Feeds

back to article UK cookie law compliance takes effect today

From today the UK's Information Commissioner's Office will begin enforcing the EU's revised ePrivacy Directive that requires website owners to be upfront with their users about the information they collect. The so-called cookie law was implemented on 25 May 2011 by Brussels officials, but getting the legislation transposed …

COMMENTS

This topic is closed for new posts.

Page:

This post has been deleted by its author

FAIL

Why should anyone comply? The ICO is a joke frankly!

I reported one large UK educational organisation for persistently spamming me despite being asked to stop on five separate occasions (including once in writing). ICO's response was that they couldn't help despite the organisations concerned clearly having no understanding of how to operate and maintain their own database.

So my guess is that we'll hear of a few high profile cases in the papers of the ICO taking action, but for the rest the ICO will sit around going "not my problem mate".

6
2
Silver badge
Facepalm

Bloody annoying

Whats worse, the fact that cookies existed or the annoying little pop up boxes that now keep keep appearing telling us cookies are about?

Someone develop something that erases the little annoying pop ups please.

10
0
Silver badge

Re: Bloody annoying

As far as I can see, if I don't accept a tracking cookie from a site I'll keep getting pop-ups telling me the site needs my permission to install cookies. Government mandated nagware, great...

14
0
Holmes

Re: Bloody annoying

Also annoying is the fact that you accepted cookies is stored ... in a cookie.

So those of us who expire all cookies when the browser is closed (and have been doing so for years) have to agree every time we return to a site in a new browser session.

So how long before the "accepted cookies" cookie becomes the standard long term tracking method because it's the one cookie people are least likely to remove because of the annoyance factor?

11
0
Silver badge
Facepalm

Re: Bloody annoying

Maybe in the days of Netscape 4/IE 6 'something had to be done' but now every browser under the sun now comes with a reasonable set of cookie controls and if that's not enough there's Do Not Track which appears to be gaining traction and add-ons like ABP/NoScript/RequestPolicy et al...

This is why politicians shouldn't be allowed to legislate in technical matters. Just because they can't find the cookie options in the preferences dialog it doesn't mean that an area with a population of 400 million people + everyone who visits from outside that area should be badgered with fecking annoying pop ups saying 'ooh, we use a feature of HTTP headers that's been in use for about 15 years, are you really okay with that? By the way, if you can find the cookie controls, see you next time!'

And so the next popular add-on for browsers will be a technical solution which will identify the 'are you okay with that?' cookie and preserve it while disabling the rest or letting them get wiped when the browser closes.

7
0
Thumb Down

Re: Bloody annoying

You, someone that understands technology, may well feel that way. The vast majority of people do not, yet many of them would be upset to find out just how much they are tracked and monitored across the internet.

There is no need for 90+ % of the cookies that collect in the browser, just take a look at the list that accumulates sometime. Cookies should be reserved for logins, basically. You can do most of the rest with session ids as parameters in a URL. These irritating popups (I have yet to see one) shouldn't be there either, until someone tries to use a function for which cookies are essential.

I mean, taking el reg as an example, why should anyone need a cookie to read the site? Other than those few of us that log in to make a comment, it seems completely unnecessary and serves to do nothing more than track people, which is unacceptable.

2
7
Thumb Down

Re: Bloody annoying

Session parameters in a URL? Why would you use such a clumbsy tool when you could use an (almost) universally accecpted method of dropping a harmless text file on a user's computer?

5
0
Silver badge
Thumb Down

Re: Bloody annoying

If someone objects to being tracked, there's the Do Not Track option. It could be one of the basic configuration options shown on first run.

Session IDs in the URL are madness and got dropped by the end of the 90s.

1
0
FAIL

Re: Bloody annoying

Bloody annoying all right; El Reg's cookie pop-up keeps popping up on iPhone despite having already clicked I'm Fine With This every time, and I'm sure it won't be long till this is happening everywhere, and with confusion and uncertainty comes opportunity for mischief.

5
0
Thumb Down

Re: Bloody annoying

@Liam - Why bother with session parameters at all most of the time? Just why are sessions even tracked on most sites? Seriously, unless you are an online shop or an account based service, there's no need, and the negatives of cookies outweigh the positives.

I'll say it again - why the hell does a site like el reg need to use cookies unless people want to log in and comment? For the other (larger) part of the user base, there's just no need.

@Dan - When 'Do Not Track' is actually respected by the shadier side of the advertising business (i.e. Never) then that's a fine solution. Until then, yes a lot can be done with session ids in URL parameters (which I don't believe went out in the 90s), and in a hell of a lot of cases there's just no need for a cookie in the first place.

1
5
Silver badge
Thumb Down

Re: Bloody annoying

Totally agree with you here, I would rather NOT have a nagware box, but expect sites to track me(making it my responsibility to clear cookies etc), than have the nag box..

Most sites NEED a cookie to function, and basically that means they have a pretty good get-out clause for that cookie...

I.E. go to Amazon, no cookie warning, BUT they put a session cookie in, wow, shocking....

This whole thing about cookie permission is a farce..

4
0
Anonymous Coward

Re: Bloody annoying

Like the Reg "The Register uses cookies. Some may have been set already...blah blah blah...If you continue to use the site, we'll assume you're happy to accept the cookies anyway" I delete all cookies when I exit the browser, I set my browser to ask before accepting cookies. So yes, by the time this box pops up I have said ok, so could you please remove that grey bar at the botton of the page without me having to click on it. I mean, its not as though these modern wide screens have an excess of vertical pixels is it.

Still not as bad as the BBC site which wastes 5+ lines at the top of the page so I have to scroll down to read the content.

1
0
Silver badge

@David

From the user's point of view nothing can be done with session IDs in the URL as if you delete them by hand they keep coming back and if you share the link with someone else or a search bot crawls your site it's a possible security problem.

However properly managing the cookie permissions allow you to reject session IDs on a per site basis if you really want to. Otherwise you can wipe them on exit.

The shadier side of the net can track you with flash cookies, DOM storage, local DB, history sniffing and more. They are only going to take advantage of the 'are you okay with this' message to install malware as someone mentioned here. Do you think premium SMS scammers and 070 fraudsters and the like respect the TPS and Ofcom?

Far better to push for DNT as in the states (and it's not often I say something like that) than annoy everyone with messages that give the impression that 'cookies are bad, m'kay'.

A perfectly good solution to a technical problem (storing state using a stateless protocol) has now been made clumsy to use by clumsy legislation, not just in the UK but across the whole of the EU.

1
0
Thumb Down

Re: @Dan

WHY DO YOU NEED STATE?

Why is nobody going to answer this question - why in hell's name does a site like the regneed to bother with state for anyone other than logged in users? Why do 90% of the sites out there set multiple cookies when I'm just passing through to read something?

Sure, session ID's could be a security risk if used for sensitive things, nobody's suggesting you can't use cookies where you actually need to, for user accounts and purchasing operations. How many of the sites that set cookies do you think actually use them for this?

If I leave my browser unprotected it quickly accumulates hundreds to thousands of cookies of cookies. I but from maybe three sites, and have user accounts at another ten at most. The rest of the cookies are for tracking of various forms and these are what the legislation aims to reduce, an operation which I'm 100% behind.

2
2

Re: @David

Further to that - one hopes this becomes just another weapon in the arsenal to take down scammers, at least if based in europe.

0
2
Silver badge

Re: @David

I think El Reg and every other site are perfectly entitled to find out which areas on the page/headlines/stories generate most clicks on their own site. If you don't agree with that then you can disable cookies for that site's domain. In addition many 'top stories now' boxes/tickers/false windows on the page/pretty effects to increase the site's appeal need to store temporary data somehow.

There really doesn't need to be a giant warning on every website, it doesn't help the end user in any way.

0
0
Stop

Re: @David

Right, so now we get to the bottom of it, you don't need those cookies. It's not going to break the internet to ditch 99% of them, and you consider yourself entitled to track users activities.

Those are (at best) 'nice-to-have' features that allow you to track what goes on with your site, and at worst are precisely the sorts of behvaiours this legislation seeks to make more difficult.

I'm glad we've got to the bottom of this - there is no technical reason that most cookies can't be ditched.

1
3
Silver badge
Facepalm

Re: @David

Giving the client a reasonable set of privacy controls allows the user to make decisions, works for both legitimate and dodgy sites, and doesn't make browsing clumsy.

Mandating messages on the server side doesn't really allow the user to make decisions (it's just 'we need cookies to work, click here to agree' or some sites like BT will give you server-side cookie controls that really are more transparently covered to the user with client-side controls, and remember if the user is interested enough to find server-side controls then they will certainly have already found the client-side controls which have the advantage of working for every site and being standard for that browser not dependent on the server), only works for legitimate sites, and makes browsing clumsy.

Some people like the features I've mentioned. Try and use an AJAX web mail service without them. Just because you miss the days of Mosaic doesn't mean it should be inflicted on everyone by law. If politicians ever hear about the other features I've listed above that dodgy sites could use then we might as well turn off the Internet because browsing is going to turn into a form of masochism.

Just because you maintain that the lack of a message might trip up a dodgy site or two doesn't mean that it's necessary to inconvenience the users who use the vast majority of legitimate sites. Do you really think they're going to bring down e.g. The Pirate Bay over this when they've been going for years? What does the directive allow EU governments to do as a sanction for not complying? Fine them (if they can be found). Not take down the site. Not put the owners in prison.

0
0
Anonymous Coward

Re: @Dan

Trouble is, the legislation is toothless. Look at the BBC site: the important cookies, that is the ones which track you as an individual, are described as "essential" and no opt-out is permitted.

Mind you, El Reg isn't any better: "Click the button to accept our cookies. And by not clicking the button, you still accept our cookies". So much for informed "consent".

I predict there is now going to be a huge market in new browser add-ons which block all cookies except specific static ones which say you've accepted cookie policies - thus making the whole business of browsing far more tedious than it ever was before.

0
0

ICO just a figurehead

I get the impression that the ICO just seems to be only interested in pursuing large companies and organisations in order to create a nice headline splash. I once reported someone that I used to work for as a driver, as he was in the habit of persistently passing on other drivers' personal details to other drivers and third parties without permission. Got pretty well nil response there from the ICO. He also passed on MY details (address, etc.) to one of the notorious, so-called private parking enforcement companies that got on the gravy train, instead of passing the paperwork directly to me to deal with. I reported this also and the ICO said is was OK to do this if the person concerned suspected that there may be follow-up legal action, which sounds distinctly vague and like some sort of get-out to me. Preposterous. Incidentally, I ignored the parking company's threats and allegations and never got any more correspondence from them. Just a try-on.

3
1
Mushroom

Annoying

I'm already mighty pissed of with the directive causing lots of pop ups on just about every she I visit. Effing irritating. Another nail in the coffin for the eu as people find out how much its laws actually affect them - for no real benefit.

5
3

Re: Annoying

Really? Not a single site I regularly visit has had any visibility of asking for cookie permission.

I get the premise, but stupid EU directives are stupid.

1
3

Re: Annoying

Not even El Reg? It's the only compliant site I've seen.

2
0

Re: Annoying

Yep, el reg and the BBC.

0
0
Silver badge
Meh

Re: El Reg is compliant?

No visible cookie warning on El Reg at all for me.

The only UK sites I've seen with any cookie info banners are the Graun and the BBC.

I just checked on another machine (similar OS/browser to this one) and there was nothing on the Graun or the BBC. Not sure why it's showing on some sites and not others.

0
0
Anonymous Coward

Re: El Reg is compliant?

it appears at the bottom of the screen on El Reg sites, but I suspect if you've noscripted the site it may not work.

0
0

Re: Annoying

The Guardian too.

0
0
Anonymous Coward

Re: Annoying

And screwfix as well. (not a dating site)

0
0

Does El Reg really think its compliant?

Interesting attempt by the Reg, but does it actually think that the bottom 'we're using cookies, we presume you're OK with that' banner makes it compliant?

8
0
Anonymous Coward

Re: Does El Reg really think its compliant?

The sad thing is I'm guessing that is enough for compliance.

Although click here to accept cookie, or navigate website and auto-accept cookie is shit. why no don't place cookie? Accept cookie or don't view website, smells like shrink-wrap-eula to me.

4
0

Re: Does El Reg really think its compliant?

Isn't this the problem? The ICO guidelines are so vague it could be interpreted any number of ways. What is an essential cookie exactly?

0
0
Bronze badge

Re: Does El Reg really think its compliant?

Rather than being motivated by compliance it looks to me as though the new regulations have provided an excuse for a nag banner with the aim of getting more readers to turn off cookie blocking, thus increasing advertising revenue.

4
0

Re: Does El Reg really think its compliant?

an "essential cookie" is one that is required for the functionality of the site, the main generally accepted one is sessionid

0
0

This post has been deleted by its author

Holmes

Re: Does El Reg really think its compliant?

The only way to turn the banners off on most sites is to allow a cookie, looking at the scripts some sites run (which I allow), they will put this banner up until you allow them to set cookies. Others like elreg have put it into the html so greasemonkey or something to strip it out. Should be easy enough although some like the bbc are not displaying the banner if I block all their cookies.

0
0
Anonymous Coward

Re: Does El Reg really think its compliant?

"Accept cookie or don't view website, smells like shrink-wrap-eula to me."

Sounds like, for many sites, we'll have a choice: accept tracking, or effectively censor what we see simply on the basis of not wanting to be tracked. Sounds much more appropriate for the Soviet Union.

Imagine if public libraries were like this. "Yes, you can browse, but some of the books you can only open if you agree to the authors/publishers/distributors/advertisers tracking you." Or bookshops, or newsagents. You get to the till. "Before we sell you this book, you'll need to agree to being tracked. You don't have to agree, but if you do still buy this book, we'll assume that you do agree anyway."

What next? Compulsory supermarket loyalty cards? Except they won't be compulsory. You just won't be able to buy anything without them.

3
2
Silver badge
FAIL

Re: Does El Reg really think its compliant?

It is more than that. There is a request from El Reg asking about cookies (with, I note (as do others) no NO option). So, okay, we are nice, we like El Reg, we write comments, so we grant permission to them (and, note, THEM alone) to store cookies.

El Reg carries advertising. The website is still in breach because the advertisers never asked, never provided an opt-out, and god knows would likely never be granted permission by the masses.

This legislation is a farce if it thinks El Reg asking counts also for the unknown quantity of unknown advertisers in unknown countries collecting unknown data who neither care about nor are obliged to respect El Reg's privacy policy. Put simply, El Reg (and others) just don't have the moral right to ask this question on behalf of (undisclosed) third parties.

0
0
WTF?

Re: Does El Reg really think its compliant?

>>provide visitors with sufficient information to make a decision on whether they are happy for a cookie to be placed on their device<<

Saying we're using cookies covers that? Should say what data and why?

>> and obtain consent before placing a cookie <<

der, my browser is set to accept cookies, I could set it not to - I have given consent.

0
0

In essence all you seem to need to do currently is put up a privacy policy and state what cookies are used (including 3rd party ones) and tell people how to block cookies if they want. Or if you're more paranoid, then you could do like www.bt.com at the very bottom of their pages.

Beyond that it's pretty much a useless piece of legislation and £500,000 fines...yeah right!

2
1
Facepalm

Accept malware

This site uses cookies. Some may have been set already. Read About Managing our cookies. Please click here to unwittingly accept the installation of malware on your machine under the guise of accepting cookies.

This is going to be a dream for botnets!

It will be safer to install a browser extension to automatically accept genuine cookie requests to prevent my 9 & 11 year old users from filing their machine with dross. Are these cookie requests going to be certified?

Double facepalm.

6
1
Silver badge
Mushroom

Re: Accept malware

Yes, ' if you are happy with our cookie policy tick here, and if you do not want to accept our cookie policy tick here'......

Ah Dimitri, we have another mugs details to pick over!

Once we start to see the headline EXPLOSION IN MALWARE DUE TO NEW COOKIE LEGISLATION we can be sure the law will change again.

1
0
Thumb Up

I'm scared!

Is this cookie stuff more frightening than an alligator or tiger or dodgy wee spider? Stuff like that?

1
0
WTF?

Pop up blocker

Anyone got an opt-out popup blocker? Why should i need to click some random link?

0
0
Alien

Re: Pop up blocker

Try this:-

http://www.disobey.com/ghostsites/2005/11/fabulous-and-somewhat-sleazy-x10-pop-up.html

0
0

How this should have been done

Mandate that all new browsers should have an easy button to click to list all cookies in use on a given site, their contents, expiry terms, and (if technically feasible) a description of what they are. Whilst I'm as much against evil ad networks as the next guy, ultimately this is locally stored information, over which the user must take some personal responsibility and accountability - but mandating some simple tools that would work for all websites would sound better to me.

Typically with these things, it's going to take some (expensive) test cases before anyone really knows for sure what the ICO wants or is trying to get out of this.

2
0
Silver badge
FAIL

Re: How this should *really* have been done

Kick out the people and Euro Parliamentarian Fogies and hand the the saved tax feeder sustenance back to the civvies.

3
3

Re: How this should have been done

Better than this, just mandate a cookie policy being listed on a privacy page and force people to support the x-do-not-track header. Anything else is already covered by the Data Protection Act.

Now every site in the UK is going to have these annoying popup bars and companies will just move their e-commerce elsewhere.

1
0
Pint

Re: How this should have been done

I use the "Edit This Cookie" extension in Chrome for this very purpose - great when debugging.

0
0
Bronze badge
Facepalm

@Gaz Davidson

*Better than that*

Every browser should have a tool for managing cookies...

Oh no wait.

Not just me or has the EU actually broken the internet with it's obtrusive popups - and likely broken accessibility too (which would put any site that fancies complying with this law in breech of other law)? Hey lets take a div and ram some content into it with what is in effect a legal notice. Yeah great plan that'll work.

Maybe if they EU had bothered to model the solution they might have noticed the fact that they were fecking everything up. Thumbs up if like me you have sites and no intention of complying even if it ends up in court.

0
0

Page:

This topic is closed for new posts.