Sharing info with third parties
The EU legislation is about trying to
protect users’ rights, putting them in control of what information companies
know about them. ‘From a user’s perspective, you might have a third-party like
Google who know that you’ve gone from, say, a food blog to something on some
other topic, and using those third-party analytics it’d be possible to build up
a broad picture of that user that the individual website operators would never
know about, and have no interest in,’ Rice says; and that’s the kind of really
intrusive stuff the legislation is designed to keep in check.
So if you’re using Google Analytics, one
thing you might consider doing is turning off the third-party cookies. That
way, the only analytics cookies on your site will be first-party – the
information collected will be visible to you, but visitors won’t be tracked
once they leave your site. To check or change your cookie settings, log into
your Google Analytics account, and click on the gear icon on the right-hand
side of the page. Click on the name of the website, then click ‘Account
Settings,’ and click on ‘Do not share my Google Analytics data’ and click
‘Apply’.
You don’t have to switch those cookies off,
of course – but you do need to tell visitors to your website that you’re using
them, and let them make the decision about whether they want to opt out.
Ultimately, you’re responsible for the cookies used on your site, so it’s your
decision what you use, but you need to be open about what you’re doing.
Getting informed consent
The next important thing to do, then, is to
add information to your site that tells visitors what cookies you’re using.
This can be tricky, since many people don’t know what cookies are or how they
work. But that’s the point of this legislation, really – raising awareness so
people know what their information is being used for. ‘There’ve been quite a
few surveys looking into what the general public understands,’ Rice says.
‘Probably the worst thing people could do would be to switch all cookies off,
and then complain that nothing works. The technology isn’t the problem; there’s
nothing wrong with using cookies. It’s about how they get used.’
So you should add a privacy policy to your
site, somewhere easily accessible and visible, that tells visitors what cookies
you’re using and what you’re doing with the information, and includes
information on how users can opt out (obviously, not visiting your website is
one way, but probably not the way you want to encourage!). Google offers a
browser add-on that lets people opt out of Analytics; it’s available for
Internet Explorer, Chrome, Firefox,
Safari, and Opera, and you can get it here: is.gd/MXA7FI.
While that’s a good starting point, though,
the EU legislation specifically says that users must give explicit consent to
the use of cookies, not merely not have opted out. ‘There are consent
mechanisms available that people can incorporate into their websites,’ Rice
says. ‘There are some plug-ins they can use, and as they gain visibility with
more and more people doing this, the options will get better.’ The ICO’s
guidance document recommends consent should be gained through either pop-ups,
splash pages, or other banners or overlays – in other words, websites should
use the same methods they currently use to show irritating adverts to get
consent for cookies.
Some JavaScript plug-ins are starting to
pop up (Google ‘eu cookie law plug-ins’ to find some) but most of them aren’t
terribly sophisticated. Let’s hope Simon’s right, and they’ll get better. For
now – well, it’s a good time to start the rest of the process, figuring out
what cookies you’re using, removing any you don’t need to be using, and sorting
out your privacy information.
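As an added illustration (not code from this article or from any particular plug-in), here is the opt-in logic a consent plug-in needs: analytics load only after an explicit 'granted' choice, and a missing or unrecognised value is never treated as permission. The cookie name cookie_consent and the loadAnalytics and showBanner callbacks are hypothetical, and the site is assumed to be served over HTTPS.

```javascript
// Added example: opt-in consent gate. The cookie name "cookie_consent" and
// the loadAnalytics/showBanner callbacks are hypothetical, for illustration.
const CONSENT_COOKIE = 'cookie_consent';
const ONE_YEAR = 60 * 60 * 24 * 365; // seconds

// Parse a document.cookie / Cookie-header string into a plain object.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name && !(name in jar)) jar[name] = value; // first occurrence wins
  }
  return jar;
}

// 'granted' | 'denied' | 'unset'. Any unrecognised value counts as 'unset'.
function consentState(header) {
  const v = parseCookies(header)[CONSENT_COOKIE];
  return v === 'granted' || v === 'denied' ? v : 'unset';
}

// Explicit consent only: the absence of an opt-out is NOT permission.
function mayLoadAnalytics(header) {
  return consentState(header) === 'granted';
}

// First-party cookie that remembers the visitor's choice (assumes HTTPS).
function consentCookie(choice) {
  if (choice !== 'granted' && choice !== 'denied') {
    throw new TypeError('choice must be "granted" or "denied"');
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${ONE_YEAR}; Path=/; SameSite=Lax; Secure`;
}

// Browser wiring: call on page load with document.cookie, and again after a
// banner button stores a choice via document.cookie = consentCookie(choice).
function applyConsent(cookieHeader, loadAnalytics, showBanner) {
  const state = consentState(cookieHeader);
  if (state === 'granted') loadAnalytics();
  else if (state === 'unset') showBanner();
  return state;
}
```

A visitor who chose 'denied' gets neither the analytics script nor the banner again until the consent cookie expires.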
What’s going to happen next?
Failure to comply with the EU legislation
can mean a fine of up to $750,000 (although it is noted that that’s ‘in the
most serious of cases … if any person has seriously contravened the
Regulations, and if the contravention was of a kind likely to cause substantial
damage or substantial distress’, so you’re not going to get a fine like that in
the post for using Google Analytics). So this isn’t something that website
owners can afford to just ignore. While there may not be a huge number of
websites currently asking your permission to use cookies, you can bet that that
number is going to increase dramatically over the next few months.
The ICO added a banner asking users to
consent to the use of cookies on their site last May, and since then, it’s seen
a 90% drop in the number of users recorded via Google Analytics. Which might be
a bit worrying, for anyone who relies on analytics for their business (or even
just likes knowing where visitors to their blog came from). Hopefully, the
increased amount of information on the web will mean that people understand
what cookies are, and will mean they feel more comfortable accepting them, but
that’s something we’ll have to wait to find out about. In the short term,
you’re probably going to be irritated by a lot more popups and banners, but try
not to get too annoyed by them.
The real, key message of this legislation –
which might be getting lost beneath the irritation about the extra work it’ll
take to make websites compliant with it – is that websites should be upfront
and open with their users about what information they’re storing about them. It
should be down to the user to decide what information they want to share.
Which, we reckon, is probably a good thing.