The EU has recently amended the rules restricting use of cookies in a move set to put the lid on the cookie jar for businesses benefitting from the information they gather using them.
More than ever, businesses rely on the content of their websites to sell and promote a wealth of goods and services. Tracking a customer's use of a website through collecting "cookies" is seen as one method of delivering a unique, customised website interface for a returning user of a website to create a familiar and tailored website experience.
Cookies are small files of letters and numbers downloaded on to a user's device when they access a website. This allows the website to recognise the user's device.
The Privacy and Electronic Communications Regulations, implemented in the UK last month, state that cookies can only be placed on a user's machine if the user has given their consent on each website. Previously, websites only required to inform users how the website uses cookies and how they could "opt out" of using them. Simply providing a privacy policy often did this.
This change may seem minor, however it will require website owners to review their current arrangements in relation to cookies to ensure that websites are transparent about their use of them and that users will be given the opportunity to opt out from cookies being collected.
In practical terms, what does this mean? Albeit the legislation has already come into force, the UK Government has stated that there should be a phased approach to the implementation of this amendment. The Information Commissioner's Office (ICO) anticipates that if a complaint was received about a website they would expect an organisation to revert to the ICO with a plan setting out how to achieve compliance. However the ICO stresses that the rules cannot be ignored.
The first step which should be taken by a business is to assess its website. This may involve consultation with web developers to confirm whether the website uses cookies and if it does, how they are used.
Once this assessment has been undertaken and cookie usage is understood, a review of policies and effective methods of ensuring users of the websites can opt out of use of cookies needs to be considered. It is important to stress that if cookies are particularly intrusive with regard to user privacy then action will need to be taken quickly.
Some options which website owners might want to consider to obtain consent from users to collection of cookies are:
Use of pop-ups for users who first access the website
Use of terms and conditions where users have to register or sign up to
Or receive consent when a user is electing to use certain settings of the website which use cookies.
It should also be stressed that if a website has third party cookies, for example from advertisers, then it is the website owners responsibility to ensure that advertisers comply with the new Regulation.
Of course, the difficulty will be ensuring that a website user's experience is not diminished which may deter users from return visits. Importantly, users can view a proactive approach positively if an honest and upfront message is given to users that helps them understand what is done and why it is done.
It seems that the lid on the cookie jar has been put back on by the EU but those who wish to indulge can be free to do so if they opt in.