
back to article Got a website? Pay attention, Cookie Law will come

Small businesses need to be careful of the European Union cookie law - although so far most countries seem to be ignoring it. Many websites drop cookies, a small piece of software, onto visitors' machines to help with navigation, page view counts and to remember users' log-in details. But changes to European privacy law last …

COMMENTS

This topic is closed for new posts.


Lawyers

"Businesses must get users' consent before installing cookies and follow rules in storing and accessing information gathered from them."

This has already been interpreted by many advertising companies and approved in the UK as "showing a certain icon on screen when a cookie is placed" - apparently this implies explicit consent.

Also "must get users' consent before installing cookies" apparently allows for users to give permission after the event.

0
0
Stop

Really

" and approved in the UK"

Citation required.

7
0
Anonymous Coward

Advertising companies.

Anyone who doesn't block adverts deserves everything they get.

3
5
Anonymous Coward

That's for behavioural ads only

Not generic cookie use. For that, I'd suggest an icon of a half-munched cookie with the legend, 'This site uses cookies. Bite me!'

1
0

This post has been deleted by its author

Silver badge

I can explain

Session cookies, for example to remember what you have placed in a shopping basket, are allowed.

If you want to store data across browser sessions, you have to ask, otherwise, when someone visits your site again, it will be like it is the first time they have ever done so. Not fatal from a user experience point of view.

3
2
Anonymous Coward

erm

Ever worked with users? In my experience they'll click Yes or OK just to make the box go away!

As you say though, they won't have a clue what they're doing

0
0
FAIL

session cookies are not really 'allowed'

you still have to gain explicit consent.

It even applies to analytics cookies. So, to see where people go on your website, you have to gain their explicit opt-in consent. Yep, you can't watch people walking around your shop. Not allowed.

Every single site we operate will have to be changed at the cost of many thousands of pounds to my clients (a few hundred quid a pop).

I have to explain it to them and bear their wrath because they have to spend money for no 'benefit'. It's a shambles and no-one in the web dev. world seems to be grasping this nettle because it just seems like such a waste of effort and time.

6
0
Silver badge
Pint

Boxing clever

"In my experience they'll click Yes or OK just to make the box go away!"

"To continue further in your enjoyment of our website we require your acceptance of a cookie to enhance your experience here"

Sorted.

0
0
Megaphone

Bravo

It's exactly that attitude which got us into this situation in the first place, the current environment of self-regulation *scoffs* means that people's ignorance is being exploited by all kinds of otherwise legitimate outfits so now big, broadly written laws have to be written to try and correct the situation.

The cost of updating websites is moot as everyone has to do it and as for users' lack of understanding, well it's the responsibility of those of us who do understand the implications to impart that wisdom upon others, not simply bear their wrath.

5
2

This post has been deleted by its author

Session has nothing to do with it

It's nothing to do with the session - certain cookies are allowed WITHOUT consent providing they are "essential to the functioning of the website/service" ...

So, cookies that are allowed without consent (though you should still have a page explaining what they're for) would include things like a cookie that holds the contents of the user's shopping basket or an authentication cookie that allows the site to verify that the user is logged in.

Cookies that would REQUIRE consent would be things like analytics cookies (including Google Analytics) or cookies that save user preferences - basically anything that is not absolutely necessary for the site to function.

Where I lose the plot a bit is with third party cookies - say for instance your site is using Google Analytics - well, that's based in the US and I'd guess Google aren't going to put a little pop-up that says "track me please", so it would, presumably, be up to the site owner to gain consent from their visitors to allow Google to track them?

0
0
g e
Silver badge

So does that mean -

That Google analytics code will have to pop up cookies on your behalf?

1
1

To be fair

It was up to the site owner to use Analytics so why shouldn't it be up to them to explain the cookie.

To say that they don't is a bit like saying that a site that provides a Direct Debit form shouldn't contain details of the DD guarantee. Even though it isn't their guarantee.

2
3

How do you know?

How can a site owner provide information about what Analytics cookies may or may not be doing? They don't know, and Google are hardly going to tell them.

To use the DD analogy, it's a bit like being required by law to print the details of the guarantee on the form, but the bank refusing to tell you what the terms of the guarantee actually are.

1
1

Yay, Pish

This is just the EU getting back at the interwebs for giving so much air time to the likes of Nigel Farage.

Way 2 go, Nigel. Gotta root for the 'underdog'.

0
0
Stop

null

It is a little bit crazy in some ways is this law. Not all cookies are malicious.

Granted some are bad and are used for profiling your web browsing habits etc etc, but then, just about every website you log in to uses cookies to establish a session. If you refuse to accept cookies, how the fuck will you establish a session in the stateless web?

Perhaps the law needs a little refining so it only applies to advertisers etc and not people needing to use cookies as an integral part of their web apps.

And just to add as good advice as ever - we should all be using secure cookies!

2
1

Sessions

You can pass session tokens in URLs, that used to be quite common. It is however, very lame, and results in lots of ugly looking links.

Wasn't there some talk of this not applying to 'session' cookies which were required for the functionality of the website?

1
0
Pint

titles suck more than our leadership

Session IDs via the URL, apart from being hideous, are also horrible from a security point of view. Just about the easiest way to pass your session to your mate. Consider this scenario:

Me: Bloody hell, these are some fantastic cigars and rum. Dude check out these (copying and pasting link to him via IM).

Mate: Being a bit more tech savvy perhaps, realises he has picked up my session to some website to which I am already authenticated with pre-stored credit card details and decides he is going to go on a shopping spree.

A little far fetched and certainly hypothetical, but it could happen.

P.S. I am not that fucking thick!

3
1
FAIL

Could we stop redefining 'ugly'?

Let's. An URI isn't "ugly". Your uncle may be ugly; industrialization of a pretty forest is ugly, but an URI is simply an address, and beyond the "theregister.co.uk" bit it ain't meant to be human readable.

Just stop setting unnecessary cookies.

3
3

@windrose

While I would love to fully agree with you about the URL, how many times do you see things advertised on the TV or in the media some place as domain.com/product ?

Some things after the actual domain do need to be humanly readable, but mostly, yes I do agree with you.

Granted this is all going to become less relevant with this current fad of putting "Search for XYZ online" in ads these days.

0
0
FAIL

Errm, no, not necessarily

URL session tracking is fine, as long as a robust set of login criteria including remote IP address are tracked, it's blinded with a nonce value, it's hashed and it's compared every page view with the value stored in the DB. You should also use a cookie in tandem with it, which since it's for authentication isn't covered by this (admittedly braindead) legislation.

0
0
FAIL

Cookies ARE NOT software.

Perhaps you guys need to do a slight bit of research before you spew garbage...

8
4

"Cookies ARE NOT software."

Yeah but, they are.

Reminds me, some guy was telling me "a computer case is NOT hardware". *SIGH*

some people just need to stop smoking crack.

PS. I still think the cookie law is somewhat stupid. I bet the guy who wrote the law didn't even know what a cookie was until 3 pages in to it.

5
2
Facepalm

@TAK

Cookies are data, not software

2
0
FAIL

Software?

"...cookies, a small piece of software..." Well, I guess you could put some code in a cookie and find a way of executing it but this is really stretching the definition of software.

6
2
WTF?

null

Since when was a Cookie a piece of software? It is a chuffing text file!

3
2
FAIL

Software

Indeed. A cookie is most certainly not software.

Software comprises instructions that are executed by the computer.

5
2
Silver badge
WTF?

IWGTST

That annoyed me, too. If the reg. is going to patronise its techie readers, it might try to do so accurately.

1
2
Go

Or...

And, if it can't do so accurately, then there's nothing wrong with the house style of doing it sarcastically - that's been working well for some time now.

4
0

"Software comprises instructions"

It is by interrogating the Cookie that the browser finds out 'what to do', if that is not an instruction, I would love to hear your definition of what is.

This website is software because it comprises instructions for recreating the site on the client machine. The image file software contains the instructions that tell the image rendering software how to draw The Register logo, while the font software on your computer is a precise set of instructions for recreating text on the screen.

That is if you draw the arbitrary conclusion that software has to contain instructions, which of course, it doesn't. A help file is software, as is porn. Even though you could say that both comprise instructions for recreating images on the screen, that is beside the point.

I would say that any collection of intangible data that means anything to either the user or the computer, is software. Does your Windows executable stop being software when you copy it to a Mac? What about if you encrypt it as well? Now suppose that you have an encrypted file that MIGHT contain an executable, but you are not sure, is that software? Or does it only become software after you decrypt it? Does the fact that it CAN be decrypted not mean that it was software all along?

The software on my harddrive is hardcore, no soft-porn.

2
1
Happy

However, software != data

The information in a cookie is data. At no point on any platform is the content of the file executed or converted by means of compilation or interpretation to instructions that can be executed by a processor.

Therefore, although a cookie may fall into a broad categorisation of software as in 'anything that is not hardware', in my book as well as most other people's, it's just data. It is not a program that can arbitrarily do anything it wants, it contains information that is processed in carefully defined ways by the web browser.

The important issue at stake here is that less technical users will be scared of cookies because they don't understand them. The IT security industry is at this very moment busy telling every computer user to be careful of running malicious "software" on their computer lest they are defrauded or have their identity stolen. Therefore, by terming a cookie as "software" we are unnecessarily inducing FUD.

Ultimately, many websites will be broken and many headaches will be caused for businesses and web designers alike as a result of this FUD. This will make conducting business online more complicated and expensive and for this reason I disapprove of anything that will add to it (even if it is semantically correct).

4
1
Headmaster

Are Colleges dumbing down?

Cookies not program code???????!!!!!!!!!!!!!!!

Has the rush to etch-a-sketch drag and drop programming meant the people no longer read books like Niklaus Wirth's "Algorithms + Data Structures = Programs"

Oh Sorry, written in 1976, replaced by OOP and the Agile manifesto.

Teacher Icon.......

2
3

@ Klutz

"It is by interrogating the Cookie that the browser finds out 'what to do', if that is not an instruction, I would love to hear your definition of what is."

Software is described as a series of instructions, yes, but they are programmed instructions compiled into code that a computer can execute. Those instructions can include the reading and processing of data, and that data can be used in decision making within the software, which can then affect the software's behavior.

A Cookie is, by definition, data. It is not software as it cannot be executed by a computer. Instead, software can read a Cookie and take the content to determine how the software is to behave.

Or look at it another way: I go to a website for the first time: The website can't find a cookie, but it is still able to function properly. If I delete the cookie it creates, it will still work: It will just lose the setting, preferences and other data it was storing on my PC.

So rather than referring to Cookies as instructions, it would be safer, and perhaps more accurate, to refer to them as preferences and/or settings.

3
0

A cookie could be seen as an instruction...

if you take it as a mnemonic for what the server has to do. Sure, it's generated by the server, rather than programmed by hand, but you're basically turning the web into an interpreter, generating single-use programs that take the cookie as one of their input instructions and return different output based on that. Sounds pretty much like a procedure call in any other programming language.

Well, that's one possible argument....

2
0

data

No, it's just data, no different from a row in a db table. You could store user preferences in a db table or in a cookie - they're simply different methods of storing and passing data.

0
0
Anonymous Coward

EU Web Laws

Bunch of shite

0
3
Bronze badge

This is of course, utterly daft

We already had that, back in the early days of the web it was common to see sites pop up alerts asking for permission, it was terrible UX and broke functionality when users clicked no.

Perhaps the EU should mandate marquees and flashing text be mandatory on every page to complete this trip down memory lane?

5
2
Facepalm

Small pieces of software?

That's really what you're going with?

5
0
Trollface

yah...

talk about shutting the barn door after horses have bolted...

What is the use of cookies with LSO Objects, Web Bugs and referral tracking, not to mention browser identification algorithms around?

0
0

re: yah...

As far as I understand it from a site I just read to gen up on this, LSO objects and all other means of storing information on the local machine to track a user's activity are covered by this law. As such the term 'Cookie' as applied to this law is misleading.

1
0

What about non-commercial sites?

I presume this applied equally to non-commercial websites?

Does anyone know for sure?

0
0

ICO response

I emailed the ICO regarding who is affected by this rule and their response was (edited to important bits):

"Organisations that are operating in the UK (regardless of whether their website is technically hosted elsewhere) would be subject to UK law.

Obviously organisations operating outside the UK would need to comply with legislation which is local to them. If this is in the EU similar legislation to our own will exist."

Commercial, non-profit, hobbyist et al are all affected.

1
0

The Cookie Crunch

Yes, it applies to all websites, irrespective of whether commercial or not. Basically, anyone using Google Analytics is captured, there are even cookies used in code such as .NET. It's clear that the legislators didn't think through the potential impact of this enough before pushing it through; now you have a range of responses across Europe, from German sites switching off analytics, through to French sites ignoring it and saying it doesn't apply to them, to UK site owners being unaware or burying their heads in the sand.

0
0

Businesses only?

Does anyone know if this also affects non-profits?

0
0

And...

how does it define 'users'?

0
0
Thumb Down

software?

Since when was a cookie "software"? Cookies are just key/value pair data that are stored and retrieved based on specific domains by a browser; and only because that browser implements cookie handling. There is no "software" that gets installed, nothing "helps websites", they're just strings that a website can ask the browser to store when its pages are loaded, so that it can read the values it asked to be stored sometime later when that same browser opens the same website's pages.

So, "many websites ask your browser to store cookies, bits of text that are stored for a website, which are sent back to it every time the website is loaded by your browser. Making use of this standardised data storage system in your browser allows websites to easily (although not securely) deal with navigation, page view counts and sometimes even log-in details"...?

4
0
FAIL

Will we be allowed to

store a cookie with your cookie storage permission status?

9
0
Mushroom

Hmm

Three things I'd like to point out at this juncture, other than the aforementioned.

Firstly, isn't there some kind of clause for not having to get user permission if it explicitly is required for core functionality? Such as carts on a shopping site wouldn't have to because that's considered core functionality.

Secondly, localStorage is not considered part of the mandate as far as I know, meaning you could shove the cookie data into that and call data with AJAX calls appending it to the URL.

Thirdly, yes, you can avoid it to a degree by making things handle sessions through the URL as above but that would easily make things worse because I'd be willing to bet the majority of developers aren't smart enough to avoid session fixation when it's not provided for them by a framework.

I'm waiting to see what El Reg's UI for this looks like... ;)

1
0
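
The two session-handling points raised in this thread (comparing a nonce-blinded hash of the remote IP against a stored value on every page view, and avoiding session fixation) can be shown together in one server-side sketch. This is an added example, not code from any poster; `SessionStore`, `demo` and the sample addresses are hypothetical names and constructed values, and the dictionary stands in for the database table.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory stand-in (assumption) for the DB table of sessions."""

    def __init__(self):
        self._rows = {}  # token -> {"nonce", "binding", "user"}

    @staticmethod
    def _bind(nonce, remote_ip):
        # Hash of the client address, blinded by a per-session nonce.
        return hmac.new(nonce, remote_ip.encode(), hashlib.sha256).hexdigest()

    def create(self, remote_ip, user=None):
        token = secrets.token_urlsafe(32)   # unguessable session token
        nonce = secrets.token_bytes(16)
        self._rows[token] = {"nonce": nonce, "user": user,
                             "binding": self._bind(nonce, remote_ip)}
        return token

    def validate(self, token, remote_ip):
        """Run on every page view; returns the session row or None."""
        row = self._rows.get(token)
        if row is None:
            return None
        seen = self._bind(row["nonce"], remote_ip)
        if not hmac.compare_digest(seen, row["binding"]):
            return None                      # token presented from elsewhere
        return row

    def login(self, token, remote_ip, user):
        """Fixation defence: the pre-login token is never promoted.

        Whatever token arrived with the request is discarded and a
        fresh one is issued for the authenticated session.
        """
        self._rows.pop(token, None)
        return self.create(remote_ip, user)


def demo():
    store = SessionStore()
    # Constructed addresses from the RFC 5737 documentation ranges.
    owner_ip, other_ip = "192.0.2.10", "198.51.100.7"
    anon = store.create(owner_ip)
    # Pasted-link scenario: same token, different remote address.
    shared = store.validate(anon, other_ip)
    authed = store.login(anon, owner_ip, "alice")
    return {
        "shared_link_accepted": shared is not None,
        "old_token_after_login": store.validate(anon, owner_ip) is not None,
        "new_token_user": store.validate(authed, owner_ip)["user"],
        "token_rotated": authed != anon,
    }


if __name__ == "__main__":
    print(demo())
```

The address binding does nothing when both parties share an address (same NAT or proxy) and invalidates sessions for clients whose address changes, so it complements keeping the token out of the URL rather than replacing it.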

shudder

as a user outside the EU visiting the .co.uk version of El Reg I hope I don't have a diminished experience because of this :)

0
0
