ICO warns: Just six months to comply with EC cookie rules The Information Commissioner's Office won't begin enforcing the new cookies law for another six months yet - in the meantime, the regulator has issued a reminder to web outfits warning them to prepare to comply with the legislation. On 25 May 2011, the implementation of the revised e-Privacy Directive passed with a whimper …
Most of this I am happy with and accept as being on the right track. However the regulations apply to persistent and session cookies (page 4 of their guidance pdf). This has evidentially been written by some arts muppet who does not have the first clue as to how a real web site is written.
Each page refresh to a web server starts afresh, completely unrelated to any previous page served up. This is not how a user sees it: they think of it as a conversation - a session. This sort of session cookie is used to tie the page hits from a user together so that they are related. The session cookie is ONLY returned to the domain that set it, expires when the browser is closed and, generally, is not recognised by the server if unused for 1/2 hour or so.
There is also little distinction on the purpose of a cookie. A request for a larger font size is considered the same as one that record the user's name, the privacy implications of these two are worlds apart.
Much too great an emphasis on the wording of a poorly drafted law rather than what the intention is.
The ICO's own web site:
They make great show of how to do it, but when I agreed to it storing that cookie on my machine and I found:
* 2 cookies from www.ico.gov.uk
- session cookie
- ICOCookiesAccepted - permanent cookie that expires in 2 years.
* 5 cookies from ico.gov.uk ---- which is a cross site cookie -- a site that I did not agree to.
cookies that vary from being session to permanent which expire varying from 1 hour to 2 years.
It's a EU-wide law and the European Commission is pretty good at enforcing such law even on "foreign" companies. Easily done when they almost always have EU-based subsidiaries in order to trade. The European courts, whilst not fast, are still faster and toothier than their US counterparts and increasingly uphold Commission findings. And, inasmuch as Google has already agreed to randomise the last octet for Google Analytics, you can seem them starting to fall into line.
Its been open season on UK internet users for some years...
"The ICO has not contacted any independent IT experts for their view on Webwise... The ICO are not technical experts so encouraged Phorm to be transparent and directly engage with technical experts to address concerns raised by such experts about the safeguards and nature of the Webwise product"
These are the people we expect to enforce cookie legislation? You're pulling my leg.
Meanwhile, old salts just dig up their old log file analysers and set up the webserver to start dumping a copy of the logs for each site in a folder somewhere and hardly notice the inconvenience. It's not like there is a critical need for the extra info gathered through a cookie most of the time.
You don't get the same detail or accuracy from log analysis that you do from javascript and session-based analysis. For a start session cookies help you separate distinct users using the same proxy. As this can happen anonymously - randomise the last octet of the address - there is little reason for it not to be used. One thing I'd like to see would be a "cookie manifest" for websites listing the name, purpose and duration of cookies as the BBC advocates (http://www.bbc.co.uk/guidelines/futuremedia/technical/cookies.shtml )
Of course, this is exactly advertisers don't want. But the law has been passed and the Commission will ensure it is enforced. It also sets a precedent for the next battle which will be the myriad bits of data requested and stored on mobile devices.
I have a list of companies that I'm going to check on the 25th May to ensure that they've implemented the change. If not, I'm going to submit a complaint to the ICO just to see what, if anything, they're prepared to do.
In my experience the ICO is extremely reluctant to prosecute companies. They will not prosecute a company for failure to comply with the PECR2003, and they will not prosecute companies for failure to comply with Section 11 of the DPA98. So I want to see if they're going to prosecute companies for failure to comply with the cookie legislation and if so, why the duplicity? Why enforce one section of the Act but not another?
I'm booking the day off work and if you're listed on my website I'll be checking out your site.
Webmaster www.mindmydata.co.uk
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
