Cookie Compliance

Earlier today we highlighted the complete lack of direction from any Church of England Diocese to help parishes deal with the new EU Cookie Law. We couldn’t find a single Diocese where there was clear evidence of guidance being issued to help churches with websites to comply with the law. Since then we’ve had more and more people getting in touch telling us that they didn’t even realise that they needed to do anything. We also heard an interesting account about one church once consecrating biscuits instead of bread, but that’s another story for another time.

So, what to do? Well, luckily the Twurch is here and we can help. We’ve written this short guide to help you handle the EU Cookie Law and to make sure that your site is fully compliant. And for most people, that’s not going to take more than ten minutes.

What is the Law?

Since the new law came in, any site hosted within the EU or providing services to people within the EU needs to let its users know if it uses cookies to store information. Each site needs to gain explicit consent for using any cookie that isn’t vital for the operation of the website. This includes tracking codes to monitor visits and other plugins that many websites run.

Failure to comply can lead to prosecution and a potentially large fine. In reality, a small church website is unlikely to be hassled in this way, but it just needs one person to take an objection to your church and to register a complaint for you to possibly land in trouble. Also, there’s a simple Romans 13:1 principle at stake as well.

Are you using Cookies?

To check if your site is using cookies (if you’re in any doubt), simply download one of these tools depending on which browser you are using and let it tell you by navigating to your own site.

  • Firefox - View Cookies
  • Chrome - Crumbs - this is our favourite – simply navigate to any site and it automatically tells you how many cookies are stored on your computer from that site
  • Internet Explorer – Nothing we could find easily. If you know of one, tell us!

Making Your Website Compliant – The Easy Approach

If you want to take the easy approach then you can go for an “implicit consent” strategy. What this means is that you assume that viewers of your website will handle cookies by themselves as long as you tell them which cookies you use. To do this you need to include in your privacy policy a list of all the cookies you use and some text that points your website readers to how to change their cookie settings in their browser.

For a great example of a privacy policy that does this, look at the website for St Mary Magdalene, Taunton. This policy lists all the cookies used, has a link to a website that explains what cookies are and tells readers that this site will tell them how to block cookies using their browser.

We believe this approach will work for most parish churches. Simply make sure that your privacy policy on your site (and see below for how to write one if you don’t have one) lists all your cookies and tells readers how they can use their browser to block them. The choice is then in the hands of the person using your website – they know what the cookies are that you are using and they know how to block them if they want to. As long as your privacy policy is obvious, this approach will be fine.

There is more information on “Implied Consent” here.

Making Your Website Compliant – The Full-On Approach

Alternatively, you might want to go for an “explicit consent” strategy. With this approach you make absolutely sure that any viewer of your website has explicitly agreed to use cookies on your site before any of those cookies are actually used. Thankfully, this is pretty simple. If you have a really, really old website (you know, static HTML, that kind of thing) the chances are that unless you’re running any monitoring code to track visitors you probably aren’t running any cookies. If you’re using a content management system like WordPress, Joomla or Drupal, the chances are that you are using cookies and you need to do something about it.

OK, let’s assume you know that your site uses cookies and you want to make sure you’re compliant with the law. What do you do? Fortunately the wonderful people over at Civic UK have produced a brilliant solution that will work on all websites. The idea is that you add some code to your site that does all the hard work for you, asking everyone who comes to your website whether they’re happy with the use of Cookies. Until the reader of your site agrees, the code won’t let any Cookies be activated. The code is not that complicated to set up (assuming you set up a website in the first place you should be able to handle this) and very easy to maintain.

So, what to do? Follow this simple list.

  1. Go to the Civic UK Cookie Law page and see whether there’s a plugin already written for your website. For websites using WordPress and Drupal there’s already a plugin written for both of those systems, so you simply need to download it and install it like you would any other plugin.
  2. If you aren’t running WordPress or Drupal you need to do a bit more work. The page helps you create some code that can be inserted in your web-pages to run the compliance software. Choose which shape icon you want, whether you want the little pop-up to appear on the left or right hand side of the page and whether you want a light or dark background to the pop-up (to fit the general feel of your site). There are two boxes of text that you can change, but for most sites the standard text already in place should be adequate.
    You will need to enter the URL to your Privacy Policy (you don’t have a privacy policy? Read below on how to create one) and delete the words “United Kingdom” to make sure the pop-up appears for anybody from anywhere who views your site. We suggest you keep the “Pop-up by Default” settings as they are. Fill in your email address, add your Google Analytics key (if you have one) and keep the “Apply to Sub-domains” setting set to “Yes”. Finally make sure you tick the “Accept Terms and Conditions” box and click on “Collect Your Code”. If you miss anything out the site will not let you continue until everything necessary is filled in.
  3. Once you get to the next page there are two things that you need to do. Firstly, you need to download the clever piece of code that does all the work. You do this by clicking on the “Download the Cookie Control script here” link and, well, downloading the code. This file then needs to be FTPed up to your website, to the root of your hosting, the same place where the homepage of your site lives. Without this script nothing will work.
    Then, you need to copy your custom code which appears on the left-hand side, and crucially, make sure you change where it says “/PATH_TO_COOKIE_CONTROL” to your domain. For example, at the Twurch our line in the code would look like this: src="http://www.twurchofengland.org.uk/cookieControl-4.1.min.js".
    This edited code needs to go into every page on your website and it needs to go between the <body> tags. This isn’t as hard as it sounds as most good websites have a header or a footer that loads into every page, so you can put this code into that header or footer and it will automatically run on every page. If your website is still hard-coded and just has separate HTML for each page, you really should be thinking about moving to a proper Content Management System.
  4. WordPress and Drupal users can find these settings in their settings page for the plugin (for example the WordPress plugin creates a separate menu item with all its configuration details).
  5. Now the fun starts. If you’re not using a Content Management System like WordPress (are you getting the message about using a CMS like WordPress yet? It really does help) you need to make sure that none of your cookies are activated before the viewer says that it’s OK to use cookies. This means that you should edit each of the calls to a cookie with some prefixing code that allows the Cookie Control software to make sure the cookie isn’t activated before . The “Tweaking Your Scripts” section on the Deployment page on the CivicUK website shows you an example with the Google Analytics script.
    If you think that sounds frightening, don’t panic. For 99% of all websites you won’t be using any special cookies beyond a site visits tracking cookie. Whether you use Google Analytics or other code (though why would you want to use anything else apart from Google Analytics we don’t know), the worked example on the CivicUK site shows you exactly what to do.
    WordPress users have it easy. The plugin from CivicUK automatically blocks the standard WP cookies and has a space for you to put in your Google Analytics tracking reference in order to make sure that that isn’t triggered until a viewer agrees to use Cookies. We tested a pretty complicated WordPress set-up and found that it didn’t use any other cookies apart from the standard WordPress ones and Google Analytics, so we’re pretty sure that the vast majority of WP users will find the CivicUK plugin a one-stop solution to this problem. Just one more reason to move your site over to the top CMS (in our humble opinion) in the world!

Once you’ve done all this, you will have a little icon that pops up the first time someone comes onto your website that tells them that the site uses cookies. It then prompts the viewer to accept this, at which point all the cookies on the site become active and the icon hides itself away in a corner of the screen where it can be clicked on again to bring up the notice about cookies.
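
The gating behaviour described above can be sketched in a few lines. This is an added example, not part of the original guide and not Civic UK’s Cookie Control code or API; the names createConsentGate, memoryStore and "cookie_consent" are hypothetical, and the opt-out handler assumes your notice offers one.

```javascript
// Added illustration: a generic consent gate, not the Cookie Control script.
// createConsentGate, memoryStore and "cookie_consent" are hypothetical names.

// `store` needs getItem/setItem/removeItem: window.localStorage in a browser,
// or the in-memory stand-in below when run under Node.
function createConsentGate(store, key = "cookie_consent") {
  const pending = []; // cookie-setting callbacks still waiting for consent
  const hasConsent = () => store.getItem(key) === "granted";
  return {
    hasConsent,
    // Wrap each script that sets a non-essential cookie (e.g. visit tracking).
    whenAllowed(name, fn) {
      if (hasConsent()) fn(); // returning visitor who already agreed
      else pending.push({ name, fn });
    },
    // Wire to the accept button: remember the choice, then run what was held.
    grant() {
      store.setItem(key, "granted");
      const ran = [];
      while (pending.length > 0) {
        const { name, fn } = pending.shift();
        fn();
        ran.push(name);
      }
      return ran;
    },
    // Wire to an opt-out control, if the notice offers one: later page loads
    // are gated again. Cookies already set stay until deleted or expired.
    revoke() {
      store.removeItem(key);
    },
  };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStore() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => void items.set(k, String(v)),
    removeItem: (k) => void items.delete(k),
  };
}

// Constructed run: the tracking callback is held until grant() is called.
const demoGate = createConsentGate(memoryStore());
demoGate.whenAllowed("analytics", () => console.log("analytics loaded"));
console.log("before consent:", demoGate.hasConsent());
console.log("ran on consent:", demoGate.grant());
```

Anything not wrapped in whenAllowed() still runs on page load, so every script that sets a non-essential cookie has to go through the gate for the approach to hold.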

It’s as simple as that. A little bit of work and you’re fully covered. If you find all this a bit daunting and you’re running an old website that you don’t really understand, perhaps this is the nudge you need to move to a system like WordPress. Alternatively, given that for most sites the full solution involves downloading one file, pasting some code into another file and then editing one or two other bits of code, you could use the experience of making your site EU Cookie Law Compliant as an opportunity to discover a little bit more about how your website works. And remember, the “implicit consent” solution above should be fine for most people and if your website doesn’t use any cookies you don’t need to do anything at all!

Joomla users should note that there is a Joomla Extension entitled “Cookie Monster” that has had some great reviews and does roughly the same thing as the Civic UK WordPress plugin. Here at the Twurch we haven’t tested it, so use at your own risk. Alternatively, the Civic UK site are working on a Joomla plugin and until that comes along they have a page to help you set up their code in a Joomla installation.

Privacy Policy

Your website should have a privacy policy. Really, it should. You should have a page that is easily accessible that tells all your readers exactly what you do with any data you capture from them. For example, our privacy policy is here.

If you don’t already have a privacy policy there are lots of sites that can help you and there is a great list here of useful places to go. In particular the template generators are useful tools. Alternatively you could simply lift someone else’s privacy policy who you trust, tweak it a bit to fit your circumstances, and use that instead. That’s what we did here at the Twurch. A good live privacy policy can be found here.

If you have any cookies running on your site you must list them in your privacy policy in order to make sure you are compliant with the law, even if you are using the implied consent strategy. We use a WordPress plugin called Cookie-Cat to do that automatically, so any changes will instantly appear. Another reason to switch to WordPress.

You should also consider putting a notice on your comment form making it explicit that you will store the message that is sent to you. You should also consider using a similar message where readers enter comments on blog posts.

Further Help

If you have any more questions don’t hesitate to ask. Unfortunately we can’t help you with the actual installation of a solution on your website, so please don’t ask us to, but we’ll try to answer general questions below. You can also contact the CivicUK team directly and they may be able to help.

If you do want some technical help we know some very good Christian web designers up and down the country who we can put you in touch with. Please note though that these men and women provide professional services and you should expect to pay for any help you receive.


2 Comments

  1. Hi,

    Thanks a lot for this, really useful. We did manage to update our privacy policy to meet the deadline, but I’ll admit we didn’t think to publish any guidance for our parish websites (not that anyone asked for it!).

    Ironically, we were bemoaning that there had been no guidance to dioceses from Church House!

    I’ll add a link to this from our website, if that’s ok.

    Dan Kemp
    Digital Media Manager
    Diocese of Worcester
