How to comply with the new cookie laws (EU Privacy and Communications Directive)

There has been a lot of discussion and confusion regarding the new cookie laws lately. There's confusion about what cookies are, which ones are covered by the new laws and what you actually need to do to make sure that your website is compliant.

The short answer is that nobody knows. However, after several months of trawling through the official guidance and discussing the various implications, OpenGlobal has developed a small widget that you can place on your website which may make your website compliant.

If you are using Google Analytics (or other visitor analysis package) or any type of CMS, the law requires you to implement a solution.

The requirements, in short, are that if your website is using cookies (which pretty much every website does), then you need to get consent from your visitors to do so. The way that you ask for that consent has not been decided other than to say that relying on the consent they've already provided in the browser is not enough.

Cut and paste widget

Nobody wants to see a load of pop-ups on every website that they visit, so the OpenGlobal widget is non-intrusive. You may currently see a small grey box in the top right hand corner of this page asking if you want to accept cookies. This is our proposal for satisfying the cookie legislation.

If you don't see it, then you have already given assumed consent on this or a previous visit.

If a visitor clicks on the "Yes" button, the widget disappears and is never seen again: they have provided consent. If the visitor chooses neither button, but instead clicks a link to another page on your website, then that visitor has given assumed consent and so they never see the widget again either.

The non-intrusiveness of this widget makes it ideal for (attempting) compliance with the cookie law, without hindering the user experience of your website, compared to competitor sites who have decided to take the risk of flouting the law completely.

If you would like to have a widget like this on your website to constitute your "something", then please copy the code below, changing the ########## to the address of your privacy policy on your website:

<!-- Copyright (c) OpenGlobal. GNU/GPL V3 licence. You may copy and modify this, providing the link to http://www.openglobal.co.uk remains intact. -->
<div id="openglobal_privacy_widget" style="display: inline; text-align:right; font-size: 13px; line-height: 100%; position: fixed; top: 0; right: 0; margin: 0; padding: 0 0 0 3px; background: #dddddd; z-index: 100000; opacity:0.9; filter: alpha(opacity=90);">
Accept <a title="This website uses cookies to store information on your computer. Some of these cookies are used for visitor analysis, others may be necessary for the website to function properly. You should configure your browser to only accept the cookies you wish to approve, or leave this website." rel="privacy" href="##########">Cookies</a>?
<button id="openglobal_privacy_accept" style="vertical-align: middle;" onclick="openglobal_privacy_accept();return false;">Yes</button>
<button id="openglobal_privacy_wait" style="vertical-align: middle;" onclick="clearTimeout(openglobal_privacy_timer);return false;">Wait</button>
<button id="openglobal_privacy_leave" style="vertical-align: middle;" onclick="window.location='http://www.change.org/petitions/stop-the-eu-s-legal-war-on-web-cookies';">Leave</button>
<br />
<span style="font-size: 9px">Provided by <a href="http://www.openglobal.co.uk" title="Web design, Gloucester">Web design, Gloucester</a></span>
</div>
<script type="text/javascript">
//<![CDATA[
var openglobal_privacy_timeout = 0;
var openglobal_privacy_functions = [];

var openglobal_privacy_widget = document.getElementById('openglobal_privacy_widget');
var results = document.cookie.match ( '(^|;) ?openglobal_privacy_widget=([^;]*)(;|$)' );
if (results) {
  if (1 == unescape(results[2])) {
    openglobal_privacy_accept();
  }
} else {
  window.onload = function() {
    for (var i = 0; i < document.links.length; i++) {
      var link_href = document.links[i].getAttribute('href');
      if ('privacy' != document.links[i].getAttribute('rel') && (!/^[\w]+:/.test(link_href) || (new RegExp('^[\\w]+://[\\w\\d\\-\\.]*' + window.location.host)).test(link_href))) {
        // Capture each link's own previous handler; a plain var in the loop would be shared by every closure.
        (function(link, current_onclick) {
          link.onclick = function(event) {
            openglobal_privacy_accept();
            if (Object.prototype.toString.call(current_onclick) == '[object Function]') {
              // Keep the original handler's "this", event argument and return value.
              return current_onclick.call(link, event);
            }
          };
        })(document.links[i], document.links[i].onclick);
      }
    }
  };
}

var openglobal_privacy_timer;
if (openglobal_privacy_timeout > 0) {
  // Pass the function itself rather than a string, which would be evaluated as code.
  openglobal_privacy_timer = setTimeout(openglobal_privacy_tick, 1000);
} else {
  var openglobal_privacy_wait = document.getElementById('openglobal_privacy_wait');
  if (null != openglobal_privacy_wait) {
    openglobal_privacy_wait.parentNode.removeChild(openglobal_privacy_wait);
  }
}
function openglobal_privacy_tick() {
  if (0 >= --openglobal_privacy_timeout) {
    openglobal_privacy_accept();
    return;
  }
  var openglobal_privacy_accept_button = document.getElementById('openglobal_privacy_accept');
  if (null != openglobal_privacy_accept_button) {
    openglobal_privacy_accept_button.innerHTML = 'Yes (' + openglobal_privacy_timeout + ')';
    openglobal_privacy_timer = setTimeout(openglobal_privacy_tick, 1000);
  }
}

function openglobal_privacy_accept() {
  clearTimeout(openglobal_privacy_timer);
  document.cookie = 'openglobal_privacy_widget=1; path=/; expires=Mon, 18 Jan 2038 03:14:00 GMT';
  // A later call (e.g. a link click after "Yes") must not fail on the removed widget or run the callbacks twice.
  if (!openglobal_privacy_widget.parentNode) {
    return;
  }
  openglobal_privacy_widget.parentNode.removeChild(openglobal_privacy_widget);
  for (var i = 0; i < openglobal_privacy_functions.length; i++) {
    openglobal_privacy_functions[i]();
  }
}
//]]>
</script>

You should paste the code above into the template of your website, or if you don't have a CMS, then paste it onto every page of your website. It doesn't matter where the HTML code is pasted on the page, it automatically gets displayed in the top right hand corner of the screen.

This code is provided under a GNU/GPL copyright licence, which means that you can modify it to suit your own requirements, but the link to the OpenGlobal website must remain intact.

Extras

If you don't have a privacy policy on your website yet (which is also a legal requirement), you may copy our privacy policy. However, we obviously make no guarantees that this policy is suitable for your website.

There are also some advanced features to this code for the technically minded.

In the meantime, you might like to sign the e-petition against the cookie law, and join our newsletter to keep informed about the latest changes and recommendations to this legislation and how it might affect your usage of this tool.

If you just want a quick and easy way to comply with the new legislation, you can stop reading. However, if you are interested in why this law is pointless and unworkable, then please read on.

* Nothing in this article constitutes legal advice, it is just our opinion of current affairs. Always seek professional legal advice.


What is the point of this law?

Some privacy campaigners have complained that the use of cookies (which are just pieces of text that a website may store on your computer to keep track of you) is an invasion of their privacy and that they must not be used without the visitor's consent.

This is a very valid point, and one which was understood very well by the people who invented cookies at Netscape, in 1994. They understood that it would be wrong for a website to put a cookie onto someone's computer without their explicit consent, especially if the cookie is used for tracking them for the purposes of targeting advertising at them.

However, unlike the people who have been involved in drafting this new legislation, the people who invented cookies also understood the technology involved.

When you view a web page, your browser sends a request to view that page to the web server. The web server replies first with the cookies to be set (along with any other header information), and then sends the page that was requested.

So because the cookies are sent first, it is not possible to ask permission to use those cookies on the page that was requested. By the time the visitor sees the page, the cookies have already been sent.
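The ordering described above can be checked on any raw response. This is an added example, not part of the original article or of OpenGlobal's widget: it parses a constructed HTTP response and lists each Set-Cookie header with its offset, all of which come before the body where a consent prompt would be rendered. The sample response, the cookie names and the function name `cookiesBeforeBody` are assumptions made for illustration.

```javascript
// Constructed sample response for illustration; not captured from a real site.
var SAMPLE_RESPONSE =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: text/html\r\n' +
  'Set-Cookie: session=abc123; Path=/; HttpOnly\r\n' +
  'Set-Cookie: visitor_id=42; Path=/; Expires=Mon, 18 Jan 2038 03:14:00 GMT\r\n' +
  '\r\n' +
  '<html><body>Accept Cookies? <button>Yes</button></body></html>';

// Lists every cookie a raw response sets, with the character offset of its
// header (bytes for ASCII input), and the offset at which the body begins.
function cookiesBeforeBody(raw) {
  var split = raw.indexOf('\r\n\r\n');
  if (split < 0) throw new Error('no header/body separator found');
  var lines = raw.slice(0, split).split('\r\n');
  var offset = lines[0].length + 2; // skip the status line and its CRLF
  var cookies = [];
  for (var i = 1; i < lines.length; i++) {
    var colon = lines[i].indexOf(':');
    var header = colon > 0 ? lines[i].slice(0, colon).trim().toLowerCase() : '';
    if (header === 'set-cookie') {
      var parts = lines[i].slice(colon + 1).split(';');
      var eq = parts[0].indexOf('=');
      var attrs = parts.slice(1).map(function (p) { return p.trim(); });
      cookies.push({
        name: (eq < 0 ? parts[0] : parts[0].slice(0, eq)).trim(),
        offset: offset,
        // Expires or Max-Age means the cookie outlives the browser session.
        persistent: attrs.some(function (a) { return /^(expires|max-age)=/i.test(a); })
      });
    }
    offset += lines[i].length + 2;
  }
  return { bodyOffset: split + 4, cookies: cookies };
}

var report = cookiesBeforeBody(SAMPLE_RESPONSE);
report.cookies.forEach(function (c) {
  console.log(c.name + ' set at offset ' + c.offset +
    ', body starts at offset ' + report.bodyOffset);
});
```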

Therefore, the only place that consent can be reliably gained, is within the web browser itself.

So, the people who invented cookies understood the privacy implications and the technology well enough to create a pop-up box in the browser that would appear every time a cookie was sent. The visitor would have to click on a button to accept or refuse the cookie.

It doesn't end there.

The people who invented cookies also understood the usability implications well enough to realise that people would get annoyed with the constant pop-ups so they also added an "Accept all cookies" and "Decline all cookies" option which would prevent further pop-ups.

Problem solved.

Subsequently, every browser currently available has a setting to accept or decline cookies and most also offer many more features to only accept certain types of cookie and only from certain websites or types of websites. The configuration options are little short of perfect.

The problem now is that politicians have become involved who partially understand the privacy implications of cookies and totally misunderstand the technology and usability implications.

The EU politicians were largely aware of their ignorance on the matter so the legislation they drafted was so vague that it would force the individual EU member countries to do their own research into the matter to draft specific laws. However, the national governments didn't bother and simply copied the wording and, in the UK, passed the buck of working out specific requirements to the Information Commissioner's Office (ICO), whose job is to enforce the legislation.

The ICO has done their best given that they also do not understand the technology and have introduced a consent form on their website that neither satisfies the letter, nor the spirit of the legislation.

The letter of the legislation was initially that prior consent must be gained. But as I've just explained, prior consent is not possible, except from the web browser itself. Their website has already set one or two cookies by the time you see the consent form on their website.

For this reason, by default, our privacy consent tool does not even attempt to ask for consent before sending cookies (you can change this using the advanced options).
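An added example (not OpenGlobal's own code) of holding a cookie-setting script back until the widget records consent, using the `openglobal_privacy_functions` list that `openglobal_privacy_accept()` walks in the widget code. The helper names and the `/js/analytics.js` path are hypothetical, and it only covers cookies set by scripts, since cookies sent in response headers arrive before any page code runs.

```javascript
// Returns true only when the widget's consent cookie is present with value "1".
// cookieHeader has the "name=value; name2=value2" form of document.cookie.
function hasWidgetConsent(cookieHeader) {
  var pairs = String(cookieHeader || '').split(';');
  for (var i = 0; i < pairs.length; i++) {
    var eq = pairs[i].indexOf('=');
    if (eq < 0) continue;
    var name = pairs[i].slice(0, eq).trim();
    var value = pairs[i].slice(eq + 1).trim();
    // Exact name match, so "xopenglobal_privacy_widget" does not count.
    if (name === 'openglobal_privacy_widget') return value === '1';
  }
  return false;
}

// Runs task immediately if consent is already recorded, otherwise appends it
// to queue so the widget calls it on acceptance. Returns 'ran' or 'queued'.
function whenConsented(cookieHeader, queue, task) {
  if (hasWidgetConsent(cookieHeader)) {
    task();
    return 'ran';
  }
  queue.push(task);
  return 'queued';
}

// Browser wiring (skipped outside a browser). Assumes the widget's script
// block has already run, so openglobal_privacy_functions exists.
if (typeof document !== 'undefined') {
  whenConsented(document.cookie, openglobal_privacy_functions, function () {
    var script = document.createElement('script');
    script.src = '/js/analytics.js'; // hypothetical path to the deferred script
    script.async = true;
    document.head.appendChild(script);
  });
}
```

Place it after the widget's script block: the widget resets `openglobal_privacy_functions` to an empty array and, for a returning visitor, calls `openglobal_privacy_accept()` before later scripts can register, which is why the helper checks the cookie itself first.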

The wording of the ICO's consent question does not explain what cookies are, nor what they will be used for. An explicit breach of the regulations. The default mouseover text in our privacy consent tool at least explains what the cookies may be used for.

So who is going to comply with this legislation?

Well, given that at least 99% of websites do not completely comply with the European E-commerce Directive, the Companies Act, the Disability Discrimination Act and the Data Protection Act, it is pretty safe to say that almost nobody will make any effort whatsoever to comply with this new legislation. Especially when you consider that it is trivially easy to comply with the previous legislation and this new cookie legislation is just an incomprehensible shambles.

However, the ICO have said that "Those who choose to do nothing will have their lack of action taken into account" and the maximum penalty for failing to comply is £500,000.

However, the ICO has a 29 year history of not enforcing any laws it was set up to enforce.

The ICO has updated their vague guidance document and it is still just as vague as the previous guidance. They are still simply saying that the existing browser technology (which prevents cookies from being stored without visitors' consent) is not enough.

It is becoming blatantly obvious that they just want to pass the responsibility of resolving this onto the courts system once somebody actually gets prosecuted for it.

This video also goes some way to explaining the idiocy of this legislation.

Another possibility is to use pop-ups. For a comedy example of this, take a look at this website. Do you hate your visitors enough to do something like that to them?

In the meantime, I would urge you to sign the e-petition against the cookie law.