Small businesses need to be careful of the European Union cookie law - although so far most countries seem to be ignoring it. Many websites drop cookies, a small piece of software, onto visitors' machines to help with navigation, page view counts and to remember users' log-in details. But changes to European privacy law last …
"Businesses must get users' consent before installing cookies and follow rules in storing and accessing information gathered from them."
This has already been interpreted by many advertising companies and approved in the UK as "showing a certain icon on screen when a cookie is placed" - apparently this implies explicit consent.
Also "must get users' consent before installing cookies" apparently allows for users to give permission after the event.
" and approved in the UK"
Anyone who doesn't block adverts deserves everything they get.
That's for behavioural ads only
I can explain
Session cookies, for example to remember what you have placed in a shopping basket, are allowed.
If you want to store data across browser sessions, you have to ask, otherwise, when someone visits your site again, it will be like it is the first time they have ever done so. Not fatal from a user experience point of view.
Ever worked with users? In my experience they'll click Yes or OK just to make the box go away!
As you say though, they won't have a clue what they're doing
session cookies are not really 'allowed'
you still have to gain explicit consent.
It even applies to analytics cookies. So, to see where people go on your website, you have to gain their explicit opt-in consent. Yep, you can't watch people walking around your shop. Not allowed.
Every single site we operate will have to be changed at the cost of many thousands of pounds to my clients (a few hundred quid a pop).
I have to explain it to them and bear their wrath because they have to spend money for no 'benefit'. It's a shambles and no-one in the web dev. world seems to be grasping this nettle because it just seems like such a waste of effort and time.
"In my experience they'll click Yes or OK just to make the box go away!"
"To continue further in your enjoyment of our website we require your acceptance of a cookie to enhance your experience here"
It's exactly that attitude which got us into this situation in the first place, the current eonviroment of self-regulation *scoffs* means that people's ignorance is being exploited by all kinds of otherwise legimite outfits so now big, broadly written laws have to be written to try and correct the situation.
The costs of updating websites is moot as everyone has to do it and as for users lack of understanding, well it's the responsiblity of those of us who do understand the implications to impart that wisdom upon others, not simply bear their wrath.
Session has nothing to do with it
It's nothing to do with the session - certain cookies are allowed WITHOUT consent providing they are "essential to the functioning of the website/service" ...
So, cookies that are allowed without consent (though you should still have a page explaining what they're for) would include things like a cookie that holds the contents of the user's shopping basket or an authentication cookie that allows to site to verify that the user is logged in.
Cookies that would REQUIRE consent would be things like analytics cookies (including Google Analytics) or cookies that save user preferences - basically anything that is not absolutely necessary for site to function.
Where I loose the plot a bit is with third party cookies - say for instance your site is using Google Analytics - well, that's based in the US and I'd guess Google aren't going to put a little pop-up that says "track me please", so it would, presumably, be up to the site owner to gain consent from their visitors to allow Google to track them?
So does that mean -
That Google analytics code will have to pop up cookies on your behalf?
To be fair
It was up to the site owner to use Analytics so why shouldn't it be up to them to explain the cookie.
To say that they don't is a bit like saying that a site that provides a Direct Debit form shouldn't contain details of the DD guarantee. Even though it isn't their guarantee.
How do you know?
How can a site owner provide information about what Analytics cookies may or may not be doing? They don't know, and Google are hardly going to tell them.
To use the DD analogy, its a bit like being required by law to print the details of the guarantee on the form, but the bank refusing to tell you what the terms of the guarantee actually are.
This is just the EU getting back at the interwebs for giving so much air time to the likes of Nigel Farage.
Way 2 go, Nigel. Gotta root for the 'underdog'.
It is a little bit crazy in some ways is this law. Not all cookies are malicious.
And just to add as good advice as ever - we should all be using secure cookies!
You can pass session tokens in URLs, that used to be quite common. It is however, very lame, and results in lots of ugly looking links.
Wasn't there some talk of this not applying to 'session' cookies which were required for the functionality of the website?
titles suck more than our leadership
Session ID's via the URL apart from being hideous are also horrible from a security point of view. Just about the easiest way to pass your session to your mate. Consider this scenario:
Me: Bloody hell, these are some fantastic cigars and rum. Dude check out these (copying and pasting link to him via IM).
Mate: Being a bit more tech savy perhaps, realises he has picked up my session to some website to which I am already authenticated with pre-stored credit card details decides he is going to go on a shopping spree.
A little far fetched and certainly hypothetical, but it could happen.
P.S. I am not that fucking thick!
Could we stop redefining 'ugly'?
Let's. An URI isn't "ugly". Your uncle may be ugly; industralization of a pretty forest is ugly, but an URI is simply an address, and beyond the "theregister.co.uk" bit it ain't meant to be human readable.
Just stop setting unnecessary cookies.
While I would love to fully agree with you about the URL, how many times do you see things advertised on the TV or in the media some place as domain.com/product ?
Some things after the actual domain do need to be humanly readable, but mostly, yes I do agree with you.
Granted this is all going to becoming less relevant with this current fad of putting "Search for XYZ online" in ads these days.
Errm, no, not necessarily
URL session tracking is fine, as long as a robust set of login criteria including remote IP address are tracked, it's blinded with a nonce value, it's hashed and it's compared every page view with the value stored in the DB. You should also use a cookie in tandem with it, which since it's for authentication isn't covered by this (admittedly braindead) legislation.
Cookies ARE NOT software.
Perhaps you guys need to do a slight bit of research before you spew garbage...
"Cookies ARE NOT software."
Yeah but, they are.
Reminds me, some guy was telling me "a computer case is NOT hardware". *SIGH*
some people just need to stop smoking crack.
PS. I still think the cookie law is somewhat stupid. I bet the guy who wrote the law didn't even know what a cookie was until 3 pages in to it.
Cookies are data, not software
"...cookies, a small piece of software..." Well, I guess you could put some code in a cookie and find a way of executing it but this is really stretching the definition of software.
Since when was a Cookie a piece of software? It is a chuffing text file!
Indeed. A cookie is most certainly not software.
Software comprises instructions that are executed by the computer.
That annoyed me, too. If the reg. is going to patronise its techie readers, it might try to do so accurately.
And, if it can't do so accurately, then there's nothing wrong with the house style of doing it sarcastically - that's been working well for some time now.
"Software comprises instructions"
It is by interrogating the Cookie that the browser finds out 'what to do', if that is not an instruction, I would love to hear your definition of what is.
This website is software because it comprises instructions for recreating the site on the client machine. The image file software contains the instructions that tell the image rendering software how to draw The Register logo, while the font software on your computer is a precise set of instructions for recreating text on the screen.
That is if you draw the arbitrary conclusion that software has to contain instructions, which of course, it doesn't. A help file is software, as is porn. Even though you could say that both comprise instructions for recreating images on the screen, that is besides the point.
I would say that any collection of intangible data that means anything to either the user or the computer, is software. Does your Windows executable stop being software when you copy it to a Mac? What about if you encrypt it as well? Now suppose that you have an encrypted file that MIGHT contain an executable, but you are not sure, is that software? Or does it only become software after you decrypt it? Does the fact that it CAN be decrypted not mean that it was software all along?
The software on my harddrive is hardcore, no soft-porn.
However, software != data
The information in a cookie is data. At no point on any platform is the content of the file executed or converted by means of compilation or interpretation to instructions that can be executed by a processor.
Therefore, although a cookie may fall into a broad categorisation of software as in 'anything that is not hardware', in my book as well as most other people's, it's just data. It is not a program that can arbitrarily do anything it wants, it contains information that is processed in carefully defined ways by the web browser.
The important issue at stake here is that less technical users will be scared of cookies because they don't understand them. The IT security industry is at this very moment busy telling every computer user to be careful of running malicious "software" on their computer lest they are defrauded or have their identity stolen. Therefore, by terming a cookie as "software" we are unnecessarily inducing FUD.
Ultimately, many websites will be broken and many headaches will be caused for businesses and web designers alike as a result of this FUD. This will make conducting business online more complicated and expensive and for this reason I disapprove of anything that will add to it (even if it is semantically correct).
Are Colleges dumbing down?
Cookies not program code???????!!!!!!!!!!!!!!!
Has the rush to etch-a-sketch drag and drop programming meant the people no longer read books like Niklaus Wirth's "Algorithms + Data Structures = Programs"
Oh Sorry, written in 1976, replaced by OOP and the Agile manifesto.
"It is by interrogating the Cookie that the browser finds out 'what to do', if that is not an instruction, I would love to hear your definition of what is."
Software is described as a series of instructions, yes, but they are programed instructions compiled into code that a computer can execute. Those instructions can include the reading and processing of data, and that data can be used in decision making within the software, which can then affect the software's behavior.
A Cookie is, by definition, data. It is not software as it can not be executed by a computer. Instead, software can read a Cookie and take the content to determine how the software is to behave.
Or look at it another way: I go to a website for the first time: The website can't find a cookie, but it is still able to function properly. If I delete the cookie it creates, it will still work: It will just loose the setting, preferences and other data it was storing on my PC.
So rather than referring to Cookies as instructions, it would be safer, and perhaps more accurate, to refer to them as preferences and/or settings.
A cookie could be seen as an instruction...
if you take it as a mnemonic for what the server has to do. Sure, it's generated by the server, rather than programmed by hand, but you're basically turning the web into an interpreter, generating single-use programs that take the cookie as one of their input instructions and return different output based on that. Sounds pretty much like a procedure call in any other programming language.
Well, that's one possible argument....
No, it's just data, no different from a row in a db table. You could store user preferences in a db table or in a cookie - they're simply different methods of storing and passing data.
EU Web Laws
Bunch of shite
This is of course, utterly daft
We already had that, back in the early days of the web it was common to see sites pop up alerts asking for permission, it was terrible UX and broke functionality when users clicked no.
Perhaps the EU should mandate marquue's and flashing text be mandatory on every page to complete this trip down memory lane?
Small pieces of software?
That's really what you're going with?
talk about shutting the barn door after horses have bolted...
As far as I understand it from a site I just read to gen up on this, LSO objects and all other means of storing information on the local machine to track a user's activity are covered by this law. As such the term 'Cookie' as applied to this law is misleading.
What about non-commercial sites?
I presume this applied equally to non-commercial websites?
Does anyone know for sure?
I emailed the ICO regarding who is affected by this rule and their response was (edited to important bits):
"Organisations that are operating in the UK (regardless of whether their website is technically hosted elsewhere) would be subject to UK law.
Obviously organisations operating outside the UK would need to comply with legislation which is local to them. If this is in the EU similar legislation to our own will exist."
Commercial, non-profit, hobbyist et al are all affected.
The Cookie Crunch
Yes, it applies to all websites, irrespective of whether commercial or not. Basically, anyone using Google Analytics is captured, there are even cookies used in code such as .NET. It's clear that the legislators didn't think through the potential impact of this enough before pushing it through; now you have a range of responses across Europe, from German sites switching off analytics, through to French sites ignoring it and saying it doesn't apply to them, to UK site owners being unaware or burying their heads int he sand.
Does anyone know if this also affects non-profits?
how does it define 'users'?
Since when was a cookie "software"? Cookies are just key/value pair data that are stored and retrieved based on specific domains by a browser; and only because that browser implements cookie handling. There is no "software" that gets installed, nothing "helps websites", they're just strings that a website can ask the browser the store when its pages are loaded, so that it can read the values it asked to be stored sometime later when that same browsers opens the same website's pages.
So, "many websites ask your browser to store cookies, bits of text that are stored for a website, which are sent back to it everytime the website is loaded by your browser. Making use of this standardised data storage system in your browser allows websites to easily (although not securely) deal with navigation, page view counts and sometimes even log-in details"...?
Will we be allowed to
store a cookie with your cookie storage permission status?
Three things I'd like to point out at this juncture, other than the aforementioned.
Firstly, isn't there some kind of clause for not having to get user permission if it explicitly is required for core functionality? Such as carts on a shopping site wouldn't have to because that's considered core functionality.
Secondly, localStorage is not considered part of the mandate as far as I know, meaning you could shove the cookie data into that and call data with AJAX calls appending it to the URL.
Thirdly, yes, you can avoid it to a degree by making things handle sessions through the URL as above but that would easily make things worse because I'd be willing to bet the majority of developers aren't smart enough to avoid session fixation when it's not provided for them by a framework.
I'm waiting to see what El Reg's UI for this looks like... ;)
as a user outside the EU visiting the .co.uk version of El Reg I hope I don't have a diminished experience because of this :)
- Xmas Round-up Ten top tech toys to interface with a techie’s Christmas stocking
- Google embiggens its fat vid pipe Chromecast with TEN new supported apps
- NSFW Oz couple get jiggy in pharmacy in 'banned' condom ad
- Exploits no more! Firefox 26 blocks all Java plugins by default
- Review Hey Linux newbie: If you've never had a taste, try perfect Petra ... mmm, smells like Mint 16