Got a website? Pay attention, Cookie Law will come

Small businesses need to be careful of the European Union cookie law - although so far most countries seem to be ignoring it. Many websites drop cookies, a small piece of software, onto visitors' machines to help with navigation, page view counts and to remember users' log-in details. But changes to European privacy law last …

COMMENTS

  1. mpcooke3

    Lawyers

    "Businesses must get users' consent before installing cookies and follow rules in storing and accessing information gathered from them."

    This has already been interpreted by many advertising companies and approved in the UK as "showing a certain icon on screen when a cookie is placed" - apparently this implies explicit consent.

    Also "must get users' consent before installing cookies" apparently allows for users to give permission after the event.

    1. Ejit
      Stop

      Really

      " and approved in the UK"

      Citation required.

    2. Anonymous Coward
      Anonymous Coward

      Advertising companies.

      Anyone who doesn't block adverts deserves everything they get.

    3. Anonymous Coward
      Anonymous Coward

      That's for behavioural ads only

      Not generic cookie use. For that, I'd suggest an icon of a half-munched cookie with the legend, 'This site uses cookies. Bite me!'

  2. This post has been deleted by its author

    1. jonathanb Silver badge

      I can explain

      Session cookies, for example to remember what you have placed in a shopping basket, are allowed.

      If you want to store data across browser sessions, you have to ask, otherwise, when someone visits your site again, it will be like it is the first time they have ever done so. Not fatal from a user experience point of view.

      1. frank 3
        FAIL

        session cookies are not really 'allowed'

        you still have to gain explicit consent.

        It even applies to analytics cookies. So, to see where people go on your website, you have to gain their explicit opt-in consent. Yep, you can't watch people walking around your shop. Not allowed.

        Every single site we operate will have to be changed at the cost of many thousands of pounds to my clients (a few hundred quid a pop).

        I have to explain it to them and bear their wrath because they have to spend money for no 'benefit'. It's a shambles and no-one in the web dev. world seems to be grasping this nettle because it just seems like such a waste of effort and time.

        1. MrCheese
          Megaphone

          Bravo

          It's exactly that attitude which got us into this situation in the first place; the current environment of self-regulation *scoffs* means that people's ignorance is being exploited by all kinds of otherwise legitimate outfits, so now big, broadly written laws have to be written to try and correct the situation.

          The cost of updating websites is moot as everyone has to do it, and as for users' lack of understanding, well, it's the responsibility of those of us who do understand the implications to impart that wisdom upon others, not simply bear their wrath.

        2. CD001

          Session has nothing to do with it

          It's nothing to do with the session - certain cookies are allowed WITHOUT consent providing they are "essential to the functioning of the website/service" ...

          So, cookies that are allowed without consent (though you should still have a page explaining what they're for) would include things like a cookie that holds the contents of the user's shopping basket or an authentication cookie that allows the site to verify that the user is logged in.

          Cookies that would REQUIRE consent would be things like analytics cookies (including Google Analytics) or cookies that save user preferences - basically anything that is not absolutely necessary for the site to function.

          Where I lose the plot a bit is with third party cookies - say for instance your site is using Google Analytics - well, that's based in the US and I'd guess Google aren't going to put a little pop-up that says "track me please", so it would, presumably, be up to the site owner to gain consent from their visitors to allow Google to track them?

          1. g e

            So does that mean -

            That Google analytics code will have to pop up cookies on your behalf?

          2. bobbles31

            To be fair

            It was up to the site owner to use Analytics, so why shouldn't it be up to them to explain the cookie?

            To say that they don't is a bit like saying that a site that provides a Direct Debit form shouldn't contain details of the DD guarantee. Even though it isn't their guarantee.

            1. Just Thinking

              How do you know?

              How can a site owner provide information about what Analytics cookies may or may not be doing? They don't know, and Google are hardly going to tell them.

              To use the DD analogy, it's a bit like being required by law to print the details of the guarantee on the form, but the bank refusing to tell you what the terms of the guarantee actually are.

    2. Anonymous Coward
      Anonymous Coward

      erm

      Ever worked with users? In my experience they'll click Yes or OK just to make the box go away!

      As you say though, they won't have a clue what they're doing

      1. Elmer Phud
        Pint

        Boxing clever

        "In my experience they'll click Yes or OK just to make the box go away!"

        "To continue further in your enjoyment of our website we require your acceptance of a cookie to enhance your experience here"

        Sorted.

      2. This post has been deleted by its author

    3. iamzippy

      Yay, Pish

      This is just the EU getting back at the interwebs for giving so much air time to the likes of Nigel Farage.

      Way 2 go, Nigel. Gotta root for the 'underdog'.

  3. (username unavailable)
    Stop

    It is a little bit crazy in some ways is this law. Not all cookies are malicious.

    Granted some are bad and are used for profiling your web browsing habits etc etc, but then, just about every website you log in to uses cookies to establish a session. If you refuse to accept cookies, how the fuck will you establish a session in the stateless web?

    Perhaps the law needs a little refining so it only applies to advertisers etc and not people needing to use cookies as an integral part of their web apps.

    And just to add as good advice as ever - we should all be using secure cookies!

    1. lurker

      Sessions

      You can pass session tokens in URLs; that used to be quite common. It is, however, very lame, and results in lots of ugly-looking links.

      Wasn't there some talk of this not applying to 'session' cookies which were required for the functionality of the website?

      1. Anonymous Coward
        Pint

        titles suck more than our leadership

        Session IDs via the URL, apart from being hideous, are also horrible from a security point of view. Just about the easiest way to pass your session to your mate. Consider this scenario:

        Me: Bloody hell, these are some fantastic cigars and rum. Dude check out these (copying and pasting link to him via IM).

        Mate: Being a bit more tech savvy, perhaps, realises he has picked up my session to some website to which I am already authenticated with pre-stored credit card details, and decides he is going to go on a shopping spree.

        A little far fetched and certainly hypothetical, but it could happen.

        P.S. I am not that fucking thick!

        1. David Gillies
          FAIL

          Errm, no, not necessarily

          URL session tracking is fine, as long as a robust set of login criteria including remote IP address are tracked, it's blinded with a nonce value, it's hashed and it's compared every page view with the value stored in the DB. You should also use a cookie in tandem with it, which since it's for authentication isn't covered by this (admittedly braindead) legislation.

      2. Windrose
        FAIL

        Could we stop redefining 'ugly'?

        Let's. A URI isn't "ugly". Your uncle may be ugly; industrialization of a pretty forest is ugly, but a URI is simply an address, and beyond the "theregister.co.uk" bit it ain't meant to be human readable.

        Just stop setting unnecessary cookies.

        1. (username unavailable)

          @windrose

          While I would love to fully agree with you about the URL, how many times do you see things advertised on the TV or in the media some place as domain.com/product ?

          Some things after the actual domain do need to be humanly readable, but mostly, yes I do agree with you.

          Granted this is all going to become less relevant with this current fad of putting "Search for XYZ online" in ads these days.
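The URL session token discussion above (the pasted-link scenario and David Gillies's list of checks), as an added example that is not any commenter's code: a server-side validator that binds the URL token to the issuing address with a nonce-blinded keyed hash, re-checks it on every page view with a constant-time compare, and requires the authentication cookie alongside it. The token layout, the dict standing in for the DB, the key and the addresses are my assumptions.

```python
"""Validate a session token carried in the URL, as described in the thread.

Assumptions (mine, not the thread's): the URL carries 'sid.tag' where sid is
an opaque random id and tag = HMAC-SHA256(key, sid|nonce|client_ip); the nonce,
address, tag and a cookie secret live server-side, here in a dict standing in
for the DB row the comment mentions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; a real deployment loads this from configuration.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# sid -> {"nonce", "ip", "tag", "cookie"}; stands in for the DB.
SESSIONS: Dict[str, Dict[str, str]] = {}


def _tag(sid: str, nonce: str, client_ip: str) -> str:
    """Keyed hash over the id, the per-session nonce and the remote address."""
    msg = f"{sid}|{nonce}|{client_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def create_session(client_ip: str) -> Tuple[str, str]:
    """Start a session for client_ip.

    Returns (url_token, cookie_secret): the token goes in the URL, the secret
    goes in an authentication cookie, so a copied link alone is not enough.
    """
    sid = secrets.token_urlsafe(16)       # opaque id; its alphabet has no '.'
    nonce = secrets.token_hex(16)         # blinds the hash; never leaves the server
    cookie_secret = secrets.token_urlsafe(24)
    SESSIONS[sid] = {
        "nonce": nonce,
        "ip": client_ip,
        "tag": _tag(sid, nonce, client_ip),
        "cookie": cookie_secret,
    }
    return f"{sid}.{SESSIONS[sid]['tag']}", cookie_secret


def token_from_url(url: str) -> Optional[str]:
    """Pull the ?sid= parameter out of a URL (None if absent)."""
    values = parse_qs(urlsplit(url).query).get("sid")
    return values[0] if values else None


def validate(token: Optional[str], client_ip: str,
             cookie_secret: Optional[str]) -> Tuple[bool, str]:
    """Re-check the URL token on every page view against the stored record.

    Returns (ok, reason). Secret comparisons use constant-time compare_digest.
    """
    if not token or "." not in token:
        return False, "missing token"
    sid, presented_tag = token.split(".", 1)
    rec = SESSIONS.get(sid)
    if rec is None:
        return False, "unknown session"
    # The remote address must match the one the session was issued to. Caveat:
    # this also rejects legitimate users whose address changes (mobile, proxies).
    if rec["ip"] != client_ip:
        return False, "ip mismatch"
    expected_tag = _tag(sid, rec["nonce"], client_ip)
    if not hmac.compare_digest(presented_tag.encode(), expected_tag.encode()):
        return False, "bad tag"
    # The cookie half: a pasted link carries the URL token but not the cookie.
    if cookie_secret is None or not hmac.compare_digest(
            cookie_secret.encode(), rec["cookie"].encode()):
        return False, "missing or wrong auth cookie"
    return True, "ok"


if __name__ == "__main__":
    # The thread's scenario: a link pasted to a mate on another machine.
    me_ip, mate_ip = "203.0.113.5", "198.51.100.7"   # constructed addresses
    token, cookie = create_session(me_ip)
    link = f"https://shop.example/cigars?sid={token}"
    print("owner :", validate(token_from_url(link), me_ip, cookie))
    print("pasted:", validate(token_from_url(link), mate_ip, None))
```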

  4. Anonymous Coward
    FAIL

    Cookies ARE NOT software.

    Perhaps you guys need to do a slight bit of research before you spew garbage...

    1. The Alpha Klutz

      "Cookies ARE NOT software."

      Yeah but, they are.

      Reminds me, some guy was telling me "a computer case is NOT hardware". *SIGH*

      some people just need to stop smoking crack.

      PS. I still think the cookie law is somewhat stupid. I bet the guy who wrote the law didn't even know what a cookie was until 3 pages into it.

      1. Jerome 2
        Facepalm

        @TAK

        Cookies are data, not software

  5. Anonymous Coward
    FAIL

    Software?

    "...cookies, a small piece of software..." Well, I guess you could put some code in a cookie and find a way of executing it but this is really stretching the definition of software.

  6. (username unavailable)
    WTF?

    Since when was a Cookie a piece of software? It is a chuffing text file!

    1. Anonymous Coward
      FAIL

      Software

      Indeed. A cookie is most certainly not software.

      Software comprises instructions that are executed by the computer.

      1. The Alpha Klutz

        "Software comprises instructions"

        It is by interrogating the Cookie that the browser finds out 'what to do', if that is not an instruction, I would love to hear your definition of what is.

        This website is software because it comprises instructions for recreating the site on the client machine. The image file software contains the instructions that tell the image rendering software how to draw The Register logo, while the font software on your computer is a precise set of instructions for recreating text on the screen.

        That is if you draw the arbitrary conclusion that software has to contain instructions, which of course, it doesn't. A help file is software, as is porn. Even though you could say that both comprise instructions for recreating images on the screen, that is beside the point.

        I would say that any collection of intangible data that means anything to either the user or the computer, is software. Does your Windows executable stop being software when you copy it to a Mac? What about if you encrypt it as well? Now suppose that you have an encrypted file that MIGHT contain an executable, but you are not sure, is that software? Or does it only become software after you decrypt it? Does the fact that it CAN be decrypted not mean that it was software all along?

        The software on my harddrive is hardcore, no soft-porn.

        1. Anonymous Coward
          Happy

          However, software != data

          The information in a cookie is data. At no point on any platform is the content of the file executed or converted by means of compilation or interpretation to instructions that can be executed by a processor.

          Therefore, although a cookie may fall into a broad categorisation of software as in 'anything that is not hardware', in my book as well as most other people's, it's just data. It is not a program that can arbitrarily do anything it wants, it contains information that is processed in carefully defined ways by the web browser.

          The important issue at stake here is that less technical users will be scared of cookies because they don't understand them. The IT security industry is at this very moment busy telling every computer user to be careful of running malicious "software" on their computer lest they are defrauded or have their identity stolen. Therefore, by terming a cookie as "software" we are unnecessarily inducing FUD.

          Ultimately, many websites will be broken and many headaches will be caused for businesses and web designers alike as a result of this FUD. This will make conducting business online more complicated and expensive and for this reason I disapprove of anything that will add to it (even if it is semantically correct).

        2. Field Marshal Von Krakenfart
          Headmaster

          Are Colleges dumbing down?

          Cookies not program code???????!!!!!!!!!!!!!!!

          Has the rush to etch-a-sketch drag-and-drop programming meant that people no longer read books like Niklaus Wirth's "Algorithms + Data Structures = Programs"?

          Oh Sorry, written in 1976, replaced by OOP and the Agile manifesto.

          Teacher Icon.......

        3. PatientOne

          @ Klutz

          "It is by interrogating the Cookie that the browser finds out 'what to do', if that is not an instruction, I would love to hear your definition of what is."

          Software is described as a series of instructions, yes, but they are programmed instructions compiled into code that a computer can execute. Those instructions can include the reading and processing of data, and that data can be used in decision making within the software, which can then affect the software's behavior.

          A Cookie is, by definition, data. It is not software as it cannot be executed by a computer. Instead, software can read a Cookie and take the content to determine how the software is to behave.

          Or look at it another way: I go to a website for the first time. The website can't find a cookie, but it is still able to function properly. If I delete the cookie it creates, it will still work: it will just lose the settings, preferences and other data it was storing on my PC.

          So rather than referring to Cookies as instructions, it would be safer, and perhaps more accurate, to refer to them as preferences and/or settings.

          1. nineworlds

            A cookie could be seen as an instruction...

            if you take it as a mnemonic for what the server has to do. Sure, it's generated by the server, rather than programmed by hand, but you're basically turning the web into an interpreter, generating single-use programs that take the cookie as one of their input instructions and return different output based on that. Sounds pretty much like a procedure call in any other programming language.

            Well, that's one possible argument....

            1. magnetik

              data

              No, it's just data, no different from a row in a db table. You could store user preferences in a db table or in a cookie - they're simply different methods of storing and passing data.

    2. Robert E A Harvey
      WTF?

      IWGTST

      That annoyed me, too. If the reg. is going to patronise its techie readers, it might try to do so accurately.

      1. Anonymous Coward
        Go

        Or...

        And, if it can't do so accurately, then there's nothing wrong with the house style of doing it sarcastically - that's been working well for some time now.

  7. Anonymous Coward
    Anonymous Coward

    EU Web Laws

    Bunch of shite

  8. jubtastic1

    This is of course, utterly daft

    We already had that, back in the early days of the web it was common to see sites pop up alerts asking for permission, it was terrible UX and broke functionality when users clicked no.

    Perhaps the EU should mandate marquees and flashing text be mandatory on every page to complete this trip down memory lane?

  9. system
    Facepalm

    Small pieces of software?

    That's really what you're going with?

  10. Herr Ober
    Trollface

    yah...

    talk about shutting the barn door after horses have bolted...

    What is the use of cookies with LSO Objects, Web Bugs and referral tracking, not to mention browser identification algorithms around?

    1. Novex

      re: yah...

      As far as I understand it from a site I just read to gen up on this, LSO objects and all other means of storing information on the local machine to track a user's activity are covered by this law. As such the term 'Cookie' as applied to this law is misleading.

  11. R.Moore

    Businesses only?

    Does anyone know if this also affects non-profits?

    1. Gwaptiva

      And...

      how does it define 'users'?

  12. Mike Kamermans
    Thumb Down

    software?

    Since when was a cookie "software"? Cookies are just key/value pair data that are stored and retrieved based on specific domains by a browser, and only because that browser implements cookie handling. There is no "software" that gets installed, nothing "helps websites"; they're just strings that a website can ask the browser to store when its pages are loaded, so that it can read the values it asked to be stored sometime later when that same browser opens the same website's pages.

    So, "many websites ask your browser to store cookies, bits of text that are stored for a website, which are sent back to it every time the website is loaded by your browser. Making use of this standardised data storage system in your browser allows websites to easily (although not securely) deal with navigation, page view counts and sometimes even log-in details"...?

  13. John Burton

    What about non-commercial sites?

    I presume this applies equally to non-commercial websites?

    Does anyone know for sure?

    1. Sir Barry

      ICO response

      I emailed the ICO regarding who is affected by this rule and their response was (edited to important bits):

      "Organisations that are operating in the UK (regardless of whether their website is technically hosted elsewhere) would be subject to UK law.

      Obviously organisations operating outside the UK would need to comply with legislation which is local to them. If this is in the EU similar legislation to our own will exist."

      Commercial, non-profit, hobbyist et al are all affected.

    2. Gilberthill

      The Cookie Crunch

      Yes, it applies to all websites, irrespective of whether commercial or not. Basically, anyone using Google Analytics is captured; there are even cookies used in code such as .NET. It's clear that the legislators didn't think through the potential impact of this enough before pushing it through; now you have a range of responses across Europe, from German sites switching off analytics, through to French sites ignoring it and saying it doesn't apply to them, to UK site owners being unaware or burying their heads in the sand.

  14. Wibble

    Numpties

    Impractical, unworkable, broken, knee-jerk reaction created by numpties to a 'problem' that afflicts numpties.

    Ignore it as everyone else sure as hell will.

  15. Gwaptiva
    FAIL

    Will we be allowed to

    store a cookie with your cookie storage permission status?

  16. Anonymous Coward
    Mushroom

    Hmm

    Three things I'd like to point out at this juncture, other than the aforementioned.

    Firstly, isn't there some kind of clause for not having to get user permission if it explicitly is required for core functionality? Carts on a shopping site, for example, wouldn't have to because that's considered core functionality.

    Secondly, localStorage is not considered part of the mandate as far as I know, meaning you could shove the cookie data into that and call data with AJAX calls appending it to the URL.

    Thirdly, yes, you can avoid it to a degree by making things handle sessions through the URL as above but that would easily make things worse because I'd be willing to bet the majority of developers aren't smart enough to avoid session fixation when it's not provided for them by a framework.

    I'm waiting to see what El Reg's UI for this looks like... ;)

    1. OffBeatMammal

      shudder

      as a user outside the EU visiting the .co.uk version of El Reg I hope I don't have a diminished experience because of this :)

  17. Anonymous Coward
    Stop

    Like to see

    How this affects a UK business with its site hosting abroad.

  18. Anonymous Coward
    WTF?

    So, I ask a user for permission to store a cookie.

    How do I record the refusal of that permission? Can't be based on IP - they might be behind a NAT router. Can't be based on a unique identifier - that's just as much an invasion of privacy as the cookie. If I don't record it, and keep asking the user, I foresee the user either leaving my website or installing some addon/tweaking some setting to blanket allow.

    1. Mattyod
      FAIL

      Yup they really haven't thought this through...

      website: Can I store a cookie?

      user: no.

      // Next page

      website: Can I store a cookie?

      user: no

      // Next page...

      We should at least be able to store cookies so that we know the user doesn't want us to store cookies. Oh wait...

      1. Richard 12 Silver badge
        FAIL

        @Mattyod?: Erm, no.

        Landing page: "Can I store a cookie?"

        User: No

        All other pages: "Is there a landing page cookie? If yes, store my cookie/modify landing page cookie. Otherwise do nothing."

        That's not exactly rocket science, is it?

        1. sabroni Silver badge

          @ Richard 12

          That's fine for all the sites that force you to go via the landing page. However, websites often allow any page to be a landing page (to allow bookmarking, for example, or to send a link to a friend). For those sites your solution won't work. Think it through...

          1. Richard 12 Silver badge

            No, it still works.

            Any user who doesn't go through the landing page doesn't get any cookies.

            Still not seeing the problem here.

            - Remember, we're talking about tracking cookies here, not the cookies required to run shopping baskets.

            The 'restricted' cookies are really those are related to advertisements and web metrics. So, you can only trace people through your site that have been to the landing page.

            It might be possible to use referrer to help here as well.

            Aside from all of that, if you have a "Do you want a cookie? Yes/No" question, you can be sure that almost everybody will say yes.

            1. Chris Harrison

              @Richard 12 - No it still doesn't work.

              You need to stop referring to 'The landing page' as if every site has one. Landing pages are the rule not the exception.

        2. Chris Harrison
          FAIL

          @Richard 12 - Utterly missing the point

          Richard 12 wrote:

          Landing page: "Can I store a cookie?"

          User: No

          All other pages: "Is there a landing page cookie? If yes, store my cookie/modify landing page cookie. Otherwise do nothing."

          That's not exactly rocket science, is it?

          ====

          No Richard that isn't rocket science. If it was, then the rocket wouldn't leave the ground.

          I run a couple of sites with around 330 pages between them, except for 2 pages on each site, every page shows in my stats as a landing page and is searchable. Do you think this is an uncommon model?

    2. Anonymous Coward
      Anonymous Coward

      or..more likely

      ..a blanket block.

    3. Anonymous Coward
      Anonymous Coward

      Simples...

      Just open a dialog saying "You said no to our storing of a cookie that's important to the functionality of our site. We're gonna respect this, but do you mind if we put a cookie in your jar to record that you don't want other cookies?

      Click No to be repeatedly harassed

      Click Yes to have the quiet life, but the site still may not work without the cookies you originally refused!"

      1. Shakje

        Surely that just doubles the harassment level?

        User doesn't read the dialogue apart from the word cookie, clicks through, now every time they're going to see two dialogues instead of one, get doubly pissed off, and leave quicker.
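An added example, not code from any commenter, the ICO or any site, of the consent gate the Mattyod / Richard 12 / sabroni exchange argues over: it runs on every response, so any page works as the landing page; it always sets the strictly necessary session cookie with Secure and HttpOnly; it records a yes or a no in a consent cookie so the question is not repeated; and it only sets (or, after a refusal, expires) the analytics-style cookie. The cookie names and lifetimes are assumptions.

```python
"""Consent gate for non-essential cookies, run on every response.

Added example for this thread; cookie names, lifetimes and the split between
'essential' and 'non-essential' are my assumptions, not any site's policy.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple

CONSENT_COOKIE = "cookie_consent"   # holds "yes" or "no"; a refusal is remembered too
ESSENTIAL_SESSION = "session"       # basket/login session: strictly necessary, no consent
ANALYTICS_COOKIE = "_ga_demo"       # stands in for an analytics cookie: needs opt-in


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Turn a request Cookie header into {name: value} (empty dict if absent)."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def set_cookie(name: str, value: str, max_age: Optional[int] = None,
               http_only: bool = True) -> Tuple[str, str]:
    """Build (name, Set-Cookie value) with the hardening attributes every cookie should carry."""
    parts = [f"{name}={value}", "Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        parts.append("HttpOnly")
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return name, "; ".join(parts)


def handle_request(cookie_header: str, consent_answer: Optional[str] = None) -> dict:
    """Decide the Set-Cookie headers for one response.

    consent_answer is "yes"/"no" when this request carries the user's answer to
    the banner, else None. Returns set_cookie (list of (name, header value)),
    show_banner and analytics_allowed.
    """
    jar = parse_cookie_header(cookie_header)
    headers: List[Tuple[str, str]] = []

    # 1. Strictly necessary cookie (basket/login): set regardless of consent.
    if ESSENTIAL_SESSION not in jar:
        headers.append(set_cookie(ESSENTIAL_SESSION, secrets.token_urlsafe(16)))

    # 2. Consent state: an answer on this request wins, otherwise reuse the stored
    #    one. A "no" is stored as well, so a refusing user is not asked on every page.
    consent = jar.get(CONSENT_COOKIE)
    if consent not in ("yes", "no"):
        consent = None
    if consent_answer in ("yes", "no"):
        consent = consent_answer
        headers.append(set_cookie(CONSENT_COOKIE, consent, max_age=180 * 24 * 3600))

    # 3. Non-essential cookie only after an explicit yes; expire it after a no.
    analytics_allowed = consent == "yes"
    if analytics_allowed and ANALYTICS_COOKIE not in jar:
        headers.append(set_cookie(ANALYTICS_COOKIE, secrets.token_hex(8),
                                  max_age=365 * 24 * 3600, http_only=False))
    elif consent == "no" and ANALYTICS_COOKIE in jar:
        headers.append(set_cookie(ANALYTICS_COOKIE, "", max_age=0, http_only=False))

    return {"set_cookie": headers, "show_banner": consent is None,
            "analytics_allowed": analytics_allowed}


if __name__ == "__main__":
    # Constructed walk-through: first visit, refusal, then a later page view.
    print(handle_request(""))
    print(handle_request("session=abc", consent_answer="no"))
    print(handle_request("session=abc; cookie_consent=no"))
```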

  19. BoldMan
    WTF?

    Software? WTF?

    Cookies ARE NOT software! It's nothing more than a piece of text! PLEASE get your facts straight; it's bad enough with the mainstream press being totally clueless without our favourite tech news site also being dumb!

  20. Ian Tresman

    No privacy issue

    There is no privacy issue; cookies are stored on the user's own machine, and usually contain no private information anyway.

    I would be more concerned about the megabytes of HTML and scripts that a website runs on a user's machine, and are stored in the user's cache.

  21. Novex
    Thumb Down

    What's the point with IPv6 coming in a 'few' years time?

    I've just read up a bit on this law, and one point raised in the FAQs on the site I used was the upcoming IPv6. As that will make it pretty much essential that each device has a unique and static IP address, any tracking will use the IPv6 address and be completely out of the user's control. Since IPv6 implementation will have to happen at some point in the not so distant future (arguably within 5-10 years), this ill-conceived and highly impractical to implement law is, at best, very short term from a legal perspective (most laws are around for centuries). IPv6 seems to make it a waste of time, money and effort.

    1. Anonymous Coward
      Headmaster

      (sorry)

      What's the point with IPv6 coming in a 'few' years time?

      !==

      What's the point, with IPv6 coming in a 'few' years time?

    2. lurker

      Proxies

      I'm no expert on IPv6, but as far as I know it doesn't rule out the existence of proxies, which hide the end-device's IP address (whether VI or IV). And even 5-10 years in the future I suspect that you are likely to have a situation where many devices are actually running IPv4 internally behind an IPv6 'gateway'.

  22. Anonymous Coward
    Facepalm

    This article totally misses the point

    As mentioned by AC 9:03 above, explicit consent is only required if the cookies are used for things over and above the expected functionality of the site.

    I.e., it really only messes things up for unscrupulous advertising companies, not to mention any names of course.

  23. Peter Fox
    FAIL

    Wrong way round. It's the READING that matters.

    Site A gives me a cookie to do something useful to me and perhaps something statistical for the site owner. No great problem there. But if site B has a look at what cookies I've got and what's in them (even with A's permission) then I'm not so sure.

    Compare it to going shopping and being given a receipt in each shop. What would you say if shop B looked at all your accumulated receipts?

  24. batfastad
    Facepalm

    Why only small business?

    Why is it only small businesses that need to make sure they're compliant?

    I'd like to see a business with the turning circle of Paypal/Ebay become compliant.

    And does it only apply to sites hosted in the EU?

    I'd like to see how websites in Europe would cope if they could no longer store a session ID on a user's machine... I predict a boom in the US hosting market and goodbye to most internet banking services etc. And probably most EU internal sites... The OAMI EU community trademark registration system uses a total mess of cookies.

    The only cookies we use are to store a session ID for an authenticated user's session. Then any personally identifiable info is stored in the session on the server.

    But surely they should be complaining more about that! Storing a user's personally identifiable info on their own machine actually sounds much better than storing it in a session on a potentially insecure server somewhere! But the fact that cookies are open to exploitation is mainly down to the HTTP protocol and browsers' cookie implementations.

    Anyway, can't wait to see their faces when they discover that HTML5 contains a module for offline data storage. (Incidentally I predict that module has a very bright future... as the primary method for malware injection).

    What a waste of time.

  25. Destroy All Monsters Silver badge
    Big Brother

    Yes, it's 1996 again!

    The Great Cookie Panic Breakout back then was a pleasure to behold (I also remember Conservatives discovering Porn On The Internets and faking up statistics about Rimm Jobs, but that's another matter).

    Meanwhile, it's not like the Department of Motor Vehicles is using your data for things over and above the expected functionality of the bureaucratic make-work scheme.

    1. MrCheese
      Boffin

      Count your stars you're in America

      The DVLA (Driving & Vehicle Licensing Agency) have no qualms flogging data from the number/license plate database to advertisers just to make a fast buck.

      1. DavCrav

        My information comes from Gone in 60 Seconds

        Doesn't the responsible US authority flog it off to anyone who asks, not just companies?

  26. Anonymous Coward
    Thumb Down

    cookies are just part of the page

    Cookies are just part of the page that the user implicitly requested. What their browser does with the cookies is entirely under the user's control.

    Not only is the EU directive ridiculous but the UK laws that are being (mis)used to enforce it don't even mention cookies and it is quite questionable whether they even apply to the situation.

    If law makers want to meddle in technical matters, the least they can do is try to understand what they are talking about. The kind of measures that are being asked for are completely impractical in all but the simplest of situations.

    1. Ian Yates
      Thumb Down

      /sigh

      Unfortunately, while I'm a big believer in the freedom to be anonymous online, I agree with the AC: I think this directive is mostly a waste of time.

      Yes, I'm not an average user so I understand that a) a cookie is *not* a piece of software, and b) I am in control of said cookies.

      What actually needs to happen is for all browsers to implement simple and secure cookie policies (i.e., never share cookies across domains, zero-day security bugs excepted). The whole idea of forcing every website to ask a user if they can store cookies is a joke, when this would be far simpler to be implemented at the browser level - oh, wait! it already is!

      Hats off to the EU for raising awareness of the evilness of cookies and the lives they've destroyed, but I don't really see what problem they've solved here. The companies that want to track you will continue to do so in another way.

  27. Ellis Birt 1
    FAIL

    direct.gov.uk does not comply! Who does and who does not might be surprising!

    direct.gov.uk is in breach of the directive!

    as is the UK's largest employer www.nhs.uk

    as for www.number10.gov.uk, they have had nearly a month

    Come to think of it, can www.parliament.uk claim parliamentary privilege to carry on storing those ever-so intrusive Google Analytics tracking cookies?

    at least when we go online to complain about all this Government prying into our privacy, the ICO will ask for permission to use cookies!

    Surprisingly, GCHQ and CESG do comply because they don't use analytics (is it that they already know who you are and what you are about to think?)

    So I thought I'd trot down to my local (Tory) MP's web site to lodge a complaint. But I come across yet another illegal tracking cookie on www.conservatives.com; just to be fair, I check out the other main parties. Renowned for their attitudes to personal privacy, www.labour.org.uk don't fail to meet expectations with the all too familiar Google Analytics javascript.

    Oh well, surely the Lib. Dems will be championing the cause for Europe and our privacy. Yet another disappointment... _gat._getTracker("UA-xxxxxx-x") but no sign of any request for my permission.

    Oh well, I'm sure my privacy will be safe when I go and see where this directive came from - safe in the knowledge that I won't find a cookie named something like "ec_exit_survey" without being asked - oh, it does exist!

    Well, I'm sure we can find somewhere that the law is obeyed, maybe where it was passed: www.europarl.europa.eu (right click, Page Information) ... surely the cookie called __utmz must be there in error - but it contains my search terms - FAIL

    Disgusted! I think I'll have to get back to work and just forget all this scaremongering!

    1. Anonymous Coward
      Trollface

      @Elias

      Before carrying out such a scientific and wide-ranging study, don't you think it would have been a good idea to have a basic understanding of the law first?

  28. monosodium

    Move along, nothing to see here...

    They can start enforcing this proposed law right after they start enforcing DDA compliance...

  29. Anonymous Coward
    Anonymous Coward

    ICO

    The ICO has an implementation of this live right now

    www.ico.gov.uk

    See how nice it looks? /sarcasm

    See how it fails gracefully when you click Continue without ticking the box /sarcasm

    I like a bit of sarcasm

    I think the ICO are doing us a favour by showing how crud it is; shame they don't sell stuff or carry advertising.

    1. Anonymous Coward
      Anonymous Coward

      Still learning

      I guess they are trying to lead by example... I think the most interesting thing is the commented out script in some of the pages:

      <!--<script src="/scripts/gatag.js" type="text/javascript"></script>-->

      Unless I'm very much mistaken they used to use Google Analytics (aka Big Brother's Sneaky Snoop Code) for the site and have removed it as you need an even bigger pop-up before that can even ask to set a cookie.

      Bye, bye snoopy code. And for all those about to mourn the loss of such "free" services, ask yourselves why they are free in the first place.

    2. iamzippy
      FAIL

      It Surely Sucks

      For an option this 'important' you'd expect them to not camouflage it, like it's just another one of your lame toolbar add-ons.

      Act in haste - repent at leisure. QED.

  30. Tim Walker

    What about CMSes?

    Hypothetical situation: A small business or organisation, decides they need a Web site. The only member of staff they can call on who has any Web nous at all, decides that the site should be based on a content management system (CMS), so that anyone who can type text into a PC can update pages.

    It doesn't really matter which CMS is chosen, but let's assume they go for a free, open-source one like WordPress or Drupal. Now, I don't know what use these systems make of cookies, but I imagine I can take it as read that they do use them for certain features.

    The question here is: would the cookies be the responsibility of the site's administrator(s), even if they were unable to make any low-level changes to the CMS? Even more so: if the site was hosted on (say) wordpress.com, where the site owner has no power to make low-level cookie-related changes to the CMS?

    This is "digging" a bit for effect, but I really wonder if people have thought through the implications of this law...

    1. Just Thinking

      Drupal

      AFAIK with Drupal, as a modular CMS with many individuals contributing open source modules, it is very difficult to know how cookies are used, and next to impossible to do anything about it.

      I doubt that this lets you off the hook though. You always have the option to not use a CMS (you would need to code the site yourself, or pay someone else to do it, or just put up with a crappy html only site).

      If your "site" is hosted on another site, I think that would be entirely different. I am not responsible for El Reg's cookie policy just because I sometimes post comments here. Surely the same is true if you post some pages on Wordpress.

    2. iamzippy
      Facepalm

      @Tim - Trouble At T'WordPress

      I can tell you that you can't log in to WP without cookies. Multi-user WP look out. WordPress without cookies can be as sad as a very sad thing.

      Doesn't help that they use that 'nonce' string in the cookie, either.

      Gonna be a whole lotta head-scratchin' going on...

  31. Anonymous Coward
    Anonymous Coward

    title

    They could ban javascript as well, downloading and running random code from the internet? No thanks.

  32. Anonymous Coward
    Anonymous Coward

    Wording.... Not just cookies.

    By "Cookie" they actually mean any information stored on the subscriber's terminal equipment, that is any data; hidden input fields are probably also included.

    Is there a UK draft of this new law or does the EU wording have the force of law in the UK?

    1. Ejit

      Force of Law

      http://www.legislation.gov.uk/uksi/2011/1208/made

  33. lurker

    Google Analytics

    This could be a pain in the neck for the huge amount of people using Google Analytics to handle their site's usage statistics.

  34. tony 33

    they already agreed

    you can turn off cookie storage (although you won't be able to do much on most sites) so doesn't that already mean you agree if set like this?

    maybe a browser update to set all browsers so you have to 'allow from this website' unless you go and change it

  35. JamieL
    WTF?

    Block ICO cookies and the banner goes away

    OK, so I try out paranoia settings: tell my browser to delete all cookies and not to accept any more from anyone.

    Then visit the ico.gov.uk site. Lo: the banner asking me about cookies has gone, and neither is there any indication that parts of the site won't work any more... Does that mean it now _does_ work?

    1. janimal
      WTF?

      what would be the point

      In asking if they can store cookies if you have already disabled the ability to store cookies before visiting the site?

  36. Anonymous Coward
    Anonymous Coward

    Most cookies are gratuitous rubbish

    I rarely allow sites to set cookies (El Reg is a notable exception) and most sites function perfectly well without them as far as I can see. There is an over-use of these, as well as wholesale tracking via google-analytics and double-click et al, and it would certainly be nice to see that law rein in what's happening on the internet. This is the wrong law, but a step in the right direction.

    Whats needed is a restriction on the direction of travel of information.

    Storing user preferences etc locally, with a view to configuring what the user sees, is acceptable, in my opinion. The issue prompting laws like this is the erosion of the expectancy of privacy (in the UK) and these are real issues we should stand up for (or lose them).

    When I visit eg www.mylocaltownsomething.co.uk I do not expect google to know about it, nor for them to cross link my use of that site with history from another site and use that to target me or sell on my information to a 3rd party; however that's essentially what's happening right now - the difference is that at present google et al are largely dealing in large volumes, so most people are indifferent to it. However I doubt it's beyond them to identify you uniquely if needs be. If this were happening I think we would see people take notice and demand laws, and that alone is possibly why google and their kind will be careful we never really notice this.

    V, because he understood what was happening, and what was needed :)

  37. Nick Gisburne

    Endless questions?

    Do we have your permission to use cookies? You say no. How then do you save this information (without using a cookie) so that the next page you visit knows that you were already asked the question and doesn't need to ask again? <== Ignore this way of working, obviously - I was just daydreaming.

    Surely to get permission to use cookies you'd simply disable the whole site and leave a homepage which says 'click here to use cookies and to gain access to the site'. No big re-engineering job necessary - once you're in it will work exactly as before.

  38. Anonymous Coward
    Anonymous Coward

    Dark Nerd thanks for the link , . . . .

    . . . . tried the www.ico.gov.uk and noticed that they had to store a cookie without consent: "One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice."

    Then they point to privacy notice for details on how to delete etc and just one of the links quoted for more information, http://support.microsoft.com/kb/899918 starts with "The ASP.NET session state is a technology that lets you store server-side, user-specific data. Web applications can use this data to process requests from the user for which the session state was instantiated. A session state user is identified by a session ID. The session ID is delivered by using one of the following methods:

    The session ID is part of a cookie that is sent to the browser of the user.

    The session ID is embedded in the URL. This technique is also known as a cookie-less session.

    Session IDs are a 120-bit random number that is represented by a 20-character string. The string is formatted so that it can be included in a URL and it does not have to undergo URL encoding. For example, the string may be used in cookie-less sessions. The most commonly used method of delivering session IDs is by using cookies to store the session IDs."

    I'm sure most end users will be grateful for that info!

    I agree with hassling the marketing companies that share cookies etc but couldn't they also argue that the session tracking is shared with 3rd parties who generate revenue which funds the site and therefore essential to its core functionality of helping the user by displaying products and services that match their lifestyle based on their browser activity?

    The situation is best described in the last paragraph on the privacy page of the ICO website:

    "This cookie is used to record if a user has accepted the use of cookies on the ICO website."

    1. iamzippy

      Not As Daft As It Seems

      If you've ever worked with cookies, you'll know that the acceptance cookie actually makes sense.

      It is kinda subtle, though.

  39. Dave Murray

    Proper article needed

    Rather than yet another article saying "oooo cookie law is coming to get you" but with no real content we need an El Reg article that explains in plain English what the requirements of this law are. I've tried reading the ICO site but it seems to be written in some kind of unintelligible government lawyerese.

  40. g e

    perhaps a UX like this might work?

    is session active?

    yes --- continue as normal

    no --- redirect below

    .

    .

    Ask user if they want a cookie

    yes -- continue as normal

    no -- redirect below

    .

    .

    Present info to user that they are not allowed to continue using your website as it needs a cookie setting which they have refused. Present a form inviting them to vent their spleen at beaurocracy@eu.gov.

    Just need to get an email addy out of the bureaucrats that people can vent to...

  41. Bruno Girin

    Out-law

    Here's the page on the subject from out-law: http://www.out-law.com/page-10510

    Note that paragraph: "An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though."

    I read this as saying that cookies used to keep a user session alive once the user has logged in are covered by the exception and don't require consent because the fact that you've logged in is an explicit request for the service. Same for a cookie that keeps shopping cart details: the fact that you've added an item to your basket is an explicit request for the service.

  42. Derichleau
    Thumb Up

    No need to panic

    The Information Commissioner's Office has given us 12 months grace to get our website sorted out.

  43. ZweiBlumen

    Wait for ICO and Europa

    I certainly won't be worrying about this until the ICO's website and Europa.eu comply.

    Does anyone know "for sure" :-) whether this applies to Session cookies?

  44. Ellis Birt 1

    Most of us will have longer than just a year of grace.

    @Derichleau,

    Even then, they will only act when there is a complaint.

    New regulations = empty words.

  45. Gary F
    FAIL

    Have the EU produced a guide to explain their new law?

    With the £billions we pay to the EU, surely they have produced a simple online guide to help the industry understand their new law and to explain clearly how we should modify our websites to accommodate it? In particular, small businesses who have their own website or are in the business of building websites cannot afford lawyers to help interpret the raw legislation. The EU, in their great wisdom to rule over us, must have produced a wiki or something useful to help?

    Look at the comments so far. Lots of speculation and discussion, but no one has been able to point to EU documentation to make anything 100% crystal clear.

    This law is a shambles and so badly thought out. I can't see how implementing compliance can NOT ruin a user's experience.

  46. Richard Porter
    FAIL

    Surely the best solution...

    is for the browser to control whether you accept or reject cookies, or decide each time, as I expect most do already. Who's going to update all the legacy sites out there?

    Btw software can include data but data on their own are not software.

  47. Anonymous Coward
    Anonymous Coward

    Phorm - UK is exempt from EU law

    The government has demonstrated that the UK does not need to comply with EU data privacy laws.

    Legally I take this as precedent.

    Still moving my hosting to Azerbaijan though :-)

  48. Anonymous Coward
    Joke

    Modal dialogue popup with big red text...

    ... Yep, that's what we'll implement.

    Every time a cookie request is made, we'll popup a modal dialogue box which says "This site is going to put a cookie on your computer. Yes / No" - it'll have flashing red text in comic sans.

    But in order not to have the popup appear every time, we'll have to store a cookie for the popup, so we'll need to fire another modal dialogue box to ask the same question.

    However, that pop-up will also require a cookie, so we'll have to fire another modal dialogue box to ask permission for that too.

    It's all getting a bit confusing. I know, we'll just store the data in the URL string and hide it with url rewriting - brilliant idea! - that'll solve everything.

  49. Anonymous Coward
    Facepalm

    Big Government

    Big government, small brains, dumb laws.

    Daniel (a Libertarian)

  50. Nick Ryan Silver badge

    Oh good

    yet another law to show just how forward thinking our lords and masters are. It will protect us against the unscrupulous websites that prey on and steal our personal details, about our children no less. Is nobody thinking of the children?

    Or, on the other hand, it's yet *another* layer of annoying bureaucracy that legitimate businesses have had foisted down their throats and will be ignored by those that were abusing it in the first place.

  51. John Latham

    Change is possible

    Two subdomains.

    cookies.blah.com uses cookie sessions.

    nocookies.blah.com uses URL-based sessions.

    All search engine traffic goes through cookies.blah.com, so users would generally hit that first. If they have no cookie set, pop up dialog. If they say yes, set cookie. If they say no, redirect the URL to nocookies.blah.com preserving path and querystring.

    Might be a problem stopping the nocookies URLs from spreading through inbound links, but maybe you could do something with URL referer, e.g. bounce requests back to the cookies subdomain if the referer is off-site.

    Or you could do the same with a path, e.g. blah.com/nc/xyz (no cookies) and blah.com/yc/xyz (yes cookies).

    I think this is relatively straightforward to do in Spring framework (for instance), although I wouldn't particularly like to have to retrofit it to a site on a tight budget.

    Google Analytics is going to be painful though.

    Anyway, interesting technical challenge but stupid law. People should take responsibility for their own user agents.
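Added example, not code from any of the commenters and not from the Spring project: a Python sketch of the consent gate described in comments 37, 40, 41 and 51 above (ask once; on "yes" continue with a cookie session, which the 41 reading of the "strictly necessary" exception covers; on "no" redirect to a cookie-free subdomain that carries the session in the URL; bounce off-site referers back to the cookie host). blah.com, the cookie and parameter names, the cookie attributes and the in-memory session store are my own choices for illustration; a real site would sit this behind its framework's request and response objects.

```python
"""Consent gate with a cookie host and a no-cookie host.  Added illustration;
every host, cookie name, parameter name and attribute here is invented."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlsplit

COOKIE_HOST = "cookies.blah.com"       # hypothetical hosts, as in the comment above
NOCOOKIE_HOST = "nocookies.blah.com"
SITE_SUFFIX = "blah.com"
CONSENT_COOKIE = "cookie_consent"      # the one cookie set after asking: records the answer
SESSION_COOKIE = "sid"
SESSION_PARAM = "sid"                  # same id carried in the URL on the no-cookie host
COOKIE_ATTRS = "; Path=/; Secure; HttpOnly; SameSite=Lax"   # my defaults, not from the page

SESSIONS: dict = {}                    # session id -> server-side state (stand-in store)


@dataclass
class Request:
    host: str
    path: str = "/"
    query: dict = field(default_factory=dict)   # single-valued for brevity
    cookies: dict = field(default_factory=dict)
    referer: str = ""
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    headers: list = field(default_factory=list)
    sid: str = ""                                # session the page was served under


def new_session() -> str:
    sid = secrets.token_urlsafe(16)              # unguessable, unlike a counter
    SESSIONS[sid] = {}
    return sid


def path_with_query(path: str, query: dict, drop: str = "") -> str:
    q = {k: v for k, v in query.items() if k != drop}
    return path + ("?" + urlencode(q) if q else "")


def safe_next(target: str) -> str:
    """Only same-site relative targets, so the consent form is not an open redirect."""
    if target.startswith("/") and not target.startswith("//"):
        return target
    return "/"


def handle(req: Request) -> Response:
    return handle_nocookie(req) if req.host == NOCOOKIE_HOST else handle_cookie_host(req)


def handle_cookie_host(req: Request) -> Response:
    # The user answered the question: set cookies on "yes", leave for the
    # no-cookie host on "no", preserving path and query string either way.
    if req.path == "/consent" and "answer" in req.form:
        target = safe_next(req.form.get("next", "/"))
        if req.form["answer"] == "yes":
            sid = new_session()
            return Response(303, headers=[
                ("Location", target),
                ("Set-Cookie", f"{CONSENT_COOKIE}=yes; Max-Age=31536000" + COOKIE_ATTRS),
                ("Set-Cookie", f"{SESSION_COOKIE}={sid}" + COOKIE_ATTRS),
            ], sid=sid)
        return Response(303, headers=[("Location", f"https://{NOCOOKIE_HOST}{target}")])

    # Consent already given: continue as normal with a cookie session.
    if req.cookies.get(CONSENT_COOKIE) == "yes":
        sid = req.cookies.get(SESSION_COOKIE, "")
        headers = []
        if sid not in SESSIONS:          # expired or forged id: issue a fresh one
            sid = new_session()
            headers.append(("Set-Cookie", f"{SESSION_COOKIE}={sid}" + COOKIE_ATTRS))
        return Response(200, body=f"page {req.path} (cookie session)", headers=headers, sid=sid)

    # No answer yet: ask, remembering where the user was going.  Nothing is set here.
    return Response(200, body=f"consent form; next={path_with_query(req.path, req.query)}")


def handle_nocookie(req: Request) -> Response:
    # Stop no-cookie URLs spreading via inbound links: an off-site referer is
    # bounced to the cookie host (direct visits with no referer pass through).
    ref_host = urlsplit(req.referer).hostname or ""
    if req.referer and not (ref_host == SITE_SUFFIX or ref_host.endswith("." + SITE_SUFFIX)):
        back = path_with_query(req.path, req.query, drop=SESSION_PARAM)
        return Response(303, headers=[("Location", f"https://{COOKIE_HOST}{back}")])

    sid = req.query.get(SESSION_PARAM, "")
    if sid not in SESSIONS:
        sid = new_session()
    # Links rendered into the page must carry the id, since no cookie will.
    self_link = path_with_query(req.path, {**req.query, SESSION_PARAM: sid})
    return Response(200, body=f"page {req.path} (URL session; self link {self_link})", sid=sid)
```

Two caveats a practitioner would want. The consent cookie itself is set without asking, which is exactly the cookie the ICO site admits to in an earlier comment. And a session id in the URL is visible in the Referer sent to any third-party link on the page, in proxy and server logs, and in shared bookmarks; the referer bounce limits link spreading but not that leakage, so URL-carried sessions should be short-lived and hold nothing you would mind an outsider replaying.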

  52. Eeep !
    Facepalm

    But isn't all data just a program waiting for the right interpreter ?

    On my computer there are files that contain text - this is just data. The same file content is the same data whether the name is xyzzy.txt or xyzzy.c or xyzzy.py or xyzzy.java - just data.

    Passing the content of all of these files (all the same) to a word processor or c compiler or python interpreter or java compiler produces different results - some consider the content to be data to be displayed, some data to be compiled, some data to be executed.

    So a cookie is data just like a .txt/.c/.py/.java file - but for some they consider the extension of the file to make the data different. So, define a cookie with the name "Z80" that should have a hex string value (valid Z80 op-codes only); any website or browser that can read the value of the cookie can 'execute' the Z80 instruction on an emulator.

    Is the cookie data or a program? The name of the cookie is identifying the content/value of the cookie as a program, much like the .txt/.c/.py/.java extension of the file, and could possibly be considered to be an instruction to execute the content as Z80 machine code.

    How about cookie name "bash" and the value "rm -rf *" ?

    So the presence of a cookie with a particular name CAN cause different behaviour at the server or client that recognises the cookie name, and the value of the cookie can do the same. No cookie of "alreadysignedin" instructs the server to act as if the user is not signed in and a login page should be shown, and presence with a value of "<valid session-id>" instructs the server to do all sorts of things: valid session verification, specific user information such as nickname and discount vouchers are displayed in the page.

  53. Anonymous Coward
    Unhappy

    Sigh

    Two pages of twaddle. I can remember when cookies were tasty. I'm too old.

  54. Anonymous Coward
    Devil

    Silver lining...

    If you only have to ask for consent for cookies that match the definition of software, i.e. contain executable script code...

    and for the scoffers, YES, I have seen such cookies!

  55. Criminny Rickets
    Big Brother

    Permission

    Would a small disclaimer at the top of the home page work?

    Something like "This website may or may not use cookies to either enhance your enjoyment of this site or track the usage of pages on this site. If you do not agree to our use of cookies, please click on your HOME button, otherwise, continued usage of this site implies your consent to the usage of cookies from this site."

  56. mikeoneill

    Cookie button

    The CookieQ button (http://cookieq.com) removes cookies from visitors' browsers unless they have opted in to cookies at your site. You can give them a default opt-in period which they can override, and they can manage their cookie consent from one page, where they can also withdraw or give their consent to cookies at any time.

  57. Harry Tansey
    Flame

    How did this ever happen?

    Overly restrictive!

    The restrictions on using session cookies and analytics cookies, such as Google Analytics cookies, are ridiculous. Session cookies merely get over the fact that http is stateless and allow features such as a vote to work without the user then being able to vote again - can you imagine "when you vote for your favourite choice would you please accept this cookie, because if you don't you can vote as many times as you wish"... or the amount of log on forms that have to be polluted with "blah blah, cookie, blah blah...." ... that'll do a great service to web design!

    Not to mention ICO themselves drop a session cookie without asking... let's face it, storing a number on a user's browser really isn't that intrusive, to do without just means a lot more work behind the scenes to achieve the same goal.

    Why shouldn't a website owner be able to track a user's visit around the site to see how the site is used, or to help with problems? It's not like you can opt out of CCTV in a physical store.

    Yes, third party cross-site advertising is intrusive, and this is where the effort of enforcement should be placed, not on routine functionality used unobtrusively by millions of websites.

    It's bad enough if you are capable of doing something about it. What about those web site owners who use code developed by third parties or open source? Have the EU investigated the effects on such people who'll have to pay (in time and/or money) to "fix" their web sites?

    This is a total waste of time and money. Why should UK/EU site owners be disadvantaged by all this extra effort and pollution of the user experience?

    The web industry should be up in arms about this. Where are the protest sites?

This topic is closed for new posts.