is to help the site run smoothly, not pop up warnings that it is about to save cookies on your browser. Unfortunately these just look like you are trying to do something dodgy, and are likely to damage your relationship with the visitor, rather than match your intent of offering them a tailored service. ICO has not yet published its guidelines, so for the moment we suggest placing a note in your footers to the effect:

Cookies are used on this site to help personalise the browsing experience for you. No information about your browsing history is taken from them.

If you do acquire browsing history, you need to seek legal advice here!

If this proves inadequate in the light of ICO’s final recommendations, then you will need more extensive work on your site. Our work-around at present is to track visitor’s IP addresses rather than use cookies – where this is permitted by your host. When a visitor requests a web page, the page is sent to their IP address, so a record of this is essential. In consequence it is difficult to imagine a reasonable legal challenge to holding this record. It also has the advantage of working whether or not visitors enable cookies! Unfortunately it is more difficult to implement, and there is a small possibility of mis-matching IP addresses and visitors because IP addresses are re-used. As a consequence the time window for tracking is quite narrow – of the order of a few minutes. This is good enough to follow a visitor from one page click to the next, but not safe enough to hold shopping cart information!

We don’t think there is anyone in the web-design industry who supports the new legislation, which, paradoxically, may oblige us to capture more detailed traces of IP addresses, if not actually save cookies on visitors’ computers. In the UK there is some reluctance to introduce the legislation, and a sizeable breathing space is being allowed for us to get ourselves organised to meet its requirements. Unfortunately we have to live with it, and we need to start living with it now. If you need help implementing any of these guidelines on your site please contact us.

More information is available through the BBC – see article linked below:

Websites told to ensure cookies comply with UK law (includes a link to ICO’s current guidelines).

* More clearly private data – linking the IP address/browsing history to a person’s name or physical address, which you might be able to do after your visitor has logged in, is already restricted under the data protection act – there is a good review of this on the BCS website:

Data Protection Act 1998 overview

Cookie crumbs: Update August 2011