Friday 04 May, 2012 by Daniel Westlake
On the 26th of May 2012, a new EU 'cookie directive' comes into force which means that websites should gain the consent of users before using a technology called cookies. Cookies are small files that are downloaded onto your computer which allow websites to store information between pages. They are used on the majority of websites to record useful information such as basket items, authentication, preferences and personal settings. They can also be used to track people's use of the Internet and target behavioural advertising.
The 2011 Privacy and Electronics Communications Directive aimed to safeguard online privacy and protect users from unwanted digital marketing and behaviour profiling. The directive was imported into UK law in May last year but companies had one year to comply. The deadline for compliance is the 26th May 2012.
I don't doubt that some lawyers (and web designers) will use this new directive to try and make a load of money, and I have already seen a large number of 'scare' articles appearing in blogs and business briefings. My advice would be to ignore anything that talks just about compliance and penalties, as we have seen this all before (anyone remember the panic around the Disability Discrimination Act applying to websites?). Instead, you should try and work out what cookies your website is using and whether these are 'essential' or not.
Essential cookies are needed for website behaviours such as managing the contents of shopping baskets, controlling access to private pages and, yes, even Google Analytics. In this article, eConsultancy explains that the UK government's own Digital Service has taken the view that the cookies used by Google Analytics are 'essential'.
In another (rather boring) document the Government outlines that in the case of 'minimally intrusive' cookies for web analytics, metrics and personal settings "it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action".
Now this covers Google Analytics and the cookies that are essential to the running of your website. What about the 'non essential' cookies?
Top of the list of offenders are embedded adverts and buttons such as sharing icons. They might be useful, but some of them also come with lots of hidden tracking cookies, so they might have to go. However, as the law applies to the companies that provide the buttons as well, you might find that the tracking cookies 'disappear' in the run-up to the compliance deadline. It's worth checking though - Facebook, I'm thinking of you.
There is also the question of adding a prompt which will give the user a chance to approve the use of non-essential cookies. At this time there doesn't seem to be a wide consensus on the best way to do this. Well, that's not quite right: the widely held consensus is that this should be done in the browser, but as browser makers haven't stepped up to the mark on this, website owners are having to lead the way.
There are some interesting details on the different approaches that website owners are taking to this but with no clear winner at this stage our advice might be to just wait and see. The deadline will come and go and we are unlikely to find many companies fined (at least at first).
It might be better to do nothing and see what the browser manufacturers come up with rather than spend time and money adding opt-in features to your website. Of course, if you choose to add opt-in features now, you'll be compliant on the 26th but you may also need to redesign things further down the road.
Whatever you decide, this new law isn't going away and so we will need to see website owners and developers paying more attention to the use of any technology that can be used to track visitors and 'invade' our privacy.