A guide for online publishers on the new EU cookie rules

With the Information Commissioner's one-year enforcement lead-in deadline fast approaching online publishers are putting into practice their solutions for complying with the EU cookie directive.

In a nutshell, under the new rules websites need to obtain consent from visitors in order to store and retrieve usage information from their computers, such as via cookies.

Sites were given a year from 25 May 2011 to "get their house in order" and work on a solution to comply with the directive.

The exact form of consent which will be required from users has been widely discussed since. This feature will look at advice from the Information Commissioner's Office (ICO) on what sort of measures they will be looking for website operators to be taking, and will also look at examples of solutions being implemented by news publisher websites.

As Simon Rice, a technology advisor at the ICO, told us that while the ICO decided to postpone enforcement action for a year, it does "still expect organisations to be doing something in the meantime".

What the ICO will expect from online publishers

"Show willing and show evidence as well. It's not just a case of saying 'it's very difficult, we're getting a new website in two years time, we're not going to do anything until then', there's still a lot of things that people can do now.

"Do that cookie audit and find out what cookies are actually being used. We've seen lots of examples of website operators who've done a cookie audit and not known even whole domains were running, let alone what cookies were running on those domains.

"So it's a case of looking at those and saying, 'do we still need these cookies, let's stop setting them because actually the survey that we were running 6 months ago doesn't run any more, or that cookie that's got a 25 year expiry date, well actually we only use that data for 24 hours, so let's start reducing the expiry dates on those cookies'."

It is also about the level of information provided to users, he added.

There is no one-size-fits-all, in the same way there's no single definition of a cookieSimon Rice, ICO

"There is no one-size-fits-all, in the same way there's no single definition of a cookie.

"They're used for a range of different purposes and even take different technical forms, so we're quite openly admitting there is no one-size-fits-all solution and certainly the solution on our own website, we're quite open that we know it won't fit other organisations necessarily.

"It's about giving the information first off to the users about what's going on, because without information people couldn't give consent in any way."

What has changed?

There have been regulations in existence since 2003 which required websites to provide a "certain level of information about cookies anyway", Rice added, "so people should have been doing this kind of stuff already".

We've moved to a place where this needs to be more prominent. We're not talking about page 26 of your terms and conditions that's linked to from page 17 of somewhere elseSimon Rice, ICO

"But now we've moved to a place where this needs to be more prominent. We're not talking about page 26 of your terms and conditions that's linked to from page 17 of somewhere else.

"Perhaps in the first few months or weeks, make that more prominent, put a new link at the top of your header that perhaps is a bit bigger, a bit bolder. I don't want to say flashing and blinking because that has all sorts of accessibility issues, but make it more noticeable for people."

Implications for online publishers

John Barnes, chairman of the Association of Online Publishers (AOP), which has raised concerns about the impact of the directive on online publishers, outlines how the new cookie rules affect on news sites.

"So cookies that might be in place to help track site analytics, or help improve the user experience, i.e. you've logged on and it's suggesting content you might want to read as a subscriber. Those aren't necessarily the reasons the directive is in place but obviously those kinds of cookies need to be considered as well.

"One of the big problems is that users don't really understand cookies and it sounds very scary. It sounds like identify theft or one of those kinds of things which clearly it's not, but the concern around the directive is that if advertisers are targeting advertising more and more closely to users behaviour, which means they're building up profiles of users, is that a good thing for end users?

"Probably it's fair to say it's questionably useful, some people will find it useful, some people will find it scary."

Third party cookies and social media buttons

According to the law the implication is that the person who has set the cookie would be the one required to gain consent, Rice added.

"So in the case of third party Like buttons for Facebook or whatever, it would be the social media site," he said.

"However there is an expectation perhaps that some people might think that you're setting that cookie and might start looking in your privacy policy, or your cookie pages, or your guidance and information about what cookies you're setting and 'why have I visited your website and you've set this Facebook cookie' for example."

He added that there is a clear relationship between the website and third party, in that "the social media site or advertising site hasn't hijacked your website and placed their content there", it is with your knowledge.

"You've made that space available so you can't absolve yourself of complete responsibility. But again it's about being more open about what's going on."

Here is some more information on social media buttons and dropped cookies.

Implied consent

In its guidance the ICO said a reliance on implied consent "must be based on a definite shared understanding of what is going to happen – in this situation a user has a full understanding of the fact cookies will be set, is clear about what cookies do and signifies their agreement".

"At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent.

"As consumer awareness increases over the next few years it may well be easier for organisations to rely on that shared understanding to a greater degree. This shared understanding is more likely to be achieved quickly if websites make a real effort to ensure information about cookies is made clearly available to their users, for example, displaying a prominent link to 'More information about how our website works and cookies’ at the top of the page' rather than through a privacy policy in the small print."

The general view I think among publishers and different industry bodies is that publishers need to demonstrate a practical and proportionate approach and it's something that makes it clear tracking will be deployedJohn Barnes, chair of AOP

Barnes added that to achieve implied consent sites would "need to include information on how and what the user is opting into, bearing in mind the way you opt out is don't go into the site basically", he added.

"The general view I think among publishers and different industry bodies is that publishers need to demonstrate a practical and proportionate approach and it's something that makes it clear tracking will be deployed."

Barnes said other advice recently given to online publishers at an AOP forum is to "wherever possible, tailor your policy and cookie consent around your user", bearing in mind "user experience".

"Make it part of the experience and informative and helpful rather than some sort of wall or barrier."

Non-compliance

There is a fining mechanism available but Rice says this would only be come into play where actions "meet very strict criteria", such as "causing serious harm to individuals".

"Obviously it is going to depend on what the cookie is being used for, but in most cases that's not going to be probably very likely to demonstrate serious harm.

"So we're probably unlikely to end up in actual penalty, but of course if we went to a website operator and they said they'd never heard of this law, they weren't going to do anything, they had no intention of doing anything and just told us to go out the door and never to come back, that's obviously going to have a different reaction from us to an organisation that says 'look we've done an audit, we've got 1000 cookies operating across 25 different sub domains ... it's going to take us a long time and this is what we've done so far and this is what we're going to do in the future, and actually here's a project plan that's going to take us two years' - that might be acceptable."

Recent examples adopted by news outlets

As well as being chair of the AOP Barnes is also managing director of digital and technology at Incisive Media. From Sunday night the publisher will be running an advert on its "baby leader" across its websites which will offer a link to more information.

This will "explain what you can do to opt out", Barnes added. This message will stay up on all its sites for four or five weeks he added.

What we're sort of doing is making sure we're complying, then trying to understand what the best of way of doing it is by looking at what other people are doingJohn Barnes, chair of AOP

"What we're sort of doing is making sure we're complying, then trying to understand what the best of way of doing it is by looking at what other people are doing.

"I think generally everybody's trying to learn off each other because there aren't any clear guidelines. Which is probably a good thing actually."

Yesterday the Financial Times published a new cookie policy on its website, "that explains to users what cookies are and how the FT uses them", the publisher added in a statement.

Following publication of the policy the website also introduced a pop-up screen which informs users about the policy and its use of cookies which is activated the first time the site is accessed from a certain device.


FT.com's cookie policy pop-up

The pop-up message also states that by closing it and therefore continuing to access the content behind, "you consent to our use of cookies on this device in accordance with our cookie policy unless you have disabled them".

"The FT takes the privacy of our users very seriously," the publisher added in a statement.

"Our transparent policy gives users clear information about the cookies we use, so they can make an informed choice about whether to allow the use of cookies.

"In addition to the pop up, we will host information on FT.com explaining clearly how users can disable cookies, feature prominent links throughout the website to our cookie policy and use appropriate areas of the website to bring the attention of our users to the new policy.  Users will have the ability to choose to disable cookies at any point."

The pop-up will also appear when users access FT.com from a mobile. It is not currently being used on its html5 web app but this it is due to be rolled out into the web app and other mobile apps.

The website for the Mirror has also introduced a pop-up box which appears at the bottom-right corner of the page the first time a user accesses the site for 12 seconds.



There is also a link on the site's header which goes through to the site's cookie policy.

Trinity Mirror's product director Malcom Coles told Journalism.co.uk the approach, which will be rolled out across Trinity Mirror's portfolio of news sites, is to both try to help people understand the issue and offer controls for them for all the relevant types of cookies. The site's policy also links to the cookie policies of the services it uses.

He speaks more about the Mirror's approach in this piece on Econsultancy.

• The ICO has published all its guidance on the new cookie rules online at this link

Update Monday 28 May

The ICO has published some further guidelines at this link.

Free daily newsletter

If you like our news and feature articles, you can sign up to receive our free daily (Mon-Fri) email newsletter (mobile friendly).