The EU cookie directive and its impact on charity websites

Welcome to your worst nightmare! Over dramatic? Read on and see if you still feel that way at the end….

*Update* Check out the comments for some interesting thoughts from people working on this problem, it seems this is not a straightforward issue. With many different ways of interpreting the new law, the sector needs to develop a common approach to interpreting what it means.

Today marks the first day that the European cookie directive that bans the use of web cookies without the user’s expressed consent. What does that mean in real terms? Well it means that if you want to track a user visiting your website (you know, to prove to funders who uses your site) or if you want to provide a user registration and log-in system for your forum or online shop and even potentially to take donations, you will first have to ask the user’s consent to drop that all important cookie.

Yes, it really is as bad as that! Every website operating in the UK right now is probably breaching this new law, but don’t fret too much as the UK government has said we have 12 months to comply and if they get a complaint as long as you can show you are working towards a solution you won’t get a fine.

Brilliant, so you would think the government has issued some clear guidance on how to create a technical solution that meets the letter of the law? HAHA  think again they haven’t got a clue! Their big hope is that they can get browser makes to add a DO NOT TRACK button that a user clicks, thus opting out!

Guess what that will do to your KPI‘s? Toilet and drain!

So let’s consider a true technical solution to this problem that informs your visitors what you are tracking and what happens if they DON’T opt in.

Consider for a moment that you use two forms of  cookie on your website, the first is an analytics service  used by many charities, the second is a custom cookie created by your log-in system to allow your web server to know a user is still logged in as they move around your website (a core bit of most websites).

You would no longer be able to drop those cookies either when the site first loads or when the user logs-in unless you have asked their express permission to do so AND for each cookie you wish to drop. This may lead to multiple requests depending on how a user is accessing your site and at what point they log-in.

Our solution so far is this:

When a user first visits a site, provide a Jscript popover (that wont trigger a browser pop-up warning) this is drawn on top of your web content and in effect prevents the user going further until they have chosen a consent path.

On this popover provide a explanation of each cookie and who provides it so you might say:

• Google Analytics (used to help us improve our service and prove our worth to funders)~
• Our charity forum and user profile cookie (ensures you can access our forums and your user profile without problems)
• Preferences cookie (allows us to remember your choice in future)

Next to each option provides a check box, when the user selects the cookies they wish to allow reload the entire page they are on with the selected cookies activated.

Yes it’s a mess! But right now as the law stands this is what we will be expected to do, saying we are waiting for the browser manufacturers to maybe make a button that might comply with the law is folly. Plan now to change your website and if the button thing happens and satisfies the law great, if not you could be in line for a fine if you didn’t even consider ways to tackle the problem in a year’s time.

We need to educate our visitors and avoid at all costs a single OFF button that will prevent that visitor loading cookies at any website. Informed consent at least means we have a chance to maintain our KPI‘s.  No cookies means no data and no data means funding cut as your stats nosedive.

We would be very interested in setting up a cross organisation working group to examine this issue in detail and provide a recommendation and best practice to the sector as a whole, anyone else up for it?