Complying with the Cookie Law – a Guide

This is a guest post from John Taylor of www.jtresponse.co.uk a company that offers technical solutions for Website Design, Development and Hosting.


Due to recent changes in privacy regulations many owners of UK websites will be in danger of receiving large fines from May this year.

This is not for eating snacks at the keyboard but for gathering and storing information about your website visitors on small parcels of code called ‘cookies’.

The Privacy and Electronic Communications Regulations 2011 (PECR) came into force in May last year and UK web sites were given 12 months to comply. The penalty for non-compliance is a fine of up to £500,000! Time is running out to comply, so here is a quick guide to help you get started.

What is a Cookie?

These new rules are commonly known as the ‘Cookie Law’. Not many people realise that when people browse the internet, the websites they visit can leave small pieces of information on the visitor’s computer. These are called cookies.

What are the new rules?

The new rules say that websites must explain the cookies that they use, and must get prior consent from the user before leaving any cookies on their computer. However, there are some exceptions, including cookies that are strictly necessary for the provision of the service.

  • Cookies used for: shopping carts, login systems, security are exceptions
  • Cookies used for: tracking, advertising, customising the display are not exceptions

How do I comply?

The first thing you need to do is to perform a Cookie Audit (details on how to do this are below). This should only take about 10 minutes for a small business website.

There are many services offering free tools for cookie audits but these are simply ways to get your details and sell you more services and are unnecessary. It is very easy to do your own cookie audit.

  • If you have no cookies, then you are in the clear.
  • If your cookies are only used for your shopping basket or login system, then you are also in the clear.
  • If you have any other cookies, then you need to check further.

Once you have performed your Cookie Audit, you need to file it away somewhere safe. You may later need proof that you have performed the audit and are doing your best to comply with the new rules. See the references below for an example cookie audit.

Checking for Cookies with Firefox

  1. Go to Preferences (in edit menu or tools menu depending on your OS)
  2. Select the Privacy Tab
  3. Make sure that “Accept cookies from sites” is set
  4. Click on the “Show Cookies…” Button
  5. In the Cookies window click on the “Remove All Cookies” Button
  6. Close Cookies window and the Preferences Window
  7. Browse as much of your website as possible
  8. Go back to the Preferences, Privacy Tab
  9. Click “Show Cookies…” button
  10. See if any cookies have been listed
  11. You can click on the website domains to expand the list and see the cookies
  12. You should record these cookies, and what they are used for in your cookie audit

Checking for Cookies with Chrome

  1. Click on the spanner at top right, and select Options (or Preferences on some systems)
  2. Click on “Under the Bonnet”
  3. In the Privacy Section, click on “Content settings…” button
  4. In the Cookies section, ensure that either “Allow local data to be set” or “Allow local data to be set for the current session only” are set
  5. Click on “All cookies and site data…” button
  6. Click on “Remove All” button
  7. Close the Options tab
  8. Browse as much of your website as possible.
  9. Go back to Options -> Under the Bonnet -> Content settings -> All cookies and site data…
  10. See if any cookies have been listed
  11. You can click on the website domains to expand the list and see the cookies
  12. You should record these cookies, and what they are used for in your cookie audit

Checking for Cookies with IE(8 & 9)

  1. Click on “Internet Options” in the “Tools” menu (addendum, if you don’t see the “tools” menu, press and release the [Alt] key, the menu will appear, or if IE9, just click on the ‘gear’ in the upper right hand corner of your IE9 window, Ken)
  2. In the “General” tab, Click on the “Delete…” button in the “Browsing History” section
  3. Make sure “Preserve Favorites website data” is not set, and “Cookies” is set
  4. Click on “Delete” button, and close the Internet Options window
  5. Browse as much of your website as possible.
  6. Go back to Internet Options -> General Tab
  7. Click on the “Settings” button
  8. In the Temporary Internet Files window, click on “View Files” button
  9. Look for files starting with “cookie:”
  10. You can view the contents of these cookie files by dragging them to another folder (e.g. your desktop) and opening them with Wordpad
  11. You should record these cookies, and what they are used for in your cookie audit
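The browser checks above record cookies after they have landed on a visitor's machine. As an added example (not code from the original post or from jtresponse), the Python below performs the same audit from captured Set-Cookie response headers, applying the rule given above that basket, login and security cookies are exempt while anything else needs prior consent. The host name, cookie names and header values are constructed sample data, and the set of strictly-necessary cookie names is an assumption that a site owner would fill in from their own audit.

```python
"""Cookie audit helper: turn captured Set-Cookie headers into audit rows."""
from dataclasses import dataclass
from http.cookies import CookieError, SimpleCookie

# Assumption: names the site owner has identified as strictly necessary
# (session/login, shopping basket, CSRF protection). Fill in for your own site.
STRICTLY_NECESSARY = {"PHPSESSID", "basket_id", "csrf_token"}

SITE = "www.example.co.uk"  # constructed audited host
SAMPLE_HEADERS = [  # constructed Set-Cookie values, as seen in server responses
    "PHPSESSID=3f9a1c; Path=/; HttpOnly",
    "basket_id=77; Domain=.example.co.uk; Max-Age=3600; Path=/",
    "theme=dark; Domain=.example.co.uk; Expires=Fri, 31 May 2013 23:59:59 GMT; Path=/",
    "ad_id=xq7; Domain=.ads.tracker.test; Max-Age=31536000; Path=/",
]


@dataclass
class CookieRecord:
    name: str
    domain: str
    persistent: bool        # Expires/Max-Age present: outlives the browser session
    third_party: bool       # set for a domain other than the audited site
    consent_required: bool  # everything except first-party strictly-necessary cookies


def audit_set_cookie(site: str, headers: list[str]) -> list[CookieRecord]:
    """Parse each Set-Cookie value and decide whether prior consent is needed."""
    rows = []
    for header in headers:
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            continue  # malformed header: skip rather than mis-record it
        for name, morsel in jar.items():
            domain = (morsel["domain"] or site).lstrip(".")
            persistent = bool(morsel["expires"] or morsel["max-age"])
            third_party = not (domain == site or site.endswith("." + domain))
            # The rule above: basket/login/security cookies are exempt; a cookie
            # set for somebody else's domain never is.
            exempt = name in STRICTLY_NECESSARY and not third_party
            rows.append(CookieRecord(name, domain, persistent, third_party, not exempt))
    return rows


if __name__ == "__main__":
    print("name | domain | persistent | third-party | consent required")
    for r in audit_set_cookie(SITE, SAMPLE_HEADERS):
        print(f"{r.name} | {r.domain} | {r.persistent} | {r.third_party} | {r.consent_required}")
```

Response headers alone miss cookies written by JavaScript, which is how Google Analytics sets its cookies, so the browser check above is still needed to catch those.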

What if my website uses Google Analytics?

Google Analytics and most other website statistics systems use cookies, and the use of cookies for analytical purposes falls within the rules. In order to comply with the new rules you will need to inform website users about these cookies and gain their consent before using them. This has two main issues:

  • Most people won’t bother to agree to accepting the cookies, so your statistics will be greatly reduced.
  • This will require some programming, making Google Analytics much more difficult for website owners to implement.

The only realistic solution for many people will be to remove analytics from their website, putting them at a huge disadvantage to non-UK websites.  At the time of writing, I am not aware of any way around this issue, and Google have not offered any advice.

Luckily, there are ways to gather website statistics without using analytics. One of the most common ways is to use your webserver logs. Most hosting companies will provide access to the web server logs for your website, and provide statistics similar to Google Analytics, but this method does have some shortcomings:

  • It can’t distinguish between people sharing the same IP address (people sharing an internet connection, or different users on the same PC), and will lose track if your IP address changes (e.g. switching to/from WiFi on a smart phone).
  • It can sometimes mistake web bots for actual users.
  • The statistics are not as sophisticated as Google Analytics.
  • It can’t be easily linked to adwords campaigns.

References

The official ICO guidance can be found here:
http://www.ico.gov.uk/news/current_topics/new_pecr_rules.aspx

Also see this helpful PDF:
http://www.ico.gov.uk/news/current_topics/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx

The table on this page shows an example of what a cookie audit might contain:
http://www.ico.gov.uk/Global/privacy_statement.aspx

If you have any queries on the Cookie Law please contact John at john@jtresponse.co.uk , join in the discussion on LinkedIn at http://lnkd.in/8ANv2s or leave a comment or query below.

