So something that seems to have been exercising the worry muscles of quite a few colleagues of late is the latest EU privacy wheeze and how it impacts the way that websites operate. If you want to read more about the Directive then there is further info here http://www.cookielaw.org/ and here http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx. The Directive is very vague, and there isn’t really any suggested or recommended way of implementing it that anyone official has endorsed, but the thrust seems to be that if your site drops a cookie on a user’s machine for anything other than ‘essential website functions’ then you need to get the user’s explicit permission to do so.
There are a few things to consider with this. Number one (to me at least) is that most internet users don’t know what a cookie is and don’t care what cookies do, but they DO care about their privacy. So if they are told that cookies track their behaviour and record what they do, what they look at and so on, then I would say that most people will think that is creepy, 1984-esque awfulness that they want no part of. They don’t care how tailored that can make their browsing experience; they don’t want you, me, Google, Facebook or whoever knowing what they do when they’re online. And I can’t really say that I blame them.
Some useful info from Econsultancy, who recently carried out a survey on this subject: “89% of UK consumers think that the EU cookie law is a positive step, though 75% had not heard of the e-Privacy Directive before they were surveyed.” http://econsultancy.com/uk/blog/9819-89-of-uk-consumers-think-the-eu-cookie-law-is-a-positive-step-but-is-it. Basically they don’t care or know what it is, but they like the sound of it.
Coming out of all this confusion are a number of ‘solutions’ ranging from much clearer and better-written privacy policies (which I am massively in favour of) through to fairly clunky and garish opt-in mechanisms (which I am less in favour of).
So what should you do? Well, firstly, at least get an idea of what cookies your site uses (if you don’t know this already, for shame!), then work out how worried you are by the prospect of “failing to comply” (I would say, don’t be that worried – unless your site is hugely cookie-dependent or, having audited the cookies you do drop, you realise there are some borderline shady practices at work). The ICO has indicated that fines aren’t likely unless you are doing some “really bad stuff” (my words, not theirs): http://www.pcpro.co.uk/news/enterprise/374734/ico-no-fines-for-breaking-cookie-rules. So in general I would say: be aware, have some idea as to how you might implement a range of solutions, monitor the situation from Friday (or whenever the thing goes live, I can’t remember) and react accordingly. Things I would not recommend: flapping around and implementing some poorly thought-out, clunky, horrible-to-use opt-in system that scares your users away and makes you look stupid.