You may have noticed some small changes when you visited the Olswang website today. 26 May marks the end of the UK regulator's amnesty on enforcing the EU cookie consent rules. After years of hype, examples of creative and workable consent solutions are - quite literally - popping up on leading websites. Organisations not yet compliant need to show they are taking "sensible, measured action" with clear timescales.
What's important about 26 May 2012?
The EU requirement for consent to use of website cookies has been in force in the UK since May 2011, but the ICO recognised that businesses needed a lead in time to devise workable consent mechanisms. That amnesty is now at an end, and the ICO has stated that it expects website owners to have complied, or to be able to demonstrate "sensible, measured action to move to compliance." Earlier this week a spokesman said that the ICO would be approaching top websites to ask what approaches they were taking to obtain users' consent - then it will wait and see if consumers complain. The ICO has previously stated that it does not envisage a wave of enforcement actions relating to cookie compliance. Nevertheless, the issue is a reputational one as much as an enforcement risk.
My organisation hasn't yet complied - where do I start?
There are two essential guidance sources. The first is the updated guidance which the ICO published in December 2011 here.
There are four essential steps:
- First, audit the cookies used on your site - including any third party cookies
- Second, assess their intrusiveness
- Third, provide clear and comprehensive information about them, to enable users to make an informed choice
- Finally, decide what approach to consent will be appropriate for those cookies.
Organisations also need to keep an eye on the ICO's website to see if this guidance evolves.
The second key source is the UK Cookie Guide available here, published by the ICC (International Chambers of Commerce) in April. The Guide applies the principles set out by the ICO (and the ICO has endorsed the guide as reflecting best practice). In particular it:
- categorises and illustrates the main types of cookies - strictly necessary (not requiring consent); performance (e.g. analytics); functional (e.g. those which remember preferences like location, language, etc) and finally targeting or advertising cookies;
- provides suggested (and succinct) wording to use to describe the main types of cookies; and
- provides suggested consent mechanisms to use for each cookie type.
What approaches are we seeing?
In the run up to 26 May we are seeing a range of compliance solutions appearing on UK websites.
BT's website is one example of good practice. It has used icons to represent the four cookie types. It has also developed an interactive tool to allow users to adjust their cookie settings, which provides succinct information about what the website will and will not do according to the types of cookies the user consents to.
For businesses not wishing to develop a bespoke solution, a number of off the shelf cookie buttons, icons and consent pop ups have also become available.
We are also seeing a number of websites comply with the requirement for clear and comprehensive information about cookies by making some "quick wins" in line with the ICO's guidance: repositioning, highlighting and renaming the link to a site's cookie information are all a step in the right direction towards compliance - although merely providing cookie information does note equate to consent.
An end to the hype?
Despite the bad press given to pop ups and concerns about disruption of the browsing experience, many of the consent mechanisms we are seeing do, indeed, take the form of pop ups - and are far less intrusive than was once feared.
So, like we said, you may have noticed some changes to the Olswang website today - these have been made with cookie compliance in mind. But we hope they have not distracted you from your main purpose in visiting the site. Happy reading, and happy viewing!