Over the last few days, I visited every FTSE 100 corporate website to see how they are responding to the European Union Cookie Law.
Obviously things are changing very fast, since the extension period for compliance ends on 26 May, but I found the following good practices at the time I looked…
- 1 website (BT) explicitly asks for consent via a pop-up from the footer bar. BT has received a lot of coverage for their solution to the Cookie Law, and it is worth visiting their site to see how they have implemented it, if you haven’t already.
- 1 links to their cookies page via a teaser box on the home page (Aviva). This highlights the issue, and helps to educate people about cookies by bringing it to their attention. I imagine this is a temporary measure, and at some point this teaser text will be replaced.
- 3% use text or a bar across the top or bottom of the window (outside the main body of the website) to link to their cookies page (ITV, RioTinto, and Serco). While not as central to the content as the Aviva teaser box, these are at least visible on the home page; the RioTinto one stands out most.
- 4% state that they are assuming consent because you are using the website.
- 20% provide a persistent link to their privacy/cookies page – labelled as ‘cookies’, not just ‘privacy’ – usually in the footer or other site services bar
- Around 33% list the types of cookies they use, some providing details of each cookie
- Around 65% offer some explanation of how to clear cookies (some more detailed than others)
- Nearly 75% provide some explanation of what cookies are (some more detailed than others)
I’m not sure about:
- just under 20% do not mention cookies at all.
It is worth conducting an quick audit of your website with a cookie-monitor tool such as Attacat’s cookie audit tool, which may not be 100% accurate (they say it should not be treated as gospel) but which can indicate whether the website is using cookies for analytics purposes, or whether a third-party provider is using cookies (perhaps to facilitate the share price graph).
If you are using cookies, even if only session cookies, analytics cookies, or cookies that do not require consent, I think it is worth making cookie usage explicit, if only to reassure people. It also, of course, demonstrates that you have audited your site, and are willing to be transparent by revealing which, if any, cookies you use.
So what should you do with your website?
As has been outlined elsewhere there are three steps to take to prepare for the new Cookie Law:
- Audit your website to find out which cookies you use, and decide which would require consent.
- Reveal which cookies you use by updating your privacy page, or creating a dedicated cookies page.
- Develop a plan for compliance.
Many people are uneasy about cookies (which may explain a reluctance to accept cookies) but once we all become more familiar with cookies and what they do, people may be more likely to accept them. So the more we can all explain what they are, and what we’re doing with them, the better.
This is why I suggest that in Step 2 you take the trouble to:
- Explain how to clear them (see Sky’s FAQ for an example)
- Say which cookies you use, and why (see BAE Systems for an example of a detailed explanation). Make it clear if you don’t use any
- Provide a clear link to your explanation from across your website (because people don’t only arrive via your website front door)
- Include the word ‘cookies’ in the name of that link, because that is what people will be looking for
- Highlight that link – even if only temporarily – either visually or by its location.
And have a look at John Lewis‘ privacy page, to see how they’ve done it: not only do the tabs make it easy to see what the content covers, the content itself is reassuring and simply written.
What do you think? Have you seen a good example of cookie clarity on a corporate website?