Much has been said about the compliance requirements of the recent changes to the UK’s ePrivacy Regulations (for which a one-year moratorium is due to end on May 26th). Primarily, the new legal framework implies the necessity to request express permission from each user every time a cookie is served or read (and, yes, you are right in imagining this as a mini-banner at the top of the page, or a pop-up for each of your 10-20 cookies: Jakob Nielsen’s worst nightmare).
The reality is, great progress has been made in the course of the past few months. Namely:
Of course, there are more, but in this brief post we do not have space to explore them all, unlike the Divisadero White Paper, which covers them comprehensively. So let's get to the point: the recommendations that have great potential to abate our present concerns, for a few months at least:
1. Do an internal cookie audit
You will be surprised by the number of cookies you use without knowing it, arriving from different plugins (content managers, search tools, social buttons…) or even small traces of deleted content.
You could use one of the many free tools for this (e.g. Firecookies).
Draft a table of those that have to remain (eliminating the rest, of course) and specify for each: how long it lasts (expiry date), its purpose, and, where it is served by a third party for its own use, to whom it belongs.
Designate a person within the company responsible for regularly monitoring and updating this table.
Explain the different types of cookies you use to your visitors in a simple and comprehensive manner. Add to this explanation a copy of your table (from the audit explained above).
Finally, explain that you will request explicit permission when you use third-party cookies, which are served with the intention of use outside of your site and within a site not specifically requested by the user. Why is this phrase so complex? Think about the Twitter button. If the user has logged in to Twitter, they do not have to log in again to share this article, but clicking the button will send information to Twitter (who will read the cookie). Here a third-party cookie is used, but it is the user who has previously requested this service.
And in the opposite case? Think about an ad network serving display ads (“banners”). It collects information about users across multiple websites. Your website forms part of the network and provides information about the behaviour of that user. But the user has never specifically requested this “advertising personalization” service.
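As an added example (not part of the original post or of any tool it names), here is how the audit table from step 1 can be generated from captured Set-Cookie headers: each cookie is recorded with the domain it belongs to, whether it is first- or third-party relative to the audited site, and its lifetime, leaving the purpose column for the responsible person to fill in. The site host, observation time and captured headers are constructed sample data, and the first-party test is a simplification that does not consult a public-suffix list.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Hypothetical site under audit, a constructed observation time, and a constructed capture of
# Set-Cookie headers seen while loading one page: (host that sent the response, header value).
SITE_HOST = "www.example.com"
AUDIT_TIME = datetime(2012, 5, 1, tzinfo=timezone.utc)
OBSERVED = [
    ("www.example.com", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "lang=en; Max-Age=31536000; Path=/"),
    ("cdn.example.com", "pref=1; Domain=.example.com; Expires=Fri, 01 Jun 2012 00:00:00 GMT"),
    ("ads.adnetwork.test", "uid=xyz; Domain=.adnetwork.test; Max-Age=63072000; Path=/"),
    ("share.socialbutton.test", "guest_id=42; Max-Age=2592000"),
]

def parse_set_cookie(header):
    """Return (cookie name, attributes) from a Set-Cookie header; attribute keys lower-cased."""
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in attr_parts)}
    return name_value.partition("=")[0].strip(), attrs

def lifetime_seconds(attrs, now):
    """Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie (None)."""
    if "max-age" in attrs:
        return max(0, int(attrs["max-age"]))
    if "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:  # some Python versions return a naive datetime here
            exp = exp.replace(tzinfo=timezone.utc)
        return max(0, int((exp - now).total_seconds()))
    return None

def is_first_party(cookie_domain, site_host):
    # Assumption: no public-suffix list; first-party means the audited host or a parent domain of it.
    return site_host == cookie_domain or site_host.endswith("." + cookie_domain)

def audit(observed, site_host, now):
    """Build the audit table: one row per observed cookie; purpose is left for a human to fill in."""
    rows = []
    for response_host, header in observed:
        name, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", response_host).lstrip(".").lower()
        secs = lifetime_seconds(attrs, now)
        rows.append({"name": name, "domain": domain,
                     "party": "first" if is_first_party(domain, site_host) else "third",
                     "lifetime_days": None if secs is None else round(secs / 86400, 1),
                     "purpose": "TODO"})
    return rows
```

Calling `audit(OBSERVED, SITE_HOST, AUDIT_TIME)` returns the rows of the table; a `lifetime_days` of `None` marks a session cookie that disappears when the browser closes.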
In the sequel to this post (part II) I will explain in detail what we at Sweetspot have done to prepare ourselves.