Does your website comply with the EU cookie law?

Attention! Google requires all websites that use AdSense, DoubleClick for Publishers and DoubleClick AdExchange ads to comply with the European directive on privacy and cookies by September 30th, 2015 at the latest; this includes websites established outside the EU! What exactly does this mean?

What does the European law on cookies (Directive 2009/136/EC + Regulation 45/2001) say?

  • Websites must inform users about the nature of the cookies that will be stored on their computer, the purpose of these cookies, and request the users’ consent.
  • Exceptions to this rule are the cookies that are only used to provide a communication, or that are only needed to be able to provide a service (for instance: log in to a website, cookies for a shopping cart and other cookies that are limited to the session itself). Those are cookies for:

- user input (session ID)
- authentication
- security at user level
- multimedia content player
- load balancing
- user custom settings (e.g. user language)
- but also – and this may surprise you – cookies for plug-ins from third parties, usually social networks, in order to allow the members of those networks to share content.

  • Websites have to limit the use of cookies to what is strictly necessary for their proper functioning.
  • All persistent cookies from third parties that are stored throughout the sessions have to be authorised beforehand.
  • This obligation does not only apply to websites, but also to (web) apps and communications via e-mail.

Which changes is Google now making?

This is a European cookie law that applies to all European websites. But since European users also visit non-European websites, Google wants to apply this rule to all websites that use Google advertising products – AdSense, DoubleClick for Publishers and DoubleClick AdExchange.

Websites that still want to place ads of those networks after September 30th, 2015 will have to comply with Google's new user consent policy. To assist in this process, Google posted instructions online. The EU has help files as well, and IAB Europe offers you five practical steps to implement this directive.

How exactly should you proceed?

  1. Draw up an inventory

  • Make a list of all the cookies that you use on your website and/or the tools used to identify a mobile device in your app.
  • Consider if you really need them for the proper functioning of your site or tool.
  • Sort the cookies into two categories: “first-party cookies” and “third-party cookies”.
  • Be careful with cookies and trackers from third parties. Those are the ones that users are the most wary of. Badger Tracker, the new extension for Firefox and Chrome browsers, which has just been released by the Electronic Frontier Foundation, makes the user painfully aware of those trackers on websites!
  • Cookiepedia tells you how many and which type of cookies are present on your website.
  2. Create a page with your cookie and privacy policy

  • Explain in plain language what cookies are, and why they are often required to guarantee that a website works properly.
  • Also explain that when a user blocks third-party cookies on your site, he will still see ads, but they will no longer be personalised.
  • If you are using AdSense, DoubleClick for Publishers or DoubleClick AdExchange, make sure to also provide a link to the page “How Google uses data when you use partners’ sites or apps.”
  • And if you want to show users that you really care about their privacy, you should also provide a page that shows how they can edit their settings in their own browser (Firefox, Chrome, Safari, IE...). Civic gives you an example.
  • Tip: Provide a link to your privacy policy in your menu or sitemap. Give visitors the opportunity to edit their cookie preferences at a later stage.
  3. Create a consent message

  • When visiting your website for the first time, visitors will see a pop-up requesting their consent to store cookies on their computer.
  • The text that you have to mention here depends on the cookies and identifiers that you use on your website or app. Typically, it will mention that cookies/identifiers are being used, with a link to the above-mentioned page with your privacy policy. Here is an example for a website:

We use cookies to offer content and advertisements, as well as features for social media and to analyse our website traffic. We also share information about the use of our site with our partners for social media, advertising and analysis. Show details (link to your privacy policy)

  • This banner or pop-up includes buttons that allow visitors to allow or block cookies.
  • The consent message works as follows: when the page is loading, the script will search for a certain cookie. This cookie stores the user’s preferences, as well as information on the nature of the cookies that the user allows or blocks. As long as the user has not chosen to allow or block cookies, the script will continue to display the consent message. Once the choice is made, the user’s preferences will be stored in the cookie. The message will then disappear and will not be displayed again.
  • Attention! The consent message is only a text that indicates a preference. If the user wants to block ad cookies, you will still have to execute this option in the ad tags on your page.
  • Attention! Unless you use geotargeting in your script, all visitors of your website, including non-EU users, will see the consent message.
  • Attention! The consent message has to appear on every single page where cookies are stored and on which users may land via an external link.
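
The consent flow described above, as an added example that is not part of the original page or of any of the tools it mentions. The cookie name `cookie_consent`, the 180-day lifetime and the sample tags are assumptions; the four categories are the ones listed under Tools below. A blocked category is simply not loaded here; how an ad tag is switched to non-personalised ads depends on the ad product.

```javascript
const CONSENT_COOKIE = "cookie_consent"; // hypothetical cookie name
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Read the stored choice from a cookie string such as document.cookie.
// Returns null when no valid choice exists, so the banner must be shown.
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    let stored;
    try {
      stored = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
    } catch (err) {
      return null; // malformed value: treat as "no choice made"
    }
    if (stored === null || typeof stored !== "object") return null;
    const consent = {};
    for (const c of CATEGORIES) consent[c] = stored[c] === true; // default deny
    consent.necessary = true; // exempt cookies do not depend on consent
    return consent;
  }
  return null;
}

// Build the cookie string that records the visitor's choice.
function writeConsent(choices, maxAgeDays = 180) { // lifetime is an assumption
  const value = {};
  for (const c of CATEGORIES) value[c] = c === "necessary" || choices[c] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(value))}` +
    `; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Decide what the page does: show the banner, and which tags may load.
function planPage(cookieString, tags) {
  const consent = readConsent(cookieString);
  const allowed = consent || { necessary: true }; // no choice yet: exempt only
  return {
    showBanner: consent === null,
    load: tags.filter((t) => allowed[t.category] === true).map((t) => t.name),
  };
}

// Constructed sample tags for illustration.
const SAMPLE_TAGS = [
  { name: "session", category: "necessary" },
  { name: "analytics", category: "statistics" },
  { name: "ads", category: "marketing" },
];
```

In a browser, `planPage(document.cookie, SAMPLE_TAGS)` runs on every page load and `document.cookie = writeConsent(choices)` runs when the visitor presses a banner button.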
  4. Tools

If you do not have the technical knowledge within your SME to create a consent message for cookie management, do not worry; here are a few websites that can help you…

In the wizard, you need to enter the text of the consent message and edit it where necessary. Then, you will receive a code that you can paste in the header section of every desired page, just before </head>

Visitors can immediately choose in the banner which cookies they want to allow (supported in all languages & default text templates in 34 languages): Necessary / Preferences / Statistics / Marketing. This service is not free (from €4 per month), but you also get a report on existing cookies and control over first-party and third-party cookies.

This tool also includes special modules for Drupal, Joomla and WordPress. With the free version, you do not get geotargeting and a link to Cookie Control is provided. For a one-time fee (£39), you are freed of those limitations. A positive feature is that the tool also works with SSL.

This page offers you a step-by-step manual to create the script yourself, as well as a template to explain your privacy policy. Complete documentation is also available.

Our colleagues at discuss a few useful plug-ins for your WordPress site.

Do you have any further questions? Google Support will try to help you. As for the how and why, as well as the way to implement cookies, please visit Wikipedia.