Experts Blog

EU Slams Down on Web Site Cookies Leaving European Webmasters Confused on How to Comply

By Kristi Hagen on May 15, 2012 - 11:42 AM

It's officially 10 days until Europe's much-talked-about 'law' comes into play, doing its best to restrict and control the way site owners use cookies within their sites. The law sounds scary and there are rumors flying about how it will 'kill European marketing'.

However, the truth as we see it is that it's just a pain in the ass to have to stop what you're doing in order to comply. Then, once you've complied, you're getting in the way of your visitors' user experience with annoying pop-ups and warning messages. So, let's cover what this law is, what you actually need to change on your site AND how to do it gracefully without chasing your visitors away.

Understand The Law

Legislation states that on May 25th, 2012, all sites within the Member States of the European Union AND sites outside of that area which are specifically targeting visitors within the Member States will be required to ensure that...

"...users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible."

Yes, it is written in a way that is vague and well...kind of nice. There aren't any solid restrictions or plain-spoken language within the legislation that lay down the exact details, which can be both good and bad. Good because it will allow you to find your own way to comply with this new law, and bad because it leaves itself open to a lot of abuse. Then in turn (because of all the abuse and difficulty enforcing the law) those in charge will be forced to continue to update it with addendums in order to make it realistic. Here are just a few HUGE loopholes within the document, as cited in Gigaom:

"It's not really a law yet. The document states that each member state should enact their own legislation in this area in order to harmonize with each other, but each country gets to apply it in its own way. Britain's government will have no impact on the French; the Spanish solution may be very different from the Italian, and so forth.

It doesn't make opt-in compulsory yet. Because of the system, directives take a long time to become enforceable laws. So while the directive might come into force on May 25, it's not going to be resulting in court cases for years.

It doesn't ban cookies. It just asks that those sites which use cookies to track user behavior off site (usually to serve targeted ads) tell users that they're doing so. Login cookies and shopping carts would be exempt."

The Actions You Need to Take

Your site now needs to be transparent about how you are using cookies, detailing exactly what information each cookie holds and how long it will be held. Then you need to request permission from your visitors before cookies can be used. Yeah, I know it's all still vague, so here are 3 steps to compliance.

  1. Audit Your Site's Use of Cookies. Get rid of what you don't need and document how you're using them. Ask questions like: Can they be linked to personal data like an email address? Do they apply to just this visit or to future visits? How long do they last? Are they 1st, 2nd or 3rd party?
  2. Update your Privacy Policy with exact details on how you're using the cookies and why. Use plain-spoken terms. This law also dictates that you make your privacy policy more prominent. This can be easily done by adding it to your site's footer.
  3. Gain Consent. This is the part that you have a lot of room to figure out. From what we've read and researched, there are any number of ways to get this part handled. The first thing you need to understand is the different types of consent.

    • Settings based consent
      This involves gaining consent when a user makes a change that affects how the site works for them. For example, this could mean asking the user if they want the website to remember a particular language setting and gaining consent for cookies to be used for this purpose.
    • Feature based consent
      This applies in instances where cookies are used to remember what content a user viewed the last time they visited the site, to enable content to be tailored to them – for example, remembering what videos they viewed last time they visited. In such cases, your site should make clear to the user that taking a particular action will result in a cookie being used. This could mean, for instance, highlighting cookie use when a user turns on a particular feature and requiring consent before the change is applied.
    • Consent for functional/analytical cookie use
      Cookies used to collect anonymous information about how visitors use your site still need user consent. This is relatively straightforward if a user has to log into your site, but more complicated where they do not. You'll need to make absolutely clear to users what cookies are being used and what they're being used for, and ask for consent.

    When it comes to how you gain consent from visitors, be creative. To get you started, here are some ideas that were officially released by the Information Commissioner's Office.

    • JavaScript pop-up box - explaining cookie use and offering 'yes' and 'no' options for consent. This is a good idea but popups can turn people off to your site and most browsers block them automatically.
    • Splash page - yeah maybe 5 years ago. This has proven to stop visitors in their tracks and is terrible for your optimisation.
    • Banner - shown along the top of the page to first time visitors with a tick box to allow users to consent, with cookies disabled until the visitor ticks to indicate consent.
    • Footer bar - similar to the banner concept, this would be displayed along the bottom. And here's the great part - if they do not click yes or no, but continue to use the site, consent can be inferred because they have seen a clear message but are still continuing to use the site. Then a smaller message could be maintained throughout the site in such instances, to remind users of the fact that the site is using cookies.
    • Remember preferences - When a user clicks to change a preference on your site they should get a check box that tells them that cookies are required in order to have the use of 'remember preferences'. When they click yes or I agree then you're good.
    • Flag changes to terms and conditions - This is an option where users have to log into their account on your site. They will need to see all changes and updates to your terms and conditions as they happen and re-agree to them. Consent cannot be assumed just by changing the terms and conditions they agreed to when they signed up. You'll need to get a positive indication that consent is granted, as they log in and before they are able to proceed to their account.
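
The banner idea above (cookies disabled until the visitor ticks to consent) can be driven directly from the cookie inventory produced by the audit in step 1. The following is an added example, not code from the original post: the cookie names, the inventory fields and the `ConsentGate` class are hypothetical, and it treats the shopping cart as exempt, as the Gigaom quote describes.

```javascript
// Added example: audited cookie inventory plus a consent gate. All names are hypothetical.
// Each entry records what the audit asks for: purpose, lifetime, party, exemption.
const COOKIE_INVENTORY = {
  cart:   { purpose: "shopping cart",       maxAgeDays: 0,   party: "first", exempt: true  },
  lang:   { purpose: "remember language",   maxAgeDays: 365, party: "first", exempt: false },
  _stats: { purpose: "anonymous analytics", maxAgeDays: 730, party: "first", exempt: false },
};

// Build the cookie string; maxAgeDays 0 means a session cookie (no Max-Age attribute).
function serializeCookie(name, value, entry) {
  let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; SameSite=Lax`;
  if (entry.maxAgeDays > 0) s += `; Max-Age=${entry.maxAgeDays * 86400}`;
  return s;
}

class ConsentGate {
  // write receives the cookie string; in a browser: s => { document.cookie = s; }
  constructor(inventory, write) {
    this.inventory = inventory;
    this.write = write;
    this.consent = null;      // null = not answered yet, true / false = visitor's answer
    this.pending = new Map(); // non-exempt cookies held back until the visitor decides
  }

  set(name, value) {
    const entry = this.inventory[name];
    // A cookie that was never audited is a documentation gap: fail loudly.
    if (!entry) throw new Error(`cookie "${name}" is not in the audited inventory`);
    if (entry.exempt || this.consent === true) {
      this.write(serializeCookie(name, value, entry));
      return "written";
    }
    if (this.consent === false) return "refused";
    this.pending.set(name, value);
    return "pending";
  }

  // Call from the banner's tick box or yes/no handler.
  decide(granted) {
    this.consent = granted;
    if (granted) {
      for (const [n, v] of this.pending) this.write(serializeCookie(n, v, this.inventory[n]));
    }
    this.pending.clear();
    return this.consent;
  }
}
```

Because every write goes through the inventory, the same table can be used to generate the cookie section of the privacy policy in step 2.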

    The above changes are a pain yes, but the end to marketing as we know it - NO. Even with only 10 days left on the original deadline you don't need to be in a panic. Yes, make it a priority to get the above completed but do expect a little flexibility. On the 25th every site in non-compliance isn't going to suddenly disappear or be fined. It's completely unrealistic for them to attempt action so quickly.

    Sometime in the future, when the law is more enforceable, there may be some sites pulled out of the mix and fined as warnings to everyone. So, make the changes to your site and keep your ear to the ground for the exact details for your area when they're released.

    The most important thing you can take away from all this is to *always* keep your site user in mind when making the necessary changes. Keep things simple and don't give in to the panic that seems to be sweeping Europe. This may be the first wave of restrictions of this kind, but it's unlikely to be the last.

    Kristi
    Kristi Hagen - President
    Planet Ocean® Communications, Inc.