By Finlay Carmichael, managing director, C2 Software

The new EU law on cookies on web sites came into force on 26 May 2011. To date, there has been little clear guidance on what’s expected of web site owners, or on any penalties for failing to comply. The current situation is frustrating and we have therefore attempted to make some sense of what companies should be doing, to ensure their web sites are consistent with the law.

The principle behind the new law is that consumers have a right to know, and decide, what is downloaded to their computers. When they first arrive at a web site, therefore, there should be an explanation of all the cookies used by the site, and the ability to choose which can be used.

That’s where the tricky stuff starts. Many web site managers don’t even know what’s there, themselves. There will be cookies used to smooth the browsing experience, cookies that collect information on users’ habits, and increasingly, third-party cookies that are used by the likes of Google Analytics and social bookmarking tool AddThis (www.addthis.com).

So the first step has to be a thorough audit of your site so that you do know what’s there. Then, decide what you actually need, and what your readers or customers are likely to accept.

Do you need analytics and social bookmarking sites? What about the Flash cookies? These can be placed on the client computer if your web site uses the Adobe Flash plug-in for the display of video, or just to deliver enhanced browser functionality. The issue with Flash cookies is that they are not deleted when a user clears cookies in their browser.

Even worse, they can be used to re-propagate standard cookies — it’s easy to see why people are wary of them. Do you really need them?

Then, you need to work on ‘marketing’ the ones you decide to keep. How will you explain each cookie to users, in a way that encourages them to say yes? In our experience users are generally quite savvy about the benefits of cookies and quickly get frustrated when they find their browsing experience hindered by the lack of them — so with careful wording you can make sure most are accepted.

If you list each cookie, with a link to some information about it, such as why it’s there and what the benefits are to users, you’ll have a greater chance of having them accepted. There’s a good example on the Information Commissioner’s web site — tight and succinct, it explains what it’s asking, why it matters, and what users’ choices are:

“The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.”

That’s followed by a simple check box for users to accept (or not). If they tick it, fine, the site can activate all the non-essential but ultimately useful features that need cookies: Google Analytics, Twitter Follow, AddThis, Font Picker etc. If they don’t, then we have to hope the user will understand why some features are not available or are a little clunkier than they have been in the past.

There’s no denying that this is a big change, and there are serious concerns among some web designers about the impact this is going to have. At the moment, all we can advise is managing it as well as possible, and making it easy for users to understand. They’re going to get savvy to it quickly, anyway, as more and more sites begin to ask these questions — each user will settle on their own level of comfort and work from there.

There are some hopes that this will eventually be managed within browser settings — each user can set their preferences once and for all. But that’s not an easy task for a browser to handle, across the vast range of sites out there, and to date the tools just don’t work.

To date, the UK government has not been clear about exactly what needs to be done, or about any penalties for companies who fail to act. At the moment, there is a period of one year’s ‘grace’ for companies to get their sites in order. What will happen at the end of that is open to speculation.

But my advice has to be to do the work now, before you are forced into it, and do it well. A thorough audit of your site and some clear and direct explanations to users will help ensure people keep returning to, and enjoy using, your site.