EU “Cookies” Directive. Interactive guide to 25th May and what it means for you

Haha… nice one. I hope we won’t have to go to such extremes 🙂

ha well done

Nicely done. And I have seen these annoying ‘sayings’ when you are about to leave a website. Big irritation. =/

hhahahaha that’s great :), silly unenforceable legislation…

Great one 🙂

Well, I can’t be arsed reading those directives. I wonder where server location comes in to the mix, as in if your server is located outside the EU, is it under the remit, whatever the TLD. If that’s a quick fix then relocate, relocate will be the order of the day. This is one of the most silly set of regulations ever.

Yeah – it’s another interesting thing to chuck into the mix. Maybe Iceland will end up being Europe’s web-hosting location of choice… they seem to be keen on being the go-to destination if you want to avoid certain EU laws 🙂

Not really. If your a company registered in the EU then you’ll have to abide by EU law regardless of physical server location.

We had the same discussion in the office about server location and abiding by the law, and we’ve come to the conclusion that it’ll be down to the intended destination / domain name, eg http://www.bob.co.uk is obviously UK so you have to abide by it, and to be honest even though the we have a .pe website outside the EU we are going to put it on there too as it can’t hurt can it (perhaps not the pop up jobby) the information on cookies we use etc.

very instructive

Ha ha, fantastic.. the first time a pop-up has made me smile. Also there is F+++ all else in Iceland, i recon we could all host there!

Oh no, I just accepted all without reading. What have I agreed to? 🙂 Very good!

Loved this.. quality post. Implications of this are just insane.

Hi David

This is great! Let’s send this link to all the politicians we have the email addresses for and show them what they are about to do to the Internet.

Ha ha .. Can not wait for this cookie directive becomes reality 🙂

Brilliantly done! While as a user I’d be happy to see less tracking, as an SEO I know what is harmless and I have to accept that some of it is a necessary evil. As usual politician and legislators have no idea how the internet actually works so they can’t tell the harmless from the intrusive. This is going to cause a lot of hair tearing (good job mines already gone).

The point of (and solution to) mandatory popup notifications about cookies is not having the popups, but not having the tracking cookies.

It might as well be a law stating that sites third-party-advertiser scripts/tracking cookies must put their page background blinking red and pay 100% extra taxes – it’s meant as a deterrent – just don’t do it.

The problem with that Peteris, is that many companies have to track their advertising so they don’t end up making a loss, that is why all the tracking is necessary.

Excellent. I’m all for these changes. Either a simple popup on first landing to handle a collection of checkboxes (which is simple enough to deploy) or the browsers will set up a standard template for the user to specify general or specific site “permissions” and pass that in the header information.

The only people crying about this are marketers… who as we all know aren’t real people anyway.

Hey Bob, except websites themselves can’t do this. Mainly because if someone says “no I don’t want to opt-in to you storing cookes” then they can’t record a cookie to say they don’t want cookies.

So quite frankly, it’s stupid.

Which is why a browser based solution would make more sense (a more extended version of the X-DO-NOT-TRACK header currently being implemented by Mozilla, Chrome and Opera). Something like (which the user would pre-configure in their browser) and allow the user to override for a particular site:

[ x ] Allow us to store a quasi unique session id on your computer
[ x ] Allow us to store non-personal site preferences
[ x ] Allow us to track your navigation through our website
[ x ] Allow us to sell this information to whoever will pay us

However you could store the “no don’t track me” decision based on the persons IP address (for 12 hours). Please note, since storing something in a database is not a cookie, it don’t believe it is being regulated.

@Bob: Many users still aren’t clear on what a browser is, let alone how to set preferences. And what about sites that allow public comments that may in turn include content from other sites who do use cookies to track where their content shows up? If someone visits your site, you should be as automatically entitled to track their movements and activities whilst they are on your site as a shop owner is to watch customers whilst they are on their real-world premises. This is necessary simply to maintain the virtual premises effectively, whether you’re directly selling stuff or not. Selling information on your individual customers’ actions to others is another matter, and tracking which other sites you visit is not something that real-world retail leads consumers to expect either, but those are specific actions that could be legislated against with less impact on the majority who aren’t really seeking to abuse their customers.

Brilliant… Paul you are the RantMaster! Another piece of euro-c**p we can all do without!

Did anyone read all the pop-ups? I did get tired on the third!! :)) Hahaha!

Nice!

They got much funnier after the third one. I think you should go back and start again. 😉

Gota love a good pisstake 🙂

Brilliant, thanks.

What is it about MEPs and cookies? Even the original debate behind the first cookies requirement in the Privacy and Electronic Communications Directive 2002/58/EC was pretty hysterical (in both senses of the word) – giving us the first weird article that required us all to put unnecessary cookie wording in privacy statements/policies.

Maybe it’s as simple as there being plenty of good chocolate in Brussels (Strasbourg on away days?) but no good biscuits?

Hey I think it’s a good idea in principle but kudos for the series of comedy pop-ups 😀

Hugely clever!
Being a girly, I don’t have much of a cock to swagger about town with (my balls are a different matter. They are HUGE), but I did write a bit of a round up on Cookie Law here:
http://t.co/Hej3v3G
You can read it if you like, but the top and bottom of it is Keep Calm and Carry On.

lol @ “huge balls” (I take it that wearing Spanx is out of the question for you then?)

I actually kind of figured that it’s not going to be that big a deal (until the aforementioned lawyerly type decides to bring a fatuous case, as you *know* they will) but there’s no fun at all in a balanced, rational look at the facts 😉

Simply perfect, same problem is growing in spain. On the “website link” there is a bief explanation of the spanish market with the law against the “ilegal downloading” the IT infraestructure and the cookie staff.
We have had better moments…

Thanks, David – though tongue-in-cheek, this also raises vital points about whether or not ticking a box guarantees that something has been read or comprehended. UK guidelines on how to comply won’t be completed until after the law comes into force, which is another way of saying “we passed this law without thinking it through.”

To those who think this is a good idea “except for marketers” – it isn’t. If you’re in business, you’re a marketer. If you run a website, either you pay for it, or your customers do, or adverts do. Ad targeting lets your visitors see relevant ads that they may just be happy to click on (i.e. it’s good for the website, and for its visitors). So even if you don’t run a website, preventing ad targeting will just mean you either see more, less relevant ads, or that sites who provide free services will have to start charging for them.

I don’t like the idea of being tracked or profiled, especially once I leave a site – but a blanket ruling against a technology (instead of against very specific abuses of a technology) is simply not competent legislature. Done badly (and there’s no sign that this is being done any other way), the following outcomes seem probable:

1. European sites will become less user-friendly, driving online trade out of Europe.
2. Small businesses (i.e. most UK businesses) will be hit by costs for developing workable alternatives.
3. Ads on European sites will be less targeted, thereby becoming more offensive to site visitors and less likely to earn money for site owners – again hitting small businesses, charities and ‘pro bloggers’ hard.
4. If storing user data on the visitor’s computer is wrong, firms will have to collect and store it in databases, where it is FAR LESS controllable by the user. Securing these databases will incur more costs, and Data Protection regulations will apply in areas where they were never needed before.

Besides, if targeted advertising is so terrible online, why does no-one complain about it in shops, on billboards, on the radio, on television, in magazines etc. etc.? This is Luddite technophobia being made into law, and it should be repealed until someone does have time to think it through.

Will be interesting to see how this will turn out..

So tell me, how is it being called David all the time Paul?

Haha – I’ve been called worse, believe me 🙂

D’oh! Apologies, Paul! I had noticed your byline, just one of those mind-racing-ahead moments and didn’t spot my typo, sorry.

Haha love it! The message boxes were definitely worth the effort on your part. Although, I want the chocolate chip cookies you said you had! 🙂

It’s certainly interesting to see how they will police all of this – the internet is far too big to police, and cookies are actually useful, so why would they make them opt-in?

All those pop-ups and nary a polar bear in sight!

Haha…..excellent post, a very British approach to the subject.

Most amusing.

A clever idea and really well executed. The whole concept behind the cookie warnings is absurd, and I’m curious if Google will issue a statement given it could damage Adsense, Analytics and YouTube.

This is sooooo userfriendly, or?

Thank you! You have most definitely brightened up my day.

Tim

nice Idea 🙂

Skimmed over the regulations and it seems that the only part that mentions cookies is about users being offered a chance to opt out of cookies and not a word given on how. The way I read it, it seems that it can be handled with a footnote in privacy terms.

But the trend that uninformed politicians make legislation on very specific areas is worrying.

Ha, so basically everyone will give up going on any site using cookes, and we will lose any decent site that relies on ad revenues to provide us with free, interesting information! Thanks EU, thanks a lot…

Nicely done. Would such a directive, designed to protect privacy and limit the extent that firms can tap into behavioural advertising, open up the advertising market for smaller companies? One thing is for sure though, users will see lots more pop-up windows and boxes asking them for permission to collect data – a step in the wrong direction for usability.

Thanks Paul, love the pop ups! 🙂

I agree with the good points made by PeteW and some of the other commenters. I think it should be asked if this is actually in the public interest? I can see both sides of the argument, although being a website owner, naturally, I want to track everything I can whilst being transparent and giving the user the best experience possible.

Do you think I could get the Yahoo Tool Bar or maybe the Alexia one to remember all my choices in a public place ?
After all all these popups could get tiresome and I know all the sites I go to from google are safe. Right?

-enjoyed the humor of it thanks

I think the legislation will be aiming for the strengthening of standards like p3p, rather than requesting a load of popups…

using these standards browsing experience would be enhanced, not hinderd…

Just been thinking on the pop ups we could see – does anyone else think that we could start seeing adverts and sales opportunities pushed at us IF we need to start clicking popups to confirm cookies? Seems to me some advertisers would jump at the chance to throw an extra advert in a pop up if they had the chance.

That’s why i stay far, far, far away from EU markets. Utterly silly.

Love this – ok,ok,ok,ok,ok,ok,ok, – have I just signed up for porn, helping princes in Nairobi shift cash, Viagrow, another book club????? Really looking forward to the internet is it goes this direction.

@paul I agree, I reckon we will see pop up cookie requests with built in Ads, that way every single visitor is guaranteed to see that Ad, which can be sold for a lot more money! Although far fewer people would end up accepting the request if they thought it would just give them loads of spammy pop ups.

@Tom Doerr, Thanks Tom. Just taken a look at your blog and see you have written an article on the cookie directive, you make some very good, clear points.

Very clever – I was cursing you for a minute but then it made me smile. It’ll be very interesting to see what effect, if any, this new directive has on digital marketing and the software that we use.

Brilliant – but you forgot the option box that asks what sort of cookie the user wants. I want the one with jam on the top

awesome!

Surely the implementation of the EU cookie directive will mean that we will miss out on a sector of traffic to a website? When working with sites where the user base also reads the Daily Mail, where they have been warned about TERRIBLE things that cookies can do, will mean site traffic will just drop off, at least for the first month?

@Tom I think you make a very good point about the built in ads. But this is now a development cost that every single EU site will have to swallow.

Well done for bringing the reality of this absurd directive to our attention.

The EU cookie directive is just a massive joke. Derived by some half-wits in a board room who have no idea what cookies actually do, and think they’re massively improving the interwebs security by bringing this law into play.

I’m hoping the Internet Browsers will come up with a way of getting around this foolish idea. How badly may this hit the digital economy? Not many non-geeks know what cookies are, and what they do on the internet, so they will probably say no when the pop-up pops up anyway.

And yes I’m a disgruntled affiliate.

As always the EU commissioners are completely out of touch with everyday life.

Really such a great info!

oh noes! why the “prevent this page to create additional dialogues???” the point was to annoy the hell outta visitors!!! 😀

The EU ist a wonderbar thing.

If it weren’t for the EU, we’d all be eating bent cucumbers and straight bananas.

Long live der vaterland!

lol you´re damn right! Here in Sweden the EU is trying to attack the holiest of holy (except for our women), Snus. Our politicians are panicking and sweating as pigs trying not get their people to start praying for Thor and Odin to strike upon Angela Merkel and her peasants.

This is childish and annoying.

This is a complement.

Brilliant article – loved it.

What qualifications do you need to become and EU legislation maker? Do you have to have “lobotomised” as part of your CV?

Haha, that was quality! Love the “Douchebaggery”

I read all the popups.

First time EVER. (good job – still smiling)

Epic, i love it! Think Google should implement internet wide, see the CTR’s then.

Well, I just visited the ICO website and it set 5 cookies in my browser and didn’t ask me or tell me anything about them, that will be the first website I’m report to the ICO for breaking the rules on May 26th!!!

I don’t want to not not comment; great stuff 🙂

You might be interested to know about a new website just launched which is promoting a more practical solution to the cookie law than the UK government: http:\\www.cookiecrunch.co.uk

Lets all report the ICO on May 26th. Browsers already give me the option to stop cookies. If I didn’t want cookies I would of set firefox to not accept them plus how would the pop up get round the pop up blocker or did the EU forget that people hate pop ups. There is already plenty of info out there to tell people how to stop cookies in their browser. I remember the dark days of using the web on my old mobile, I had to accept or reject loads cookies before I could look at a site. So please UK government don’t make me go through all that again. The EU is a waste of money and this law will inconvenience the end user. Loved the pop ups on this site though.

Shhh, don’t tell anyone but the official EU site sets a cookie without asking permission: europa.eu.

Of course none of the UK government websites will conform post deadline. Many don’t even conform to their own COI guidelines!

Bob mentioned earlier we could just record a user’s IP in a database for 12 hours which is ok if a: you have a database already or b: the user isn’t on a corporate network where one external IP may be used by hundreds of machines as their point of access to the web and a hundred other reasons why this might not work or be wholly impractical.

On the point of how do you record the “don’t track me” preference of a user without using cookies. Well the law states you can store a cookie without permission “where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user”. So ironically because a user doesn’t want me to store information about them in a temporary session cookie I can place a permanent cookie on their machine which says “don’t track me”. EU logic at it’s finest

Enjoyed it no way this can apply .

Let’s set up a petition on the UK government website telling them not to enforce this law. Protect UK business.

Brilliant – I loved that guys. You brightened up my morning.

In case I accidentally opted out at some point and you couldn’t track my referral information:

Referrer URL: http://econsultancy.com/uk/forums/best-practice/eu-cookie-ruling?page=1#forum_post_14291
Time: 08.09
date:18/05/2011
Geolocation: SE1, London, UK
Favourite colour: Navy Blue
Ad preference: open to ads on holiday offfers
Projection of wifes xmas present: possibly a nice dress, or perhaps some shoes.

😀

I don’t mind if they are chocolate-chip cookies!

We might have to resort to them big landing pages, Do you agree we can track you or Leave Site.

Although this is the first time ever i laughed at alert’s in a browser 🙂

Thank you, all the lovely people who read my initial post about cookies from here. In light of the releases yesterday and today, I have updated it here:
http://beneaththewig.com/cookies-not-oats-and-raisin

And how is one expected to record the fact that the user doesn’t want cookies??
If I refuse the cookie at http://www.ico.gov.uk/ , the notification never goes away.

I got the point by the fifth pop-up.

Individually, they’re all funny. Collectively, it soon gets tedious.

Thanks for the feedback Dave, and I’m glad you got the point so quickly.

Does anyone else remember the ‘click to allow Flash to be displayed on a website’ directive? That lasted all of 5 minutes before it was summarily chucked in the ‘crap idea’ file.

Can’t we just shut down the EU and keep the WWW open?

There’s a certain irony that you’re spamming all those pointless pop-ups but then going ahead and breaking the law anyway by setting cookies without permission.

I’m sure there’s a whole other layer of irony implicit in that comment.

Do tell.

Well… we weren’t ‘spamming’ anything (as spam is entirely unrelated to the use of pop-ups in this specific context) and the entire point of this jokey bit of fluff is that the law is itself an unenforceable and impenetrable ass of a thing 🙂

The message boxes are indeed spammed – spam doesn’t mean just email. That wasn’t meant as a criticism, spamming the message boxes is obviously a fundamental part of the joke.

I guess I disagree with your basic premise; I don’t think the new law is particularly impenetrable or unenforceable. I think it’s an important step forward, although clearly it’s going to take people some getting used to the concept that cookies should not just be flung at users willy-nilly. Yes, the law could be misinterpreted to be ridiculous, as you have done for your joke, but that does not make the law itself ridiculous. In reality it’ll be interpreted in a more moderate and sensible manner, but it’ll probably take a little while to reach equilibrium.

For the avoidance of doubt, I am not a lawyer, and even if I were I would have no intention of suing you or anyone else with regard to cookies 😉

Ah OK – sorry. Even after 3343 years of reading blog comments I still sometimes can’t tell when someone’s being snippy or not! Thanks again then – and I probably agree with everything you’ve said 🙂

That was funny :))) Thanks for brightening up my day!

Well bit the bullet and had to implement wolf software’s GA cookie opt in on our site.
I’ve removed our live-chat/realtime tracker from the front page
Can’t wait to see what it does to my traffic.

Well you are all missing the point here. This is just a bit of an experiment the EU is doing. Since the Internet has been used so effectively to organize protests and rebellions around the world, governments are now seeking to take control of it. What we are seeing here is the EU testing the waters under the guise of privacy, to see how internet users, businesses and companies will take to imposed changes and controls inflicted by government powers. If we all go along with this kind of nonsense we will all loose our freedom and enter an age of over control and repression.

The actual directive it’s self is very ill conceived, and goes a long way to giving non EU businesses a major advantage. It does little else than that. If the EU is so bent on pushing out internet directives to protect people, then why don’t they go after the spammers and fishers, many of which are based in the EU?

My stats have dropped from several hundred to 1 logged visit, and that’s me testing from a different server. This law sucks.

Do you mean visits as measured by Google Analytics? Because it’s hard to see how adding the opt-in box could have reduced your actual visits to zero since people have to visit your site before they can even see the box is there.

As recorded by analytics

That’s not particularly surprising, I can’t imagine many people will click “yes, please track me!”. I would think the real test is whether it affects your sales.

Sad how much I enjoyed that 🙂

David,
thank you so much for this humor and also for your many informative articles!
I just had to take a moment this time after that wonderful example! You made me laugh so hard I just had to click to see what you would come with next!

Laura

Hmm ok i see the site name is David my apologies if your name is Paul:) and I too called you David!

One of my clients asked me how his website was going to be affected by this and I was trying to write a serious article about what I could do to stay a law-abiding web designer. Your site came up in the course of research and I have been giggling ever louder as I work my way through all the dialogue boxes.
Presumably if Google Analytics is one of the main culprits, the big G will be doing something pdq to stop us from removing their tracking codes just to stay within the law…?

Perfect!
Visitors will get annoyed after the 3rd click, close the Window/Tab and go elsewhere, where the site owner will not bullshit them with a load of cookies.
Perfect, mission accomplished!

Going to be **very** unpopular for saying this, but so what?

Back in the day I was taught **never** to rely on cookies for any kind of behavioural tracking due to their unreliability – people do turn them off – people do move machines.

(That said, I’ve got Google Analytics on my site but it will be removed and replaced in due course).

Maybe what we’ve become is a little lazy in our coding by jumping on a cookie bandwagon and forgetting it might not be the most resilient approach?

Ross – the irony is that using cookies to track behaviour gives more control to the user over that tracking than stuff collated server-side, because they can delete cookies easily if they care enough about them to learn how. So this law will only really protect people who don’t care that much, whilst penalising EU businesses, and irritating many others.

Besides ‘lazy’ often equates to ‘efficient’ or (importantly for clients) ‘cost-effective,’ since it essentially avoids doing unnecessary work. Site usage tracking doesn’t need to be particularly resilient, unless external factors (like this law) significantly increase error margins by reducing the sampling % – so cookies are a reasonable choice for that. Tracking site use with databases etc. will incur more development overheads, but will still be essential – so some clients will want to maximise returns on that extra expense by tracking more aggressively. This law couldn’t be more of an own goal if it tried.

> Maybe what we’ve become is a little lazy in our coding by jumping on a cookie
> bandwagon and forgetting it might not be the most resilient approach?

I understand that although the focus is on ‘cookies’ here, the legislation is actually about tracking/maintaining state – which includes flash cookies (aka Local Shared Objects), session IDs in the URL and other (potentially more ‘reliable’) approaches that crop up in the future. Doesn’t this cast your question “So what?” in an entirely different light?

This whole topic serves to show why Europe is in such dire straits. With our economies falling down around us the politicians are passing a ridiculous law about cookie. WTF – if people do not want cookies on their machines they can set their browser not to download them. Simple as that – takes about 15 seconds. What is all the fuss about?

If the MPs really want this crap then surely they should just ask the browser manufacturers to make their browsers detect cookie and request temporary or permanent permissions to set cookie (or not as the case may be) rather than requesting that every website designer rebuilds their websites.

What planet are these people on??

haha, impressive. Wondering if it will affect Canadian website design industry too?

“The easiest way to resolve problems with Google Analytics, cookies, opt ins and The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 is to stop using Google Analytics.

There are other products such as our eVisit Analyst Select Version 8 which offers similar functionality to Google Analytics but without using cookies.

Not only does this elegantly fix these problems but as we are a UK company that operates in the UK we are in the jurisdiction of the UK legal system.

Our hosted systems are secure but for extra comfort our systems are available for location and operation within customer’s data centres.

Our systems are not that expensive and in some cases are cheaper than implementing opt in solutions which as previously commented don’t work anyway. We are associated members of Audit Bureau of Circulation and our systems can be used for COI website audits.

Can’t fault you for taking a marketing opportunity Paul, but the real problem is that flawed legislation compromises a popular free solution to obtaining business-critical data. Offering a paid solution doesn’t solve that underlying problem *at all* – it just swaps it for an alternative – either:
a) The problem of an extra business expense during an economic downturn, or;
b) The problem of how does one run a business and advertising without effective stats.
For many, many businesses (and charities), ‘b’ will be the default position. You may (or may not) only care about the ones who find your services cost-effective, but the fact remains that they have a right not to be penalised by incompetent law-making, and even your clients would be penalised (to the tune of your costs) compared to those who don’t *have* to comply with this legislation.

Incidentally, we now have only a few months left before the ICO should theoretically start persecuting innocent site owners who don’t even want to track their visitors but happen to use a standard technology without explaining it to the widely-technophobic British public. To date, the only sites I’ve seen that has shown any sign of compliance are this one, and the ICO site itself (whose solution is impractical for any serious private-sector site). Is anyone actually aware of a site that has found a workable, yet compliant, solution that could become a common model?

In my investigation into this problem I’ve come across these solutions: –

http://www.wolf-software.com/downloads/jquery-plugins/pecr-and-google-analytics/ (only applies to GA cookies)
http://www.reddbridge.co.uk/ (their own site has a plugin but it doesn’t seem to be available to others now)
http://cookieq.com

Whilst these solutions would enable some progress towards compliance I’m not sure any of them are perfect. I think the problem is more fundamental than that – given a choice many people will simply reject the request to store cookies or ignore the request and continue to browse without accepting them. This is not necessarily good for them or the web site they are visiting. Web site owners will be deprived of data useful for improving their site user may be deprived of certain functionality. Most people will find the process of being prompted to authorise/reject cookies on a site-by-site basis extremely tiresome and will be irritated by their browsing experience.

The EU nanny-state knows what’s good for them of course. This is all a fear-based reaction to the possibility that some big brother (advertisers) might know more about you than you would want (unlikely given that data attributable the actual identity of an individual would not be being tracked). Where data that might be identifiable is stored e.g. shopping carts and payment processing then this would be exempt anyway because it is “strictly necessary for the provision of a service requested by the user”.

What is needed IMHO is a single policy that can be enforced by the users browser (and I’m not just talking about users specifying preferences in the hope that the sites they visit will respect their settings). The main browser producers need to get together (sooner rather than later) and agree and implement a definitive standard and, at the next browser update (which is very frequent these days), the user should be taken through a clear set up process where they can specify their preferences in relation to cookies. Then everyone can be left in peace. If you happen to be running an older browser which doesn’t have such policies, tough. If you’re too lazy or ignorant to update your browser then you clearly won’t care about cookies and can continue in blissful ignorance (individuals have to take some responsibility).

It appears that the UK Government may have sympathy for browser-based solutions because they’ve set out proposals to continue to work with browser producers to see if enhancements can be made to meet the EU directive (I can’t help but think the EU should have done this before introducing the directive. C’est la vie). In responding to the directive, Government Minister Ed Vaizey calls it a “challenging provision” and has made clear that “enforcement action will not taken until appropriate technical solutions are available”. The ICO on the other hand makes it clear that web site owners can’t wait for a browser-based solution and we are expected to implement the directive – confusion reigns. No doubt everyone will universally ignore this ridiculous requirement until the last possible moment. Hopefully if enforcement action is taken they’ll go for the big boys with European operations first – e.g. Google and Amazon et al (who I notice haven’t yet attempted to implement any kind of solution).

Thanks Nick – I hadn’t seen *any*, and like you, I suspect that we’ll all end up avoiding implementing anything until we really can’t afford not to. Besides, these are just variations on the ICO ‘solution,’ and ultimately the problem is the effect of these notifications on site visitors and business stats/competitiveness, rather than technical implementation.

I’d broadly agree on a browser-led approach if done properly, but the real solution to all this starts with everyone agreeing on two simple and pretty undeniable facts:

1. Property owners have a right to know what their visitors are doing whilst ON their property”. This is as true of virtual properties as real-world ones, and vital to most functions of society, including trade.

2. Individuals don’t like being followed or profiled after they have *left* a property, especially without their consent, and this should not generally be allowed purely for the commercial benefit or the property owner. Noticing when they return to your own property – fine. Watching where else they have gone – not fine.

These issues have nothing to do with a specific technology, so should be easy for the least technically competent lawmaker to grasp. They should stick to making laws about behaviour like that, not targeting technologies that they patently haven’t even tried to understand.

Of course, this does still mean that we have a continent-wide lawmaking process that can pass laws without the slightest attempt at researching facts, implications or consequences…

Pete, I agree with your 2 simple principles. Makes perfect sense to me.

Your analogy with virtual and real-world properties is a good one. The obvious example being that if we are running a bricks and mortar store, customers are quite used to having their movements and behaviours tracked by CCTV, the usual data protection requirements apply in these circumstances and you will have no doubt disclosed this purpose in your data protection registration with the ICO. On that basis the store owner does not need to get the customer’s consent before they enter the store. The agreement to being tracked is implicit and by choosing to enter your property the visitor is deemed to have accepted that condition. Similarly (point 2) the store owner doesn’t send a camera after a customer when they’ve left the store.

The question is, what can we do about it after the fact? Mass disobedience seems likely by default. Many website owners might not have access to easily implemented technical measures (people with sites using a CMS like WordPress might not even know whether cookies are being set, for example). An antiSOPA-like campaign might be in order with some high profile operators leading the charge. The aforementioned Google or Amazon who will probably be most affected by this crappy legislation seem to me to be the obvious people to pick up the baton. (as an aside, I browsed amazon.co.uk from a clean start (all cookies cleared first) and after looking at a few pages checked what was there – there were no less than 50 cookies that had been set! – I’ll start worrying when Amazon have been fined by the ICO).

None of the solutions you have pointed our are either particularly easy to use or have the capacity and adaptability needed for enterprises. The product provided by the Cooke Collective is a different thing altogether: http://www.cookielaw.org/cookie-solutions.aspx

One of the big problems however is the lack of information available about what cookies are and do, here is a site that is attempting to change this: http://www.cookiepedia.co.uk

On the issue of browser solutions – this can never be the whole story. Though a browser is obviously capable of blocking cookies. People can only give consent via a browser if they have the information about what they are being used for – and this must come from the website.

I can foresee a time when websites could communicate the purpose of cookies directly to a browser (through meta tags or similar) and the browser can then offer user control – but it will still be upon website owners to create the information that the browser can interpret – so even with such a browser, modification of the site will be needed.

In response to Pete – if you walk into a shop, does that give the staff a right to inspect the labels on your clothes, look at the contents of your wallet, to determine whether or not you are a worthy customer? That is effectively what they are doing online.

I suggest the law makers did not what they were doing – the industry had years to do something about it – but decided instead to mostly stick its head in the sand. When that happens, you shouldn’t really be that surprised when someone comes along and gives you a boot up the backside every now and then.

Here’s the thing – people exaggerate cookie threats to newbies to scare them, or to sell them ‘solutions,’ and that scaremongering is now driving legislation, which is wrong. Yes, cookie technologies can be abused, but not like that. Site owners can’t use cookies to look into my wallet, nor to look at the labels on my clothes – not even ‘effectively’ – and they have every right to take an interest in how I’m acting whilst on their property, virtual or not. Basic cookies are domain-specific, and can’t grab information unless a site actively feeds it to them, so it isn’t even that easy for single-site firms to achieve any off-site tracking – but the ad and analytics networks they partner with can do so, because those span many domains.

Once I’m off that property, I don’t particularly want to be tracked by ad networks, and yes, that should be my choice – but it always has been. That’s why *easy* cookie settings have long existed in browsers, and antivirus/firewall solutions provide further control. The argument is that this is too complex for many users – yet those same people are expected to understand the details of what cookies are, how they are being used, and to make informed, separate choices in response to potentially-technical messages on almost every EU site they visit? Because that will *really* make them feel safer. No, that’s just insane.

Many site owners don’t even understand cookies or even whether their site uses them, let alone how to misuse them. Those who *do* profit by doing so will just mislead their visitors in any message about how those cookies are being used. Meanwhile, less devious site owners will be conned – with assistance from EU courts – into paying perhaps hundreds of pounds a year to check compliance with a law against something that they weren’t doing in the first place. All for the sake of people who like to fret about their privacy but can’t be bothered to even look at existing ways of protecting it.

The ICO’s caution is heartening, but in no way is this legislation competent.

In the other thread

http://www.davidnaylor.co.uk/return-of-the-eu-cookie-directive.html

I’ve just come to the same conclusion as Michael Jones did here, some 316 days ago.

As for other implementations, I’ve also found:

* http://www.cookielaw.org/

and Mark Steven presents a solution from Civic UK in the other thread too:

* http://www.civicuk.com/cookie-law/index

This is what you get when
1) people assume their users are morons – witness the phase of spurious links emulating the perfectly serviceable “Back” button in the browser
2) their users *are* morons who need such idiotic ideas
3) people annul their ability through individual responsibility (“I shouldn’t have to learn all the controls to my browser”)
4) as the above says, you appoint fat cat lawyers and idiotic politicians who wouldn’t know a bendy banana whichever end of them you showed it to.

Interesting. The official site of the EU – http://europa.eu – which should have been compliant since the law was passed – simply dumps a cookie into the cache without any warning/explanation/opt-in.

It seems they use a “select a language” splash-page as a kind of paywall to allow them to set a cookie that would be ‘essential’ for the provision of services, and therefore exempt. However, as we all know (right?), you don’t need a cookie to determine the preferred browsing language, and even if the default is wrong, the standard for language-selectors is an unobtrusive set of flag icons. The point is that choosing a non-default language is optional, not essential, so their own site is (surely?) non-compliant, even now.

That site also links to petition options: http://www.europarl.europa.eu/aboutparliament/en/00533cec74/Petitions.html

Just sayin’…

I got as far as “lawyers” … tres witty. I think we’ll need some clever pursuasion architecture to get people to opt-in. It’s only a matter of time before the functionality gets built into browsers anyhow – wouldn’t that be an easier approach to legislate?

Bob Whelan

Love it!! This has made me realise just how stupid this is, I did not think into it as deeply until clicking all those boxes. Will it happen though that’s the question. We do have to deal with some stupid shit!!

Great laugh…. I have been trying to think of a straight answer to the crooked law (perhaps we should re-name it), it has been law for nearly a year. How many laws come into force, and then say, hmm, too difficult to understand or comprehend so we won’t enforce it yet…. stupid ….!

By the way

” if you walk into a shop, does that give the staff a right to inspect the labels on your clothes, look at the contents of your wallet, to determine whether or not you are a worthy customer”

When you walk into a store, the shop staff (and store detectives) do look at you and judge you by your looks – statistically 1 in 20 are actually trying to steal from a shop. They look at your you clothes, the way you act, watch you with cameras, take your name and address when you get a refund… watch you with cameras and store the images ….. they remember your face when you come back in the store …… you get the picture

For anyone who’s not seen this, it looks like the most sensible approach so far: –

http://www.international-chamber.co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cookie_guide.pdf

Whilst not strictly “advice” David Evans, group manager for business and industry at the ICO, said at the launch of the guide: “Today’s ICC UK guidance provides organisations with a good starting point from which they can work towards full compliance.”

That guide seems to suggest for services like Google Analytics a more seamless approach:

‘Obtaining consent by functional use: Immediately after the notice in Part 2 above, place the words: “By using our [website][online service], you agree that we can place these types of cookies on your device.”’

..ehich seems more reasonable – not sure if it is enough of an explicit opt-in, but it certainly seems the most pragmatic solution.

Yep, that does look useful in terms of figuring out some simple language to use, but it doesn’t fix the core issues of how to get visitors permission for cookie-setting without disadvantaging European website owners either in terms of:
a) Driving visitors away;
b) Restricting the information available to them on the use of their own website;
c) Exposing them to opportunist “pay us to check this for you” sharks;
d) Having to pay developers to mitigate the damage done by incompetent law-making, or face fines for not doing so;

We have to work with this for now, because the ICO’s leeway is about to run out – but in the medium/long term, laws can be revised and even reversed, and that’s what we, as an industry, should be seeking to achieve here.

About a Terms & Conditions with Cookie Policy when some enters your site on a landing page, most people will not bother to read through it all and just click accept?

I think most people would just ignore it and not click anything, in which case you wouldn’t have their consent. You are then faced with either not letting them browse the site until they accept (not good for getting the best out of your visitors), or letting them browse without cookies and lose any analytics data and other functionality. None of which is ideal.

Forces outside the internet are ruining Cookies for everyone, but I want to know what the Sesame Street Cookie Monster has to say about this!?

I think cookies are entirely reasonable thing. If people don’t want to be tracked, then either don’t use the internet or turn off cookie tracking on your browser.

EU “Cookies” Directive. Interactive guide to 25th May and what it means for you

159 Comments

Get in Touch