The amended EU privacy directive came into force in the UK on 29 May, provoking a collective scratching of heads, a yawn from the web development community and numerous headlines about cookies crumbling.
The new regulations require site owners to seek the explicit consent of a website user before cookies may be used, except where they are strictly necessary for the site to function.
As of June, only three of the EU’s 27 member states (Estonia, Denmark and the UK) had implemented the directive, and it seems likely that most countries are playing for time until a browser solution is developed.
Exactly how a website should obtain consent isn’t yet clear, but the UK’s Information Commissioner (ICO) has issued guidelines (PDF) which may influence any decisions of the European Commission.
How are sites applying the new law?
In most cases, they’re not. And in fact the ICO has announced it is giving providers a year to get some sort of mechanism in place.
Various solutions have been proposed, including an interrupting pop-up containing a statement of the cookies used and a check box users are supposed to tick. Some developers have speculated that a more specific declaration of terms in a site’s privacy statement amounts to seeking consent, but since hardly anybody looks at privacy statements this might not satisfy the ICO.
The most popular method of seeking consent so far has been some variety of JavaScript toolbar appearing along the top of the browser window. It briefly explains the rationale behind using cookies, then presents a check box users can tick if they accept. An example appears when you visit the ICO website at www.ico.gov.uk.
But it must be said that sites haven’t rushed to align themselves with the directive. A quick look at tesco.com and amazon.co.uk shows that they haven’t yet applied the rules, while the one site you might expect to have got it right - the European Parliament - has yet to make its move.
What you can do to move towards compliance
Firstly, read the ICO’s guidelines, which are available as a PDF.
Secondly, find out where and when your site serves cookies, and whether or not they are “strictly necessary” to the services your site provides. Bear in mind that you may be responsible for third-party cookies such as those served by Google Analytics or banner ads.
Next, devise a way of obtaining consent that satisfies the regulations. Tripledub can help with the technical side of that, although we can’t offer legal advice. Feel free to give us a call, and we’ll have a consent form working for you in a jiffy.