Cookies are in the news. Why? Because it is now a requirement, under UK law, to advise visitors to your web site about what cookies you store on their computer.
Although, on the surface, this doesn't seem to be much to worry about, there are harsh penalties which can be imposed on companies that ignore it.
With almost all web sites [and there are literally millions of them out there] neglecting to tell visitors about cookies, whether it be through location, ignorance or ignoring the laws, how will they, if ever, get round to telling you off for non-compliance?
The ICO, who are looking after the information about and enforcement of this legislation, seem to be working towards spreading the word in a positive way and appear to be encouraging people to blow the whistle about their 'cookie fears'. This probably means the big fish will need to get their houses in order, but statistically, anyone could be reported, especially if a visitor decides to challenge your approach to cookie legislation.
So what do you need to do, in order to meet the requirements of cookie information? Well, it's pretty simple. You need to tell visitors to your site that you are using cookies, tell them which cookies you are setting and allow them to accept them. Now here is where it becomes a little vague. The ICO are willing to accept implied consent as a satisfactory means by which you can comply with cookie law requirements.
Implied consent means that by virtue of you arriving at a web site that clearly states they are setting cookies, and you carrying on browsing the web site, your agreement to cookies being set is implied by your actions.
This doesn't sound like a solid foundation upon which to build a rule, but it is the child of necessity rather than a strict enforcement policy. The full requirement for cookies where specific consent is required is almost impossible to implement in modern web sites because of the way they are structured around things like session cookies. Most web sites, including the ICO's, need to set things called 'session variables' in order to function. This isn't a bad thing; it's just the way programming on the internet has developed, using a simple and logical technology to function. Because this [implied consent] is really the only option for the ICO and almost everyone else without a huge change to web sites and to the languages and technologies we use to build them, it makes sense to set some reasonable parameters for compliance.
So more specifically, what do you need to do to comply with cookie legislation on web sites?
Here is a simple outline to make a website compliant with cookie law.
1. State that you are using cookies on each page of your web site in a prominent place.
3. Include a mechanism, either a link, button or checkbox, with which the visitor can agree to cookies being set. You also probably want to hide this statement upon acceptance of cookies by the visitor.
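The outline above, sketched as server-side JavaScript. This is an added example, not the module mentioned on this page; the cookie names (`cookie_consent`, `sessionid`, `analytics_id`) and the `/accept-cookies` path are assumptions. Holding back non-essential cookies until the visitor agrees is also a choice made for this example and is stricter than implied consent.

```javascript
// Added example. Cookie names and the /accept-cookies path are hypothetical.
const CONSENT_COOKIE = "cookie_consent";
// Cookies the site needs in order to function (the session cookie) plus the consent record.
const ESSENTIAL = new Set(["sessionid", CONSENT_COOKIE]);

// Parse the Cookie request header into a name -> value object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;                 // skip empty or nameless fragments
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try { jar[name] = decodeURIComponent(raw); }
    catch { jar[name] = raw; }            // keep malformed %-escapes as sent
  }
  return jar;
}

// True only when the visitor has used the accept mechanism.
function hasConsented(header) {
  return parseCookies(header)[CONSENT_COOKIE] === "accepted";
}

// Notice shown on every page until acceptance, then hidden.
function renderBanner(header) {
  if (hasConsented(header)) return "";
  return '<div id="cookie-notice">This site uses cookies. ' +
    '<form method="post" action="/accept-cookies">' +
    '<button type="submit">Accept cookies</button></form></div>';
}

// Set-Cookie value sent when the visitor presses the accept button.
function consentSetCookie(maxAgeDays = 365) {
  return `${CONSENT_COOKIE}=accepted; Max-Age=${maxAgeDays * 86400}; ` +
    "Path=/; Secure; SameSite=Lax";
}

// Of the cookies a page wants to set, return those allowed for this request.
function allowedCookies(header, wanted) {
  const consented = hasConsented(header);
  return wanted.filter((name) => ESSENTIAL.has(name) || consented);
}
```

The consent cookie is left readable by client script so the page can also hide the notice without a reload; it carries no secret, only the visitor's choice.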
That may all sound a little scary, but it's not too big a problem once you understand what you need to do to comply.
We've written a small module to help you manage cookie compliance which you can read about here.
You can see an implementation of it in action on this site.
The files are available on SourceForge.
Alternatively, you can contact us and we can help you become compliant.