The EU Privacy Directive was announced in May 2011 to many groans and much disagreement. In 2012 we see the rule being enforced from May 26th - but are you prepared yet?
The UK government has updated the Privacy and Electronic Communications Regulations in response to the EU Privacy Directive, but many UK websites have probably forgotten, or chosen to ignore, the upcoming changes, at the risk of being fined up to £500,000 for a serious breach of the law.
What is the EU cookie directive?
The aim of this legislation is to increase online security and data privacy, giving users more control over what data can be held about them. It addresses how personal information is held and used.
The legislation forces websites to be transparent about how they are using cookies, detailing exactly what information each cookie holds and how long it will be held, and requires them to actively request permission from their users before cookies can be used.
Previously, the law dictated that websites had to explain how they were using cookies and how users can ‘opt out’. Most sites did so in their Privacy Policies, but this isn’t enough under the new law: users now have to ‘opt in’, having been made fully aware of the implications of doing so.
Reactions to the new requirements have been mixed, and compliance is even more difficult for organisations that had their site custom built long ago and no longer have access to the same developers to shoehorn in the changes.
Thankfully open source content management systems like Drupal bring a number of bonuses to the user:
- You're not alone in having to support the new changes, as there are thousands of others in the same position as you on the same platform.
- It's quite likely somebody has already done the research and solved the problem, and their work can be used as a reference point for others.
- Use of APIs makes it easier to integrate new features around existing functionality on the website.
What cookies are used for
Popular cookies on a large number of sites come from a few sources:
- Web analytics software, such as Google Analytics, counts the number of visitors to each page of a website as well as how often the same person returns to a website.
- Login functionality, which lets visitors log in to the website and customise their experience.
There are lots more - from having a YouTube video or Google Map embedded on your site, or sharing pages with social networking sites, to simple things like allowing the text on pages to be made bigger or smaller and remembering the selected size.
To find out what cookies your site is setting, enter your website URL on the Cookie Cert database site. It can take as long as two hours for your site to be checked, so don't expect an instant result!
What others are doing
We've taken a look at some UK Government sites to see how they are implementing their own rules.
gov.uk - includes a 'beta warning' modal pop-up with the message "N.B. This site uses ‘cookies’ and Google Analytics. Closing this page sets a cookie so you don’t see it again. There’s more information on cookies at AboutCookies.org." Every page also contains a link in the footer pointing to their very clear and helpful cookie information page.
bt.com - this is a really slick and informative user experience for cookies. Click the 'change cookie settings' link in the footer to reveal a pop-up detailing all the cookies being set, their purpose, and a nifty slider to control how many cookies are used.
ico.gov.uk - displays a drab, almost hacked-in message box at the top of their site with a consent tick box. A good example of how the cookie consent requirements could damage your site's nice design.
The Cookie Control widget from Edinburgh-based CivicUK appeared to be an elegant and consistent answer to the cookie requirements. The user interface provided a simple pop-up in the bottom corner of a visitor's web browser with minimal options to complicate things.
Drupal gets it easy
CivicUK are working on some new additions to the Cookie Control project which we'll be integrating into the Drupal module as soon as possible. In the meantime, if you're running a Drupal 7 site for EU visitors it would be well worth considering installing the module earlier than May 26th to ensure you comply.
To find out more about the Drupal module and download the code, visit http://drupal.org/project/cookiecontrol