Got a website? Pay attention, Cookie Law will come

Small businesses need to be careful of the European Union cookie law - although so far most countries seem to be ignoring it. Many websites drop cookies, a small piece of software, onto visitors' machines to help with navigation, page view counts and to remember users' log-in details. But changes to European privacy law last …

COMMENTS

This topic is closed for new posts.

  1. Ellis Birt 1

    Most of us will have longer than just a year of grace.

    @Derichleau,

    Even then, they will only act when there is a complaint.

    New regulations = empty words.

  2. Gary F
    FAIL

    Have the EU produced a guide to explain their new law?

    With the £billions we pay to the EU, surely they have produced a simple online guide to help the industry understand their new law and to explain clearly how we should modify our websites to accommodate it? In particular, small businesses who have their own website or are in the business of building websites cannot afford lawyers to help interpret the raw legislation. The EU, in their great wisdom to rule over us, must have produced a wiki or something useful to help?

    Look at the comments so far. Lots of speculation and discussion, but no one has been able to point to EU documentation to make anything 100% crystal clear.

    This law is a shambles and so badly thought out. I can't see how implementing compliance can NOT ruin a user's experience.

  3. Richard Porter
    FAIL

    Surely the best solution...

    is for the browser to control whether you accept or reject cookies, or decide each time, as I expect most do already. Who's going to update all the legacy sites out there?

    Btw software can include data but data on their own are not software.

  4. Anonymous Coward

    Phorm - UK is exempt from EU law

    The government has demonstrated that the UK does not need to comply with EU data privacy laws.

    Legally I take this as precedent.

    Still moving my hosting to Azerbaijan though :-)

  5. Anonymous Coward
    Joke

    Modal dialogue popup with big red text...

    ... Yep, that's what we'll implement.

    Every time a cookie request is made, we'll pop up a modal dialogue box which says "This site is going to put a cookie on your computer. Yes / No" - it'll have flashing red text in comic sans.

    But in order not to have the popup appear every time, we'll have to store a cookie for the popup, so we'll need to fire another modal dialogue box to ask the same question.

    However, that pop-up will also require a cookie, so we'll have to fire another modal dialogue box to ask permission for that too.

    It's all getting a bit confusing. I know, we'll just store the data in the URL string and hide it with url rewriting - brilliant idea! - that'll solve everything.

  6. Anonymous Coward
    Facepalm

    Big Government

    Big government, small brains, dumb laws.

    Daniel (a Libertarian)

  7. Nick Ryan Silver badge

    Oh good

    yet another law to show just how forward thinking our lords and masters are. It will protect us against the unscrupulous websites that prey on and steal our personal details, about our children no less. Is nobody thinking of the children?

    Or, on the other hand, it's yet *another* layer of annoying bureaucracy that legitimate businesses have had foisted down their throats and will be ignored by those that were abusing it in the first place.

  8. John Latham

    Change is possible

    Two subdomains.

    cookies.blah.com uses cookie sessions.

    nocookies.blah.com uses URL-based sessions.

    All search engine traffic goes through cookies.blah.com, so users would generally hit that first. If they have no cookie set, pop up dialog. If they say yes, set cookie. If they say no, redirect the URL to nocookies.blah.com preserving path and querystring.

    Might be a problem stopping the nocookies URLs from spreading through inbound links, but maybe you could do something with URL referer, e.g. bounce requests back to the cookies subdomain if the referer is off-site.

    Or you could do the same with a path, e.g. blah.com/nc/xyz (no cookies) and blah.com/yc/xyz (yes cookies).

    I think this is relatively straightforward to do in spring framework (for instance), although I wouldn't particularly like to have to retrofit it to a site on a tight budget.

    Google Analytics is going to be painful though.

    Anyway, interesting technical challenge but stupid law. People should take responsibility for their own user agents.
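
The routing described in the comment above, as an added example that is not part of the original post or any site's real code. The cookie name `cookie_consent` and the query parameters `consent` and `sid` are assumptions, and dropping `sid` on an off-site bounce goes one step beyond the comment, so that a session id carried in a shared link is not reused.

```javascript
// Added example: routing decision for the two-subdomain scheme.
// Hypothetical names: cookie "cookie_consent", query params "consent" and "sid".
const COOKIE_HOST = "cookies.blah.com";
const NOCOOKIE_HOST = "nocookies.blah.com";
const SITE_HOSTS = new Set([COOKIE_HOST, NOCOOKIE_HOST]);

function isOffSite(referer) {
  if (!referer) return false;            // no Referer header: nothing to judge
  try {
    return !SITE_HOSTS.has(new URL(referer).hostname);
  } catch {
    return true;                         // unparsable Referer: treat as off-site
  }
}

// req: { host, url (path + query string), cookies: {name: value}, referer }
function route(req) {
  const u = new URL(req.url, `https://${req.host}`);
  const answer = u.searchParams.get("consent");   // reply from the consent dialog
  u.searchParams.delete("consent");

  if (req.host === NOCOOKIE_HOST) {
    if (isOffSite(req.referer)) {
      // Inbound link from elsewhere: drop any session id carried in the URL
      // so a shared or leaked link cannot resume someone else's session.
      u.searchParams.delete("sid");
      return { action: "redirect",
               location: `https://${COOKIE_HOST}${u.pathname}${u.search}` };
    }
    return { action: "serve", session: "url" };
  }

  if (req.cookies.cookie_consent === "yes") {
    return { action: "serve", session: "cookie" };
  }
  if (answer === "yes") {
    return { action: "serve", session: "cookie",
             setCookie: "cookie_consent=yes; Path=/; Secure; SameSite=Lax" };
  }
  if (answer === "no") {
    // Preserve path and query string, as the comment describes.
    return { action: "redirect",
             location: `https://${NOCOOKIE_HOST}${u.pathname}${u.search}` };
  }
  return { action: "dialog" };           // first visit: ask before setting anything
}
```
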

  9. Eeep !
    Facepalm

    But isn't all data just a program waiting for the right interpreter ?

    On my computer there are files that contain text - this is just data. The same file content is the same data whether the name is xyzzy.txt or xyzzy.c or xyzzy.py or xyzzy.java - just data.

    Passing the content of all of these files (all the same) to a word processor or c compiler or python interpreter or java compiler produces different results - some consider the content to be data to be displayed, some data to be compiled, some data to be executed.

    So a cookie is data just like a .txt/.c/.py/.java file - but for some they consider the extension of the file to make the data different. So, define a cookie with the name "Z80" that should have a hex string value (valid Z80 op-codes only) any website or browser that can read the value of the cookie can 'execute' the Z80 instruction on an emulator.

    Is the cookie data or a program ? The name of the cookie is identifying the content/value of the cookie as a program, much like the .txt/.c/.py/.java extension of the file, and could possibly be considered to be an instruction to execute the content as Z80 machine code.

    How about cookie name "bash" and the value "rm -rf *" ?

    So the presence of a cookie with a particular name CAN cause different behaviour at the server or client that recognises the cookie name, and the value of the cookie can do the same. No cookie of "alreadysignedin" instructs the server to act as if the user is not signed in and a login page should be shown, and presence with a value of "<valid session-id>" instructs the server to do all sorts of things, valid session verification, specific user information such as a nickname and discount vouchers are displayed in the page.

  10. Anonymous Coward
    Unhappy

    Sigh

    Two pages of twaddle. I can remember when cookies were tasty. I'm too old.

  11. Anonymous Coward
    Devil

    Silver lining...

    If you only have to ask for consent for cookies that match the definition of software... ie contain executable script code.

    and for the scoffers, YES, I have seen such cookies!

  12. Criminny Rickets
    Big Brother

    Permission

    Would a small disclaimer at the top of the home page work?

    Something like "This website may or may not use cookies to either enhance your enjoyment of this site or track the usage of pages on this site. If you do not agree to our use of cookies, please click on your HOME button, otherwise, continued usage of this site implies your consent to the usage of cookies from this site."

  13. mikeoneill

    Cookie button

    The CookieQ button (http://cookieq.com) removes cookies from visitors' browsers unless they have opted in to cookies at your site. You can give them a default opt-in period which they can override, and they can manage their cookie consent from one page, where they can also withdraw or give their consent to cookies at any time.

  14. Harry Tansey
    Flame

    How did this ever happen?

    Overly restrictive!

    The restrictions on using session cookies and analytics cookies, such as Google Analytics cookies, are ridiculous. Session cookies merely get over the fact that http is stateless and allow features such as a vote to work without the user then being able to vote again - can you imagine "when you vote for your favourite choice would you please accept this cookie, because if you don't you can vote as many times as you wish"... or the amount of log on forms that have to be polluted with "blah blah, cookie, blah blah...." ... that'll do a great service to web design!

    Not to mention ICO themselves drop a session cookie without asking... let's face it, storing a number on a user's browser really isn't that intrusive, to do without just means a lot more work behind the scenes to achieve the same goal.

    Why shouldn't a website owner be able to track a user's visit around the site to see how the site is used, or to help with problems? It's not like you can opt out of CCTV in a physical store.

    Yes, third party cross-site advertising is intrusive, and this is where the effort of enforcement should be placed, not on routine functionality used unobtrusively by millions of websites.

    It's bad enough if you are capable of doing something about it. What about those web site owners who use code developed by third parties or open source? Have the EU investigated the effects on such people who'll have to pay (in time and/or money) to "fix" their web sites?

    This is a total waste of time and money. Why should UK/EU site owners be disadvantaged by all this extra effort and pollution of the user experience?

    The web industry should be up in arms about this. Where are the protest sites?
