A template letter for web developers to send clients regarding the new EU cookie law
The text below is my attempt to write a simple template letter that web developers can send to clients, explaining the implications of the new cookie law. It is a work in progress and may be changed at any time. It is published here without copyright and as a work in the Public Domain. (Why not Creative Commons? Because - and this was news to me - there are no CC licences that allow for work to be released without attribution to the original author, and I didn't want anyone using this template to be forced to add attribution to me.)
You are free to re-use this text without attribution to the author, to use it for commercial purposes, to edit and make derivative works, and make changes as you see fit. You are encouraged to make changes, because I'm pretty certain that not everything included here will apply to your company or your clients. I accept no liability for any consequences of your use of this text. If in any doubt about using it, please consult a legal professional.
If you spot any errors, or anything you think should be changed, please get in touch with me (giles at gilest dot org) and I'll be happy to make changes.
The European Union has changed the law covering how websites should work, and this affects you.
Please take a few minutes to read through this document. It deals with some technical issues, but we've tried to explain them in a non-technical way. If you have any questions - which we expect you will - please call us after you've read what follows.
The "cookie law" - everything you need to know
The so-called "cookie law" was passed by the European Union last year, but the UK government allowed an extra year's grace before treating it as law here. That period of grace ceases at the end of this month (May 2012).
The new law affects millions of websites across the EU. To find out how it affects yours, read on.
First of all: what is a cookie?
"Cookie" is geek-speak for a tiny text file left on your computer by websites you visit.
If you know where to look, you'll find hundreds, perhaps thousands of cookies stored on your computer's hard disk. Each one is unique, and relates to a specific website.
Cookies are useful. When you do an online shop with your favourite supermarket and it greets you by name, that's because it detected the cookie stored on your computer from your last visit.
When you click the "Like this on Facebook" button on another website, and your Facebook account automatically opens up showing your profile, that's because of the Facebook cookies on your computer.
Cookies are used all over the place, for all sorts of reasons. They're used routinely by web developers everywhere (including us).
Why did the European Union change the law?
How has the law changed, exactly?
In simple terms, the new law says that website visitors must CHOOSE to accept cookies. Instead of simply saving them automatically, every website they visit has to offer them a choice of accepting or rejecting cookies.
(Strictly speaking, the EU has passed a "directive", which is an instruction to member states telling them they have to create a new law using their existing legislature. When we refer to the "cookie law", we're using that as a simple abbreviation to cover both the EU directive and the law here in the UK.)
That doesn't sound too difficult
To comply, the code of each and every one of those sites now has to include:
- a way of asking visitors whether or not they wish to accept cookies from the website,
- code that keeps the site working no matter what choice the visitor makes. If someone decides not to accept cookies, we need to re-code the site to make it possible for them to continue using the site without them. (Although for some things, like online shops, cookies are essential - in which case we will have to explain to visitors that by rejecting cookies, they are also effectively choosing to disable certain features of the website.)
On the plus side, the new law says that "essential" cookies can be saved without the user's permission. The definition of what "essential" actually means isn't precise, but as we understand it, it refers to cookies without which the site would just stop working. Even so, the new law requires your site to tell visitors that those cookies exist, even if it doesn't ask for permission to save them.
Also, if a web user decides they don't want cookies, there's only one way for a website to remember that choice - yes, you guessed it, by saving a cookie!
That's one reason why many web developers are unhappy about this law. We understand the need to protect user privacy, but the new law, as it stands, poses enormous problems for website developers like us, and owners like you.
Another problem is communicating the issue to users. Most web users have no idea what cookies are, and will be perplexed when asked if they want them or not.
What's more, cookies are so widespread that people will very quickly get fed up of being asked to grant permission for them on website after website.
The situation is messy. But it's now the law, so we have to deal with it.
What are other companies doing about it?
Rather surprisingly, most companies haven't done a thing. Millions of them, all over the EU, are breaking the law right now as a result.
What are the options?
We'd like to stress at this point: we are not lawyers. We are web developers, and we're trying to make the best of a bad situation. We do not advocate or condone any of the options listed here: we are simply listing them as possible options.
- Comply with the law as it stands. This will require parts of your website to be re-coded. Please call us to discuss this.
- Re-code your website to remove cookies completely. This might mean losing some features. Again, call us to talk about this.
- Wait. Since even the government hasn't got its act together on this, some degree of consensus may emerge in the coming months, and we can take action then. The situation may change or become clearer, but we cannot guarantee this.
- Ignore the new law. This may leave you open to prosecution.
Our advice is: Don't Panic! We're optimistic that a sensible and pragmatic solution will be possible, especially once larger companies and government departments start taking steps to make their websites compliant.
- Cookies are useful snippets of text that help websites work better
- The law about cookies has changed
- The situation is messy, and even government websites are not all complying as we would have expected them to
- You need to decide what to do about it
We hope we have explained everything clearly. If you have any questions, please don't hesitate to get in touch.
- The No Cookie Law website (includes video, free e-book, and links)
- BBC: Majority of government sites to miss cookie deadline
- EConsultancy: UK government crumbles on cookies
- The Webalyst: How to get ready for the EU cookie directive
- The Workshop: EU cookie law - taking the biscuit?