here's looking at you kid
Is the reg conpliant? In the interest of balance and fairness I think we should be told. :)
Most government websites will fail to comply with new laws on cookies when the Information Commissioner's Office (ICO) begins formally enforcing them next week, the Cabinet Office has said, according to reports. Websites store cookies on a user's computer, but new EU laws say users should be given the choice whether they consent …
Is the reg conpliant? In the interest of balance and fairness I think we should be told. :)
The methods for obtaining user consent can include using 'pop-up' prompts on users' screens that ask for consent to cookies when the individuals access web pages.
What method is to be used to obtain consent to pop-ups? A cookie, maybe?
'consent' isn't 'prior consent'
see that link at the top right of the DCMS site?
that links to a page talking about cookie?
Moving on, nothing to see here (except a crap load of badly worded fuckery from the EU which should have been aimed at browser manufacturers getting them to add better cookie controls but which got sprayed all over the place by accident.
The best part about that link is how the web developer has worked the word 'Cocks' to sit just beneath the logo.
EU powering up a money printing machine and no doubt getting a lot more paper pushers employed with this piece of crap law.
Nobody cares except a handful of people with no friends.
Be compliant on time? Thats all i'm interested in :)
Had the marketing guys quiz us about this the other day as the web team had been hassling for permission, its a royal pain the ass!
Glad to see we are taking the same policy towards stupid European legislation as all the other victims of the EU - by basically ignoring it.
From the bottom of the article "However, it has also admitted that it is not likely to take action against website operators that use data analytics cookies, which measure the number of users of websites and how those individuals use them, if those operators have failed to meet the standards for consent for those cookies."
So Google Analytics is now fine. Hang on, wasn't the whole point of this legislation originally meant to be to stop companies like Google knowing everything you do online. Could this be a case where legislation intended to stop practice A only has ended up stopping a bunch of practices other than A?
Why does this not surprise me.
I think it is more the case of if it includes analytics then you are screwed. Our website runs on a "this has cookies that do this, dont like it then exit now" type approach. The same as tesco, sainsbury etc
That's the brilliant thing about this legislation. no one can say for sure.
The spirit of the law is about tracking and intrusiveness, So if cookies can be used to track you across multiple websites then they are highly intrusive and supposed to be the target of all this fuckwittery.
However Ed Vaizey and now the ICO said "er well we didn't really mean analytics cookies" "so we [i]probably[/i] won't fine you £500,000 for these"
Obviously they fail to realise that a big element of analytics is to see what site a visitor came from necessarily requiring an individual to be tracked across different sites.
It is all a huge fucking mess that if someone in a paid job who was actually accountable for their actions introduced something as vague and fucked up as this they would be sacked and never get a reference.
That's politics for you, you have to stretch incompetency to truly epic proportions to be held accountable for anything.
It gets better the more one thinks about it.. even if your website has third party adverts such as Adsense how can you be spanked for non-complience when you have no control over the code being used in the iframe?
>>how can you be spanked for non-complience when you have no control over the code being used in the iframe?
To quote from another article:
"But the ICO will consider that websites will be responsible for all cookies on their site: even if the cookies come from third parties – for example from adverts provided by an advertising service. Sites that host advertising need to talk to their advertisers about what cookies the advertisers are serving up and then pass that information onto users.
"It's a complicated chain, I know," said the deputy commissioner, saying that they were in talks with advertising bodies about standards."
So, it's All Your Fault, even when it isn't...
"That's the brilliant thing about this legislation. no one can say for sure."
Ain't that the truth.
I'm really not one of those massive anti-EU nut cases. Really. I don't even read the Daily Mail.
But this is the second time I've been directly effected by a piece of EU legislation, and the second time I cannot believe the utter incompetence of those who wrote it (or the UK government that enacted it without eliminating the idiocy).
WEEE (Waste Electrical and Electronic Equipment) had this ambiguity where it said that it didn't apply to existing products, but it was utterly unclear whether this meant product lines that were already existing, or upgrade components for products that existed already. And there was no way of telling for sure. The official guidance was basically "read our minds and we'll take you to court if you fail." The confusion saw products removed from sale for legal reasons that were clearly compliant under either interpretation - small manufacturers just can't deal with that sort of uncertainty. (anyone dump their early PowerMac G4 computer because cheap CPU upgrades were withdrawn from sale at just the point in its lifecycle when you were looking for one? This was to save the environment...)
Does any informed person know here if session cookies are exempted? I'm hearing conflicting stories. There is a loophole that says something to the effect that consent is not required if said cookies are necessary for a site's operation, and many sites do rely on session cookies to operate as designed. On the other hand, you could argue that they're not properly designed if there is such a reliance...
It depends on what they are being used for, if it is to hold contents of a shopping cart or provide access to a users personal information these can be considered to be essential to provide a service the user has requested and will be fine.
However if they just store user preferences, then technically you are supposed to get permission to store the cookie, however these are low priority and PROBABLY won't be penalised.
No they are not exempt. The ICO used to claim it's session cookie was essential as they had a form on the site that needed it, and so everyone got it. Now they only use it for the form in question, so they are now actually doing it right. Which wasn't the case a couple of months ago.
I'm keeping GA cookies as it's essential I know what customers want from our website, it's a free way of keeping the site up to date with customer trends
It's only free to you. It's a third party cookie and unless you have an agreement with the third party that they will comply with your data protection policies that won't fly as you are effectively trading your users' personal data for an analytics services. Anonymising the data by stripping the last octet of the ip address is the way around that.
GA is in no way essential to your or any other website. You can find out all the same info by doing your job properly and analysing the logs. Selling your customers to Google is not free.
I suppose I could replace GA with some sort of browser fingerprinting. You can track someone quite effectively with a combination of IP address and the info they pass regarding their user agent. Doesn't leave a pesky cookie that someone can remove, or have any of those annoying first party/third party distinctions that can let people make decisions in their browser options either.
But I won't. I'm going to ignore this idiotic piece of legislation and carry on with Google Analytics. Which sets a first party cookie by the way, and if you suspect Google is using the data to do anything more than provide the site owner with statistics, why don't you sue them for lying in their terms and conditions, and stop bothering the rest of us.
I notice the ICO asks for permission for cookies as a whole both those essential for operation of the site AND for those that could possibly be considered highly intrusive (ie GA cookies)
Surely this isn't actually compliant in the spirit of the law. What if I want to allow the essential cookies but not the analytic cookies?
I will be complaining to them on the 26th May I think.
Even better try clicking the continue button without ticking the accept cookie box.
This just demonstrates what a complete pile of dogshite the whole thing is. It would be funny if it wasn't real life.
...right after they start enforcing the disability discrimination act for websites.
Which so far as I'm aware they have yet to do.
Oh and that reminds me... must get round to blocking GA.
Ghostery + adblock plus.
You will have to turn off ghostery for the new version of the Met office web site. Their new version introduced a few weeks ago won't work unless you are being tracked. The old one was fine
The DDA stopped in 2010. The relevant law now is the Equality Act. The onus is on affected users to complain. Under the law, there's no government body with a pre-emptive duty to enforce
Oh, is that the problem? I've been in correspondence with the Met Office about the new site, which doesn't work for me on this Kubuntu machine in Firefox (with ghostery and ad-block), nor yet with Chrome or Konqueror (obviously without ghostery or ad-block, but still working through a privoxy proxy). At no point have they suggested that I need to get myself tracked.
After I diagnosed it myself - they made no sensible suggestions- I got the following from one Sarah Martin:
Thank you for your email.
"The Met Office uses Webtrends Analytics to understand how people are using the website and identify areas that can be improved or removed."
I hope this helps.
Met Office Customer Feedback
I now use Meteox and Weather Underground which work even when their many trackers are blocked. If you want a blobby forecast instead of doing it youself Weather Online" seem just as good as the met orifice.
This is a mess. The UK is supposedly bound to enforce this policy. Trying to double guess what is allowed/not allowed is impossible. And most small operators using industry software haven't a clue whether they are spewing legal/illegal cookies or not. The only sensible way forward is for ICO to declare that enforcement (if any) will be in the form of a penalty notice detailing the offending cookies and suspended for, say, 30 days (or 100% discount) if the offending site is sorted.
Then we can rest easily in our beds, let ICO decide how they want to enforce it or not, and then do the necessary. Or nothing. Otherwise this law has the danger of creating much unnecessary work and waste while missing the point of safeguarding both the user and operator.
Many of my sites were created BC (before cookies). We commonly used ServerSide programming to insert markers in the delivered page that could be read when the user pushed a continue link. This is how the first shopping carts worked.
Now because no explicit file is stored on their computer apart from the normal web page - would it be exempt from this law?
Save me trying to sort some old legacy stuff. It would be a major loophole. But then was this legislation ever run past anybody with a grasp of the industry?
The law isn't actually reall about cookies. It is the storing of any sort of data client-side (I believe ) that allows the tracking of the user.
It sounds like your code is..
1) an essential part of the service being provided to the user
2) not storing tracking data on the users machine.
So you sound fine to be.
The best thing to do is go to the ICO, read the reams of vague non-technical advice. Read how they may or may not prosecute you on a whim and then come away probably knowing no more than you do now.
Clearly nobody who knew anything had any part in the drafting of this legislation. Which is about normal. See.. well.. just about every piece of internet related leglislation ever passed.
Sorry about the typos. I introduced my desktop to 250ml of sparkling water last Friday and 20 years of touch typing doesn't really prepare you for a little x61 keyboard. :/
>>I introduced my desktop to 250ml of sparkling water last Friday
I take it the desktop didn't like that very much
It has not spoken to me since...
At least non of us have got anything more important to be cocking around with on our sites than this stuff huh
The only other cookies used are the __utma, __utmb, __utmc, __utmz for Google Analytics and we have advised our users that they can opt out if they so wish by following Googles own guidance ( http://www.google.com/intl/en/privacypolicy.html ).
Anonymous as I am still currently implementing this on our site...
That's the whole bloody point.
although it wasn't accepted by the client, was a big box at the top which says.
Cookies are essential for modern websites to work. Get over it [ ] I've got over it.
Once ticked, cookies are permanently enabled for the site.
The whole thing is a complete nonsense. The ONLY sensible solution for this is a browser-based one, with browsers keeping track of what sites you have enabled cookies for or not.
Strange how, when someone like me puts a cookie blocker on their browsers, most things continue to work just fine without them.
Sorry if it spoils your revenue model, but I'm not keeping cookies around just because you think your site needs them. It most likely doesn't.
As I'm sure you know, some things won't work. Which isn't an issue for you since you are aware of what you've done, what it means, and can make an exception if you need to.
Discuss this with many of my customers, and all you'll do is make them hungry. It would be a problem, but this whole thing is so deeply flawed that I know I can ignore it without any consequences.
Cookie-free analytics is so hot right now...
If your only cookies relate to Google Analytics, unless you want to trash your website and your visitor tracking with a horrid cookie consent feature (that the majority of visitors will either ignore or deny), then your best bet is to just move to a cookie-free system, and wait for Google to add this as an option on their Analytics.
It doesn't just relate to cookies. Calling it the cookie law is deceptive because it applies to any data placed on the client's machine by a website for the purposes of identification or tracking. Someone could create a different implementation and call it 'crumbs' but if it stores anything client side for identification or tracking the PECR still apply.
As far as I know Google have been utterly silent on this and since our government is one of only a couple of countries dumb enough to write this into law they may well just ignore it until the whole thing implodes and is forgotten.
All that's gonna happen now is instead of a small unoffensive, easily removed file if you wear a tin foil hat, file, now all the people needing analytics and tracking will download all the information your browser knows about you and store it in a nosql database for mining!
Gee How great is that!
They should levy the maximum fine against everyone they can. (Wipe out the deficit quite a bit). Most of the things I wanted existed on the internet prior everyone turning into greedy scumbags.
If you want to do it then do it properly server side.
If there was a search engine that only allowed content that didn't use ad's or cookies I would definitely use it.
(The content providers who complain about the useless drivel they just get from other sites really irritate me.)
If people want a police state it should apply universally not just to easy targets.
Violation of this law is just the same technically as me uploading goatse to peoples machines. Surely it should be covered under not installing files on peoples computers without permission.
(Computer misuse act or whatever).
The thing Google does (did ?) certainly should be a crime to get around the Safari no cookies thing.
Itunes seems to have a habit of doing all sorts of crap in the background of computers.
Facebook itself is more of a problem than the purpotrator of - http://forums.theregister.co.uk/forum/latest/2012/05/17/facebook_account_hacker_jailed/
British culture is a lost cause.
The individual is meaningless for the purposes of website analytics and targeted advertising, the movements of a single user whilst of academic interest it is actually the movement of the ' herd ' as whole that influences changes. Tagging every one of them using a cookie, pixel gif, HTML5 storage,Etag and a slew of other methods is just a waste of bandwidth.
Besides, even without cookies chances are good a visitor can still be tracked. https://panopticlick.eff.org/ fess up if tells you your PC is unique!
In closing something else to consider is the Phorm debacle, whilst this was swiftly exterminated by the groundswell of the public at large being outraged its almost identical data collecting twin in the form of services like Cloudlflare have gone largely unnoticed by privacy advocates.