EU Cookie Directive - What it means for business and SEO

For a while now I've been on the trail of a solution to the "EU Cookie Directive", which in its most basic form means that any cookie your website uses that is not needed for an essential service (e.g. controlling a shopping cart) must have the "direct permission" of the user before it can be set. For many this would mean we need permission to track analytics, since analytics is not an essential function of a website.

Before we begin we need to consider the question...

What is a Cookie?

For most users of the web cookies go unnoticed, or are a nice snack alongside a brew. But in terms of the web a "cookie" is a small piece of data a website sends to a browser, which stores it and sends it back on later requests. It can hold anything from what is in your shopping cart to which web pages you've visited, what you search for or which websites you are shown.

Now there are two types of cookie, first party and third party. First-party cookies are those dropped by the website itself; under this directive these are generally accepted as being fine. Third-party cookies are those which are used by the website but come from another service, such as Google Analytics, and NOT from the website itself.

To understand the law we need to think about...

Where did the EU Cookie Directive start?

It appears that the EU Cookie Directive was born of user complaints about third-party cookies being used to serve adverts across the web; the most popular service for this is Google AdSense.

To ensure that adverts are relevant, Google (in this example) would use cookies about the website the advert is served on, and it then classes the topic of that webpage as a vote from your IP for that topic. Then when you visit another website or blog you may see an advert relating to that topic. It is this "cross pollination of cookies" which upsets some users across the web. It is not, though, the advert cookies themselves that most people are upset about (there are a few who are); it is the other data which can be transferred via cookies and how this data is used. After all, you are at the whim of the website owner and developer who installs the third-party cookies (or first-party ones, if not essential to the service) as to whether the cookies and services are reputable or otherwise.

And that is why the EU wants websites to collect permission for those non-essential cookies. Basically, if your website can work without those cookies (analytics, adverts etc.) then you must collect permission before using them.

But the website still works so...

What's the problem with the EU Cookie Directive?

The problem comes in a few forms. First, how do you collect permission without hindering the website experience for your visitors? Second, can you use implicit permission or do you need explicit permission, and does this apply to some or all types of cookie? Third, will this make for an uneven playing field in the UK, Europe and across the world for business? Will your business suffer due to this directive?

The answers are fairly hard to come by. The reason for the failure to give a direct answer here is that we just don't know the answer. The Cookie Law was written by what appear to be technically inept people, lawyers who don't know what cookies really do. This means the law is so broad and unclear about "what you need to do to comply" that each country is approaching it in a different way, and some EU countries are ignoring it. What is also unclear is whether websites served from servers outside of the EU must comply directly. Take Google.co.uk: will it need permission for anything but search, and then be unable to collect information about which search you've used, damaging that business? If so, that website may be served from US or other servers and avoid the law, gaining the upper hand on its competitors because suddenly it doesn't need to comply.

Using the above example it's easy to see why lots of businesses are crying out for guidance on this matter: are businesses about to take a hit for implementing an explicit solution asking for permission, whilst other businesses in that niche market are not implementing anything?

The Solution to the Cookie Question?

For now, in my opinion, the best solution is simple. Invest in your privacy policy.

My advice is to update, or write your first, Privacy Policy. Ensure you have a list of the cookies your website uses, from essential to non-essential. Explain where each cookie comes from, why it is used on your website and how it helps your user. Also make clear how a user can access such data. A good example of the standard you need to meet in your Privacy Policy is ICO.gov.uk, who also use the next possible solution for permission.

However, the above solution on its own does not gain the permission of the user in an explicit way.

The explicit permission is collected at the top of ICO.gov.uk, where you will see a tick box asking for your permission to track you. This is one possible solution.

Another solution is a pop-up box, the type used by AllAboutCookies.org (another great resource for further reading on this directive). There are others of a similar ilk to AAC's solution provided by Wolf Software, but that implementation is simple and fairly easy to follow.

There are other solutions too that are not pop-ups and not just like ICO's. However, Wolf Software does display a few different ways you can implement explicit solutions. Do take a look; there is no real one-size solution to this problem.

Finally, I want to finish on a little tip. It is doubtful that ICO or DCMS will enforce this law in all its power even once 26 May rolls around. It became law in 2011 and ICO gave the UK 1 year to find a solution; since then the above solutions have appeared. Across Europe others have appeared, but none as clear as the above. Also, as mentioned above, many EU countries have given grace or ignored the law.

What I believe ICO will likely do is ask the "big boys" to comply and find a way that is agreeable to all. In the web industry we hoped implicit permission would do for most websites using normal things like analytics, and that this could be a tick box in a browser during set-up, problem solved; it would leave other "non-normal" services to collect permission explicitly. The problem is that the browsers have not done this, it's doubtful they will, and it's really unclear whether it would meet the law's requirements. It is also unclear whether 2 computers on 1 IP, or even 2 browsers on one machine, both need to say yes or not, and it's further complicated by how mobile browsers will deal with the problem, as the solutions all in some way rely on JavaScript (with the exception of a browser-level solution). This is not a problem that will disappear, and questions will be asked for a long time yet.

Final advice: get your privacy policy up to scratch and then watch what the big boys do.