The law requiring websites to gain explicit consent before storing cookies on users' computers was passed in May 2011, but the ICO granted firms a year to comply before prosecuting any cases.
Apart from one or two lonely voices, reactions from website owners have been entirely negative. Many saw the law as an ill-conceived nonsense that failed to appreciate the technical reasons for which cookies are used. Many are holding out for a u-turn on the legislation, perhaps in the hope that a Conservative, red-tape-busting government might be averse to interference with the World Wide Web. Some plan never to comply and others hope for some kind of meta-solution from browser vendors and the major players like Google and Facebook.
Lonely voices
But the law isn't woolly, ill-intentioned or wrong-headed. In fact, while it poses one or two compliance headaches, we believe that it's Quite a Good Thing.
Big providers of Internet services, particularly Facebook and Google, liberally use cookies to make their services work, track user behaviour, sell us things and personalise our browsing experience. They keep telling us that data is anonymised, that they only have our best interests at heart, and that they exist to make the world a better place.
Even if we believe them, the fact is that data, once it is brought into existence, has a creepy way of getting about, being repurposed for commercial gain, or otherwise misused. Google, with its control over Adwords, Analytics, Gmail and a host of other services, has the means to track much of our activity online. Not that it chooses to exercise that power. And in theory laws exist to discourage it from doing so.
We think the new cookie law will produce a new kind of good practice for websites. The rules will help prevent such user-identifiable data getting into the hands of big corporates (and their governments). Ultimately, for the protection of individual freedoms online, this is a good thing.
What the law means for webmasters
There are a few steps to go through in order to achieve compliance with the law:
- You must audit your cookies and present clear information about them on your privacy policy
- You must include a mechanism for obtaining consent, before any cookies are stored (with one or two exceptions for things like load balancers and shopping carts that are deemed "strictly necessary")
- You must make any technical changes to cookie-storing scripts in order to test for consent before a cookie is stored.
In practical terms it means you need to avoid using cookies or deploying third party software that uses them except where it is essential for the purpose of making your website work. This is because as soon as explicit consent is required, users may refuse that consent. If you see a particular feature as important, you'll want to know that it will work all the time, whether or not users have consented to cookies.
What is "strictly necessary"?
The ICO's definition of "strictly necessary" is very narrow. Where users have explicitly requested a particular service, such as adding products to a shopping cart, it will be OK to store a cookie on their computer without making a further, explicit request for consent.
Analytics scripts, ads, personalisation and social media widgets are not "strictly necessary" from a user perspective, and are NOT exempted under the legislation.
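An added example of the consent test described in the steps above, not taken from Cookie Control or its API: cookies marked strictly necessary are stored at once, everything else is blocked, and third-party scripts are held until the user consents. The names `createConsentGate`, `createMemoryJar` and `cookie_consent` are assumptions, and the in-memory jar stands in for `document.cookie`.

```javascript
// Added example: a consent gate for cookie-setting scripts.
// createConsentGate, createMemoryJar and CONSENT_COOKIE are hypothetical
// names, not part of Cookie Control.
const CONSENT_COOKIE = 'cookie_consent'; // assumed name for the consent record

function createMemoryJar() {
  // Constructed stand-in for document.cookie so the example runs offline.
  const store = new Map();
  return {
    get: (name) => store.get(name),
    set: (name, value) => store.set(name, value),
    names: () => [...store.keys()],
  };
}

function createConsentGate(jar) {
  const deferred = []; // scripts waiting for the user's decision
  const hasConsent = () => jar.get(CONSENT_COOKIE) === 'yes';

  return {
    hasConsent,
    // Store a cookie only if it is strictly necessary or consent exists.
    // Returns true when the cookie was written, false when it was blocked.
    setCookie(name, value, { strictlyNecessary = false } = {}) {
      if (!strictlyNecessary && !hasConsent()) return false;
      jar.set(name, value);
      return true;
    },
    // Wrap a third-party script (analytics, ads, social widgets): run it now
    // if the user has already consented, otherwise hold it until they do.
    whenConsented(script) {
      if (hasConsent()) script();
      else deferred.push(script);
    },
    // Called from the consent button. The user has just agreed, so the
    // choice is recorded and every held script is released exactly once.
    grant() {
      jar.set(CONSENT_COOKIE, 'yes');
      while (deferred.length) deferred.shift()();
    },
  };
}
```

Because a refused or pending consent leaves the held scripts unrun, any feature wrapped in `whenConsented` must be one the site can work without.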
A friendlier user-interface
Cookie Control has been carefully considered in terms of user interaction design. Some solutions interrupt the critical head of the page area with a banner-style consent form. Others interrupt the entire browsing experience altogether, obscuring all content before you can proceed.
Our aim with Cookie Control is to provide a mechanism for getting consent that minimises the impact on the user experience of your website that you've spent many hours carefully crafting. A single button press is all that we require from a user to secure their consent.
Customisation
We didn't want to be too prescriptive about how you use Cookie Control. When you visit the configuration page you'll find various options enabling you to change the position of the Cookie Control icon, populate your own boilerplate text, link to your privacy policy and determine whether you want the user interface to be open on page load, or closed. For full compliance Cookie Control users should set the user interface to open on page load.
Eventually we hope the Cookie Control icon will be so well known that its presence alone will be enough to signify the use of cookies on a website.
Tweaking your scripts
Examples are provided on how to adapt typical third party scripts to test for user consent before they run, and the team at CIVIC are ready to help with custom implementations.
The solution was originally rolled out in response to the needs of CIVIC's many government clients, including the Scottish Government, SQA, Skills Development Scotland and the NHS.
Cookie audits and privacy policies
A cookie audit might sound daunting, but actually it's dead easy to do. We've explained a bit more over on the deployment page.
Problems, problems
While most websites will be able to comply with a few simple tweaks to their code and the application of Cookie Control, some third party apps will be badly affected.
Google Analytics is estimated to run on 90% of websites. As an entirely cookie-based analytics solution it is not compliant with the legislation without the provision of explicit consent by website users. When the ICO tested this on their own site, only 10% of users actually opted into the service.
Obviously, an analytics package that only tracks 10% of users is hardly of use at all. Google's silence on this problem has been deafening. We can speculate that they're hoping the ICO will approve a global opt-in that will be valid across all Google services, or that an exemption will be made in the case of analytics. But in the absence of any solution from Google, webmasters may have to find an alternative analytics solution that doesn't depend on cookies.
Websites dependent on sales from advertising will be harder hit. At the moment scripts from some ad networks deposit cookies in order to personalise ads on websites that users visit later. It's difficult to see how this functionality will survive when explicit consent is required in order to make it work.
Let's try it!
Heard enough? Let's crack on with configuration and deployment.
Need to speak to someone?
The team at CIVIC are supporting this project free of charge. Within reason!
So feel free to contact us with questions or suggestions, and we'll do our best to help.

