The EU Cookie Saga Continues (an update)

So at the time of writing we are now just a few days passed the UK implementation (officially) of the EU Cookie Directive. Not going to ramble on about what that is, you can read that in my previous post all about the eu cookie law. This post is just a quick update as to the current status and mechanisms you may use to meet the cookie law.

48 hours before the law came into force (ish), 26 may 2012, ICO published “updated guidance” on the issue. For what it now says I do wonder why they couldn’t have said this previously and prevented myself and many other SEO’s and Developers wasting lots of time on this.

Click here to download the new guidance, its 30 pages of jargon (you’ve been warned).

To sum up the new guidance on the EU Cookie Directive is basically saying that rather than the explicit permission being required, as the previous guidance had said, we can comply with the directive by using implied consent.

What this means is that you should now take the following actions:

Update your privacy policy, use detail appropriate to your audience and explain what each cookie does and how you use it. If not tech savvy then you must explain what a cookie is, you can do this outside of the policy if you want but you must do it.

Update your terms and privacy policy to make clear that by using the website they consent to you “dropping” those cookies.

Ensure you link to T&C’s & PP from every page.

Implement the “do not track” browser detection script. Do Not Track is a plugin or part of a browser the where the user can opt-out of cookies, but only on sites where the script is implemented. The code is fairly easy to understand, if you want it just tweet me @andykinsey and I will send you links to paste bin where I will put that code for you to utilise. (WARNING: if you don’t do this step you are not getting implied consent completely).

Now there are a few things you should know here. This solution is primarily for those using only analytics, this means for adverts which drop cookies (eg Google Ads) you must still collect direct permission.

Also please note it is still good practice to ensure you comply by taking measures such as notification pop-ups or header bar acknowledgements, such as that being used by the BBC.co.uk website.

Even better practice is to get explicit permission, you can do this using Civic Cookie Control (which incidentally would also work for the acknowledgement.)