gilest.org: about; archive; photos

A template letter for web developers to send clients regarding the new EU cookie law

The text below is my attempt to write a simple template letter that web developers can send to clients, explaining the implications of the new cookie law. It is a work in progress and may be changed at any time. It is published here without copyright and as a work in the Public Domain. (Why not Creative Commons? Because - and this was news to me - there are no CC licences that allow for work to be released without attribution to the original author, and I didn't want anyone using this template to be forced to add attribution to me.)

You are free to re-use this text without attribution to the author, to use it for commercial purposes, to edit and make derivative works, and make changes as you see fit. You are encouraged to make changes, because I'm pretty certain that not everything included here will apply to your company or your clients. I accept no liability for any consequences of your use of this text. If in any doubt about using it, please consult a legal professional.

If you spot any errors, or anything you think should be changed, please get in touch with me (giles at gilest dot org) and I'll be happy to make changes.

Dear client,

The European Union has changed the law covering how websites should work, and this affects you.

Please take a few minutes to read through this document. It deals with some technical issues, but we've tried to explain them in a non-technical way. If you have any questions - which we expect you will - please call us after you've read what follows.

The "cookie law" - everything you need to know

The so-called "cookie law" was passed by the European Union last year, but the UK government allowed an extra year's grace before treating it as law here. That period of grace ceases at the end of this month (May 2012).

The new law affects millions of websites across the EU. To find out how it affects yours, read on.

First of all: what is a cookie?

"Cookie" is geek-speak for a tiny text file left on your computer by websites you visit.

If you know where to look, you'll find hundreds, perhaps thousands of cookies stored on your computer's hard disk. Each one is unique, and relates to a specific website.

Cookies are useful. When you do an online shop with your favourite supermarket and it greets you by name, that's because it detected the cookie stored on your computer from your last visit.

When you click the "Like this on Facebook" button on another website, and your Facebook account automatically opens up showing your profile, that's because of the Facebook cookies on your computer.

Cookies are used all over the place, for all sorts of reasons. They're used routinely by web developers everywhere (including us).

Your website uses cookies too. That's why the new law affects you.

Why did the European Union change the law?

Because they were worried about privacy. Cookies can be used to track people's movements on the web. Advertising companies, for example, often use cookies to monitor which websites a person visits. If they see that you visit a lot of websites about cars, they'll use that information to show you more adverts about cars.

How has the law changed, exactly?

In simple terms, the new law says that website visitors must CHOOSE to accept cookies. Instead of simply saving them automatically, every website they visit has to offer them a choice of accepting or rejecting cookies.

(Strictly speaking, the EU has passed a "directive", which is an instruction to member states telling them they have to create a new law using their existing legislature. When we refer to the "cookie law", we're using that as a simple abbreviation to cover both the EU directive and the law here in the UK.)

That doesn't sound too difficult

Unfortunately, it's more complicated than you might think. Almost every website that uses cookies right now was built long before this European legislation was even thought of - as a result, millions of sites have to be altered to comply with the law.

To comply, the code of the each and every one of those sites now has to include:

and

On the plus side, the new law says that "essential" cookies can be saved without the user's permission. The definition of what "essential" actually means isn't precise, but as we understand it, it refers to cookies without which the site would just stop working. Even so, the new law requires your site to tell visitors that those cookies exist, even if it doesn't ask for permission to save them.

Also, if a web user decides they don't want cookies, there's only one way for a website to remember that choice - yes, you guessed it, by saving a cookie!

That's one reason why many web developers are unhappy about this law. We understand the need to protect user privacy, but the new law, as it stands, poses enormous problems for website developers like us, and owners like you.

Another problem is communicating the issue to users. Most web users have no idea what cookies are, and will be perplexed when asked if they want them or not.

What's more, cookies are so widespread, that people will very quickly get fed up of being asked to grant permission for them on website after website.

The situation is messy. But it's now the law, so we have to deal with it.

What are other companies doing about it?

Rather surprisingly, most companies haven't done a thing. Millions of them, all over the EU, are breaking the law right now as a result.

Even worse, the UK government's own websites are in the same boat. They use cookies too. Most of them are not complying with the new law.

What are the options?

We'd like to stress at this point: we are not lawyers. We are web developers, and we're trying to make the best of a bad situation. We do not advocate or condone any of the options listed here: we are simply listing them as possible options.

  1. Comply with the law as it stands. This will require parts of your website to be re-coded. Please call us to discuss this.
  2. Re-code your website to remove cookies completely. This might mean losing some features. Again, call us to talk about this.
  3. Wait. Since even the government hasn't got its act together on this, some degree of consensus may emerge in the coming months, and we can take action then. The situation may change or become clearer, but we cannot guarantee this.
  4. Ignore the new law. This may leave you open to prosecution.

Our advice is: Don't Panic!. We're optimistic that a sensible and pragmatic solution will be possible, especially once larger companies and government departments start taking steps to make their websites compliant.

The fact that essential cookies are considered OK is a big mitigating factor. For some sites, an audit of cookies used might be a good idea, to see what's essential for the site's function and what isn't. Another thing to do is check your website's published privacy policy - and if you don't have one, get one drafted. We can help with this.

In summary

  1. Cookies are useful snippets of text that help websites work better
  2. The law about cookies has changed
  3. Your website uses cookies
  4. The situation is messy, and even government websites are not all complying as we would have expected them to
  5. You need to decide what to do about it

We hope we have explained everything clearly. If you have any questions, please don't hesitate to get in touch.

 Further reading

(May 2012)