By law, operators of a website in the UK must now gain users’ consent to place cookies on their machine or face a fine of up to £500,000.
How does this affect me?
According to the About Cookies website:
The UK Regulations carry a maximum fine of £500,000 for serious breaches. It is anticipated that this power will only be used in limited circumstances. Before this the fine was £5,000 and companies may have been willing to run the risk but with these increased powers the result of enforcement action is potentially more severe.
What are cookies?
A cookie is a small text file that a website places on a user’s machine. Typically, cookies are used to store information about a user’s session, such as the contents of a shopping cart, or to retain information across sessions, such as user preferences.
Cookies can be created by the site itself and by third parties. One primary example of a third-party cookie would be Google Analytics which might create cookies to help it track users’ activity.
Sites which use advertising networks such as Google Ads would also set third party cookies on users’ machines.
How are cookies used in a WordPress site?
Interpretations of the regulations
The UK Information Commissioner has issued a set of guidelines for website owners on how to interpret the regulations.
They summarise the steps you might need to take to ensure you comply as follows:
- Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
- If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
- In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.
There are already a number of solutions available. It may be that you wish to force users to accept cookies on the site. The main drawback of this is that you risk deterring users from your site. Our reading of the regulations suggests that unless you are collecting sensitive personal information, then implied consent is sufficient to comply. However, if you are in any doubt about how best to comply, we recommend you consult a legal expert.
It is vital to maintain a balance between the legal requirements and the requirements of your business. Obtrusive notices in the form of pop-ups are more likely to deter visitors from your site than inform them of their options with regard to cookies. Likewise the use of opt-in forms where the user must actively agree for cookies to be used.
We believe that if a user does not wish to accept cookies on your site, it’s likely that they don’t wish to accept cookies on other sites. For this reason, the most practical solution for the user is to disable cookies in their browser rather than on every site they visit. It’s also likely that yours will not be the first site they visit since the directive was introduced – so they will already have made a decision as to whether they wish to accept cookies in general.
The guidance recommends a “clear and unavoidable notice that cookies will be used”. We suggest an information bar at the top of each page which the user can acknowledge and dismiss or follow a link through to further information about cookies and how to disable them.
UK Cookie Consent Plug-in
We recently released a plug-in for WordPress that implements a simple notification bar at the top of the page allowing the user to acknowledge that cookies are being used on a site or to find out more. It doesn’t disable cookies or prevent the user from browsing the site.
Find out more: UK Cookie Consent plug-in