In 2011 the EU cookie laws came into effect; however, it wasn’t until 2012 that we started seeing websites in the UK displaying consent notices outlining that they used cookies on their site.
In most cases and countries, a ‘soft approach’ to enforcement has been seen, and in the UK the Information Commissioner’s Office (ICO) has kept it a low-profile issue. However, Spain and the Netherlands have seen enforcement action and fines for non-compliance.
In September 2014, the French regulator (CNIL) ran a series of assessment days to see how the law was being interpreted by big websites. It also began exercising its powers to run remote compliance audits.
In the UK, we now see that the vast majority of sites have implemented some kind of ‘cookie banner’ and published ‘cookie policies’. Looking at these sites shows that the majority take the approach of notifying visitors that cookies are used, outlining what the cookies are, and dropping them on arrival.
But other sites use different methods, ranging from full consent before any cookies are dropped at one end (ironically, the only cookie dropped is the cookie for the cookie tool that allows you to opt in to cookies) to sites that simply give notice about cookies at the other.
So with that in mind, we thought we would pull together the choices that are being used into one useful blog post. These broadly break down into three categories:
- Notice Only / Implied Consent
- Explicit Consent
- Soft Opt-in
Wait, are all cookies equal?
Before we outline the categories, it is important to note that there are many ways that cookies are categorised by websites. They generally fall into these categories: Strictly Necessary, Performance, Functionality and Targeting/Advertising. Most sites now use these or a close variation of them.
Cookies that are strictly necessary for the functioning of the site are exempted from the requirements for cookie consent under the law. Strictly necessary cookies need no controls to be applied and can be set as needed without a cookie consent model.
However, it is important to note that the definition of what is a strictly necessary cookie is very narrow – and cannot be applied more broadly to suit the business needs of a site.
Although cookie consent is not required for such cookies, it is considered good practice to identify them so that people can distinguish them from other types of cookies.
It is also important to note that the law itself is silent on the issue of how much control users should be given.
Notice Only Consent
You’re on my turf and it’s my rules… you accept our use of cookies.
This cookie consent model tells the user that cookies are in use and that their choices are to accept the fact or navigate away. This isn’t seen much now, and a quick search of the net didn’t bring back any examples. They were around a year or so ago, but maybe they have now faded away…
Notice Only – Implied Consent
We use cookies, but you can switch them off if you want. ‘Read more’.
This is a progression of the notice-only version above; the difference is that the site provides information about the cookies being dropped and tells you how to disable them (for example by linking to an internal cookie information page), even though they are set by default on first arrival.
These two approaches are the easiest to implement and, in varying disguises, the most widely adopted. Very little effort is required to set them up, and the site itself doesn’t really need to change.
What is actually displayed can vary, with some having a short statement in a banner and others a few sentences. All allow you to remove the message from view with a simple click.
Explicit Consent
Please click to accept cookies on this site*.
With this model, you must block cookies until users agree to them. Essentially this means they have to tick a box or click a button or link that says ‘I accept cookies’ or something very similar.
The biggest issue with this method is getting people to click on the accept link, without completely disrupting the user experience.
*However, there are still variations within the explicit consent model, which are outlined below.
Version 1 – Explicit Consent. Have to Action.
No cookies dropped before action is taken – off by default. Action is required before access to the website. However, it is harder (more steps) to agree to no cookies.
In this variation cookies are not dropped, but you must do something before you can access the website: in this case, ‘accept all’ cookies or configure them. If you configure the cookies, they are off by default, but you still have to hit ‘save’. The easiest thing is to just hit accept and be done with it – but this is the user giving their explicit consent.
Version 2 – Explicit Consent. Have to Action.
Cookies dropped before action is taken – on by default. Action is required before access to the website.
Pretty similar to version 1, but the key difference is that cookies are dropped on arrival. You still have to take action before you can access the website.
Again, the options are ‘accept all’ cookies or configure. The difference is that if you configure the cookies, they are on by default. And as before, the easiest thing is to just hit accept and be done with it – consent granted.
Version 3 – Explicit Consent. Have to Action.
No cookies dropped before action is taken – off by default. Action is required before access to the website.
The ICO has gone the whole hog: no cookies are dropped. However, as with the two versions above, you still have to act before you can access the website.
Again, the options are ‘accept all’ cookies or configure. The difference is that if you configure the cookies, they are on by default. And as before, the easiest thing is to just hit accept and be done with it – consent granted.
Version 4 – Explicit Consent. No Action.
The only difference in this approach from version 3 is that you can still access the website without having to do anything. You can just ignore the cookie banner – it will stay there indefinitely until you do act on it, but no cookies will be dropped until you accept or customise the settings.
Soft Opt-In – Initial Block
No initial drop, but we will use cookies if you continue to use the site.
Soft opt-in is practically the same as the implied consent and notice-only methods, but the crucial difference is that cookies are blocked on the first arrival at the site (the landing page).
Any further user interaction, such as clicking a link to a second page, is then taken as consent, and cookies are set normally on the second page.
There is one exception: if the first user action is to follow a link to more information about the cookies to be set, this cannot be viewed as consent, so the cookie information page should not set cookies until a second action is taken.
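To make the decision logic behind these models concrete, here is an added example in plain JavaScript; it is not part of the original post and not any vendor’s cookie tool. It encodes the four cookie categories from the section above (strictly necessary always permitted), the explicit consent variants (off versus on by default, with a recorded choice winning in every model), and the soft opt-in rule that a first arrival or a visit to the cookie information page is not consent while any further navigation is. The function and field names, the shape of the stored choice, the same-origin-referrer test for “first arrival” and the data-cookie-category script attribute are all assumptions of this example.

```javascript
// Added example (not from the original post): a framework-free consent-decision
// helper modelling the consent models described above. Names and data shapes
// are assumptions of this example.

const CATEGORIES = ['strictly-necessary', 'performance', 'functionality', 'targeting'];
// Strictly necessary cookies are exempt from consent, so only the rest are gated.
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== 'strictly-necessary');

const MODELS = {
  NOTICE_IMPLIED: 'notice-implied', // notice only / implied consent: set on arrival
  EXPLICIT_OFF: 'explicit-off',     // explicit consent, versions 1, 3 and 4: nothing until accepted
  EXPLICIT_ON: 'explicit-on',       // explicit consent, version 2: set on arrival, action still required
  SOFT_OPT_IN: 'soft-opt-in',       // blocked on the landing page, set once the visitor continues
};

// The choice recorded when the visitor hits "accept all".
function acceptAll() {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true]));
}

// Defaults shown in the "configure" panel: off for version 1, on for version 2.
function configureDefaults(model) {
  const on = model === MODELS.EXPLICIT_ON || model === MODELS.NOTICE_IMPLIED;
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, on]));
}

// Decide which categories may be set for this page view.
//   model  : one of MODELS
//   stored : the visitor's saved choice ({ performance: true, ... }) or null if none yet
//   nav    : { isLandingPage, isCookieInfoPage } for the current page
// Returns { allowed, record }: `allowed` is the list of categories that may be
// set now; `record` is a choice the caller should persist, which only the soft
// opt-in model produces (continued use becomes a recorded consent).
function decideConsent(model, stored, nav) {
  const allowed = ['strictly-necessary'];
  const withAll = () => allowed.concat(NON_ESSENTIAL);
  if (stored) {
    // A recorded choice wins in every model, however it was recorded.
    for (const c of NON_ESSENTIAL) if (stored[c] === true) allowed.push(c);
    return { allowed, record: null };
  }
  switch (model) {
    case MODELS.NOTICE_IMPLIED:
    case MODELS.EXPLICIT_ON:
      return { allowed: withAll(), record: null }; // dropped on arrival
    case MODELS.EXPLICIT_OFF:
      return { allowed, record: null }; // nothing until the visitor accepts
    case MODELS.SOFT_OPT_IN:
      // First arrival is blocked, and reading the cookie information page is not
      // consent either; any other continued use is, and is recorded as such.
      if (nav.isLandingPage || nav.isCookieInfoPage) return { allowed, record: null };
      return { allowed: withAll(), record: acceptAll() };
    default:
      throw new Error('unknown consent model: ' + model);
  }
}

// Browser glue (needs a DOM, so not exercised offline). "First arrival" is
// approximated as "no same-origin referrer"; a strict referrer policy can strip
// the header, which makes an internal page look like a landing page, i.e. it
// fails in the safe direction (cookies stay blocked).
function navFromDocument(doc, cookieInfoPath) {
  let sameOrigin = false;
  try {
    sameOrigin = new URL(doc.referrer).origin === doc.location.origin;
  } catch (e) {
    sameOrigin = false; // empty or unparsable referrer
  }
  return { isLandingPage: !sameOrigin, isCookieInfoPage: doc.location.pathname === cookieInfoPath };
}

// Activate inert tags only for allowed categories. Assumed markup:
// <script type="text/plain" data-cookie-category="performance">...</script>
function activateScripts(doc, allowed) {
  for (const el of doc.querySelectorAll('script[data-cookie-category]')) {
    if (!allowed.includes(el.dataset.cookieCategory)) continue;
    const live = doc.createElement('script');
    live.textContent = el.textContent;
    el.replaceWith(live);
  }
}
```

In a page you would call `decideConsent` with the stored choice read from a first-party cookie (the one cookie the post notes a consent tool needs), persist `record` when it is non-null, and pass `allowed` to `activateScripts` so that analytics and advertising tags never execute before the model permits them. Keeping the decision in a pure function separates the policy question (which model the site has chosen) from the mechanics of blocking scripts, and lets the policy be unit-tested without a browser.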
Conclusion
The EU Cookie Law is actually 28 different laws – one for each EU member state. Although they are similar, being based on a common EU Directive, there are some subtle (and not so subtle) differences. Different regulators in each country also take very different views of enforcement and have provided different levels of guidance.
This means there is really no one-size-fits-all approach to the cookie law, and businesses need to do their best to interpret the law and implement it as they see fit.
Making the right choice is about balancing the interests of your brand, your customers and your regulator.