New EU Cookie Compliance Rules
This ICT Knowledgebase article provides a good overview of the current situation and steps needed for compliance. This can be summarised as:
- assess their intrusiveness
- determine how to obtain user consent for intrusive cookies.
For determining your cookies' intrusiveness we propose a three-tier hierarchy of moderately intrusive, mildly intrusive and exempt. Examples of each could include:
Embedded third-party content such as YouTube/Vimeo videos; social media plug-ins such as Facebook ‘Like’ buttons; campaign management including A/B split-testing of content. See note below about analytics.
Cookies used to prevent multiple form submissions (including Drupal’s webform); session management cookies required to fulfil primary functionality such as shopping carts and donation forms.
What steps do you need to take?
From a user experience perspective (i.e. least disruptive) the preferred method of compliance would be simply ‘implied consent’. This may be acceptable for specific actions such as ‘remember my preference’ checkboxes, but not in the general case because, as the ICO's guidelines state, “evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent”.
To make this even more visible, a separate ‘cookie information’ page could be created specifically for this information. This could then be linked to as necessary from:
- the footer (tertiary navigation)
- areas of your site where cookies are used
- a news article/press release acknowledging the legislation with perhaps some background information on what cookies are.
In addition to a cookie information page, you should seek to inform the user at specific points when a cookie identified as ‘intrusive’ is being set. In many cases this could be achieved through suitable labels/copy stating that a cookie will be set when the action is performed (and linking to your cookie information page as noted above for more information).
For any cookies you categorise as ‘moderately intrusive’ we recommend you review the associated functionality to see if it’s really necessary. (Such consideration is intended to be the principal target of the legislation.) If you do consider these cookies necessary, you should ask users for opt-in consent before setting any associated cookies. We can discuss how this might be achieved on your particular website.
A note on analytics
Should you require any assistance in implementing any changes, please don’t hesitate to get in contact.