back to article 90% of visitors declined ICO website's opt-out cookie

As we know, no one is on time in implementing the EU's cookies directive. Well, two countries managed to get their laws in place in time, the other 25 didn't bother. The UK has given everyone a year to comply, a year longer than we're supposed to have. Not fixing your website doesn't seem to be an option, given the £500,000 …

COMMENTS

This topic is closed for new posts.
  1. Chad H.

    So....

    When will El Reg begin asking me if I want Cookies and milk?

    1. Frumious Bandersnatch
      Trollface

      we've all been softened up for this already

      One fine day the Reg will ask if you want a platinum cookie, and most people will jump at the chance since they know what a wondrous thing it is. Most people won't read the fine print, obviously.

  2. Thomas 18
    Thumb Down

    opt in opt out

    Fundamentally they want to go from opt out (find the software that blocks them) to opt in (tickybox). It's no wonder they end up with a massive difference.

    http://danariely.com/2008/05/05/3-main-lessons-of-psychology/

    (for folk who love the thinky sciences)

  3. Alien Doctor 1.1

    LSO may go here if it's allowed

    Sorry, had a day off and am a bit wobbly: why not fuck up the LSO's rather than cookies? LSO's are evil nasty bastards that deserve all they get.

    So what if I visit something with flash on - I want to leave the site and have no traces, yes I'm an anti-CCTV, privacy-issue twyt et.c. : when I leave a site I do not want anything left on my PC; in fact I really object to the idea/fact that you (sites) can write to my storage with no permissions when I have set some of the stringest policies I can.

    Fuck you for trying to track me. I don't care if it gives me a greater user experience or easier shopping - I care about the security of my equipment and data not your fucking bottom lines or deals with advertisers.

    1. Paul Johnston
      Alert

      Pardon?

      What have the London Symphony Orchestra done to upset you so much?

    2. Destroy All Monsters Silver badge
      Meh

      "not your fucking bottom lines or deals with advertisers"

      No bottom lines? Enjoy your boy-scout supported circa-2000 website crap with lousy spelling and a couple of thumbnails. That you can't find coz no search engines.

      1. Paul Shirley

        @Destroy All Monsters

        I find all those advertising supporting flashy sites do a bloody good job of stopping me finding what I'm really looking for. Usually so busy trying to look pretty they either forget to put any meat on or hide it under so much flashing crap it's not findable.

        That 'circa 2000' bare web has a lot going for it. Perhaps if folk stopping pissing pounds away on graphics they could afford pennies on real information. And just maybe the more useless ones will just bugger off and stop polluting the web if the cookie ban fscks up their business plan enough ;)

      2. itzman

        So?

        Possibly. But that's why you have paid portals.

        Not advertising paid portals.

        I run a teeny website. I mentioned it. Someone else said 'hey look at this' and before I knew it,. hits from all over.

        I subscribe to the FT. dozens of links for people who are interested in economies, finance etc. Its worth paying the journalists to assemble the links.

        And that's the point. Its worth paying for...if its worth paying for

        1. Anonymous Coward
          Facepalm

          @itzman

          and yet here you are commenting on an ad-funded free website. Oh the irony...

    3. Mikey
      Trollface

      Title? Title!

      "Fuck you for trying to track me. I don't care if it gives me a greater user experience or easier shopping - I care about the security of my equipment and data not your fucking bottom lines or deals with advertisers."

      So from this, can we assume all of your machines are permenantly offline, with no additional access to them excepting the keyboard, mouse and monitor? Because that would obviously be the best security, and you seem to be very concious about that. Or maybe you use a machine that's heavily locked down to Fort Knox standards, and you gov-wipe the HDD at least 6 times afterwards prior to restoring the image again?

      Or, you know, you could just use the internet like a normal user, and stop being a petulant child who whines about every percieved injustice in case anyone actually listens ;O)

    4. bogwart
      Happy

      But apart from that, Mrs Lincoln...

      Why don't you tell us what you really think?

  4. Richard Fletcher
    FAIL

    ICO complies?

    I don't think ICO complies as they use a session cookie, to use the session cookie without permission one needs to say that the cookie is "essential to the site function". They say "This cookie is essential for the online notification form to operate and is set upon your arrival to the ICO site. This cookie is deleted when you close your browser."

    I don't think an "Online notification form" is essential.

    But hey, since they decided it is for them, perhaps it is for me too, though it's hard to tell as I can't find the "online notification form" that is so essential for the site to function...

    1. This post has been deleted by its author

    2. Anonymous Coward
      FAIL

      Re: ICO compiles?

      They don't comply because they install a cookie without your permission

      It's no use installing a cookie then telling you about it. They have to tell ask beforehand.

      The sessin cookie idea is rathy crafty because most people won't realise that all the information gathered is being stored on their server instead of locally, it will still be collected. The minor plus side is that the cookie expires when the session closes, however, even that that won't prevent them from connecting the dots to build up a profile from further sessions.

      Big fail on the part of the ICO.

      1. CD001

        Session has nothing to do with it

        You can install ANY cookie as long as it's for the essential functioning of the site ... the specifications don't say anything about expiry dates. If you wanted to, you could store a session that lasts indefinitely and tie that into data held in the database between visits, as long as it's essential for the functioning of the site of course - so session and user authentication cookies are fine.

        However, anything that's used merely for analytical or ad-tracking purposes (indeed anything that's not essential) requires an explicit opt-in.

        So the ICO is actually obeying the law - they even set a cookie which tells the site that you've opted out as that's "essential" to ensuring that they don't place any other cookies (a saner alternative, admittedly, would be to set a cookie that says the user has opted IN and therefore, if that cookie isn't set, then treat them as having opted out... but hey).

      2. Colin Millar
        Boffin

        Building a profile from sessions

        If you can do this then you ain't using session cookies.

  5. Dave Murray
    Alert

    The Death of European Websites

    Worse than that, only European sites will be affected by this reduction in recorded traffic so advertisers will see sites in other parts of the world as having more traffic and representing better bang for thier buck. It is now no longer economically viable to run an internet company in Europe unless you have a paywall. That'll help our economic recovery. Well done EU!

  6. MarcusArt
    FAIL

    This policy will sure need a turn-about

    This cookie opt in farce is beautifully illustrated on the ICO website. The header is taken up with a message to op out. You click continue to get rid of the box and it tells you that you have to opt-in to continue! Not sure if the website completely works without cookies?

    It's another classic: Europe.UK.Gov.IT.Web.fail.

  7. Graham Marsden
    Thumb Up

    "Over 90 per cent of site visitors...

    "...declined to accept a Google Analytics cookie"

    So just like all of us who block GA using NoScript...

    1. Chris 3
      Facepalm

      Why, as a matter of interest?

      Don;t you like the idea of the Web site that you're using doing basic analytics to improve their Web site?

      1. Tony Green

        Things like Google analytics are a pain in the arse

        So many times I've sat waiting for a page to load and I see my browser saying it's waiting for ssl-google-analytics.l.google.com, s.ytimg.com or ad.be.doubleclick.net. So as far as I'm concerned, they're getting in my way so I'm going to block them.

        1. Doctor_Wibble
          Black Helicopters

          banned some domains here

          Various domains are banned here at Castle Wibble for precisely the same reason. The first time I became aware of google analytics (amongst others) was courtesy of the 'waiting for...' bit.

          I have them resolving to an internal web server and the logs show the vast quantity of information passed on via request (with its referrer data) which I am glad is no longer subsumed into the various third-party data mountains.

          It wasn't entirely down to being impatient - numerous sites have these things on their checkout pages and I didn't fancy the idea of someone's dodgy coding 'accidentally' handing my card details to some untrusted third party. Untrusted because I chose to trust the website/retailer, not their stats collector.

        2. Jaruzel
          Megaphone

          Totally Agree

          As a small web-shop owner, I've had google-analytics installed since day one, but once the cookie monster law appeared over the horizon I looked into replacing what GA does with my own bit of code. After about 1 hour of fiddling with a bit of javascript and some backend ASP I ended up with almost the same data being collected but as an integrated (not third-party cookies) function in my site. It also ran much faster (at the page load end) than GA as well.

          My point being, there are many Analytic systems out there but people continue to use Google's because it's free. Which is a shame, because bit by bit Google are strangling web innovation with their one-size fits all solutions. Most people don't bother looking at alternative ways of doing things because there's almost always a Google product that will do most of it for them...

          Welcome to the turn-key Web, leave your ideas at the door.

  8. Anonymous Coward
    Anonymous Coward

    I block them with noscript

    All the tracking sites etc get blocked automatically.

    1. Anonymous Coward
      Anonymous Coward

      Do you block

      Omniture?, including the ssl ones?

      1. Chronos
        Thumb Up

        Re: Do you block

        Omniture? Blackholed on the firewall and has been for years. This is just a small portion of my blockthetossers script:

        ${addcmd} 205.216.15.64/27 # Omniture confirmed ARIN

        ${addcmd} 205.216.7.128/28 # Omniture confirmed ARIN

        ${addcmd} 207.108.181.0/24 # Omniture confirmed ARIN

        ${addcmd} 216.143.122.0/23 # Omniture confirmed ARIN

        ${addcmd} 216.194.125.0/24 # Omniture confirmed ARIN

        ${addcmd} 216.52.17.0/24 # Omniture confirmed ARIN

        ${addcmd} 65.119.25.152/29 # Omniture confirmed ARIN

        ${addcmd} 66.150.208.0/24 # Omniture confirmed ARIN

        ${addcmd} 66.150.217.0/27 # Omniture confirmed ARIN

        ${addcmd} 66.151.137.0/24 # Omniture confirmed ARIN

        ${addcmd} 66.151.146.192/27 # Omniture confirmed ARIN

        ${addcmd} 66.151.152.0/24 # Omniture confirmed ARIN

        ${addcmd} 66.151.244.0/24 # Omniture confirmed ARIN

        ${addcmd} 66.235.128.0/19 # Omniture confirmed ARIN

        ${addcmd} 67.133.240.0/24 # Omniture confirmed ARIN

        ${addcmd} 70.42.134.0/24 # Omniture confirmed ARIN

        ${addcmd} 74.201.95.0/27 # Omniture confirmed ARIN

        Anyone else you'd like to ask about? Audience Science? Experian? Because those and many, many others have been blocked for the same length of time. Hardly any performance hit because Radix trees are quite efficient at this sort of thing. I see it's now becoming trendy, which means most people will get it horribly wrong. Ho hum...

        1. Anonymous Coward
          Anonymous Coward

          you missed some!!!

          see title

  9. Dangermouse

    Slight mistake here...

    The article should read "....There's only one site I know of which *PARTIALLY* currently complies with the law: the Information Commissioner's site."

    ico,gov.uk does indeed have the clicky ticky box, however if you go to the jobs section on the main page it launches a new tab at ico.jobs.

    No clicky ticky in sight there....

    Ho hum.

  10. Justicesays
    Facepalm

    Self selecting sample

    I'm going to guess that a large number of the visitors to the ICO website will be people who are concerned about privacy and their personal data.

    This figure may not be as high on other websites.

  11. Hayden Clark Silver badge
    FAIL

    Tracking website use with Google Analytics

    ... is for the lazy.

    According to TFA, they are counting site visits using GA. Why not simply count visits using a script on their own server? Oh, sorry, the expensive content management system we paid for can't do that, and they have no process for chucking a few hundred quid at a Perl-savvy contractor to write one.

    1. Anonymous Coward
      Anonymous Coward

      Yeah, make sure they feature match the rest of the list as well

      http://www.google.com/analytics/features.html

      1. nyelvmark
        FAIL

        Huh?

        http://www.google.com/analytics/features.html

        returns error 404 (not found) for me.

      2. Hayden Clark Silver badge
        Unhappy

        Well, yes obviously..

        .. but the ICO FOI data implies that GA was the *only* way they have of actually measuring site views and unique site visitors.

        Since the ICO doesn't have advertising on its pages, it must only be using GA for tracking usage within the site. That kind of tracking should either be implemented locally, or built in to the ASP.NET application that runs it. In fact, the law (and the clumsy ICO site implementation) illustrates the problem. Site owners have used services like Google Analytics as a simple usage tracking system, whilst compromising the privacy of site visitors by adding to GA's record of their browsing habits.

      3. CD001

        Piwik

        http://piwik.org/

        GA clone running in PHP/MySQL that you install on your own hardware.

  12. Andy Morrell

    .com & .co.uk hosted in US?

    Ok so someone answer me this.

    I have a .com hosted in the US, do I need to change?

    I have a .co.uk hosted in the US, do I need to change?

    what about .net?

    Is it based on who the domain is registered to?

    I haven't been able to find a straight answer, I know it's government and laws so there probably isn't one but does anyone know?

    1. nyelvmark
      Unhappy

      Yes, you do.

      It doesn't matter where the domain is registered, or where the site is hosted. If the business operates in the EU, it's subject to this law. Or at least, that's what the sainted Neelie Kroes says, and she ought to know. So to evade the law, you need to move your business registration and company seat out of the EU.

      Looks like good news for the Isle of Man, Channel Islands etc.

  13. itzman
    Thumb Up

    Indeed

    Lets face it, if you could watch TV without adverts, and surf the net without hugely slow bandwidth wasting flash adverts why wouldn't you?

    And as you so rightly point out, who will pay then?

    My guess is that we will be pay per click some day. minuscule amounts. But we will pay.

    And be free of advertising forever.

    I personally cannot wait. If I want to research a product, fair enough.

  14. Frumious Bandersnatch

    I can understand outsourcing your ad links

    But surely a web server who wants geolocation data can just get it from their access logs, which store IP addresses. Shouldn't be too hard to collate those data with referring page information on the advertiser's site, or simply capture the click on the server and use a redirect to actual advertiser. Or is disintermediating Google just too costly/troublesome for most?

  15. Scarborough Dave
    Unhappy

    I really don't know what to say on this Law

    So now I may end up in the situation of having less information which helps me manage our website.

    We have no adds and flash!

    But the thought of having to have a popup at the front of the site, makes me think “forget third-party analytics!”

    Until you realise that stats from your server are generally "polluted" with robot spider visits.

    Personally, if only the EU people would get a proper job, then maybe the rest of us can get on with ours!

    1. Anonymous Coward
      WTF?

      Ditto...

      ... I use Google Analytics to figure out which links should be on our Landing pages, the idea being that the most popular always get on the landing page making for a quicker journey to the most popular tasks.

      Yup, I know we have server logs and such like but we don't have the money to throw at developers to get something in house that provides the kind of info GA does.

      I know upper management are gonna insist on website surveys to replace the lost data which means all the work we've done to improve our site and site confidence with the users will be lost.

      I get why the EU is doing it but I would like the UK to be successful in it's discussions of implementing this in a better way via the Browser manufacturers.

  16. JP19

    Don't need no stinkeen cookies

    And in other news Tescos new online banking service uses browser fingerprinting tech from arcot without telling you never mind asking for permission.

  17. Anonymous Coward
    Anonymous Coward

    Since i have a year, ill wait a year

    Since the ICO has given UK webmasters a year to get it sorted then ill take my full 12 months thanks very much. But since the websites i run are of an 'adult' nature i doubt many people are going to go running to the police to report that a google analytics cookie was still on the websites after the 12 months has expired, and besides I opted for the whois privacy service of my registrar so the address the domains are registered to Suite 200, Olympic blvd, Los Angeles, US of A. along with 1556154 other domain names so good luck tracing them to me.

    AC for obvious reasons

  18. Charlie Clark Silver badge
    FAIL

    Okay, I'll bite

    "But the way we know [where a visitor is from] is by the cookies".

    Mr Worstall has managed plumb new depths after the "standards" fiasco. This statement is entirely untrue, cookies are used for maintaining state and if you really want to know where some is from you can always use the HTML5 Geo extensions to ask their permission.

    Is this the end of journalism on El Reg as we know it? Or just a cunning plan by El Reg to show us what we will have to read if we don't opt-in into snooper cookies?

    A few answers to other questions in a possibly vain attempt to stop the spread of ignorance:

    * LSO's are covered just as much as http cookies;

    * If free analytics are really worth that much then why are they given away? Answer because visitors are unwittingly paying the price by providing lots of personal information about their browsing habits; there are alternatives

    * Snooping advertisers are selling the information they gather on your customers to your competitors;

    * Omniture already conforms to European data protection legislation. Same origin cookies would be preferable with scrubbing (anonymisation of the IP address) as soon as possible

    * The legislation will not be the end of the world as we know it

    1. Anonymous Coward
      Anonymous Coward

      sure?

      Omniture conforms?

      So how does the front end of my site tell the Omniture beacon to not fire the t() call or the noscript ... oh *I* have to wrap the beacon in some conditional code do I ???

  19. AlistairH

    Lord who?

    It was Lord Leverhulme, not Lord Lever

  20. Anonymous Coward
    Anonymous Coward

    accept cookies for session

    firefox has for sometime now had the option to 'ask every time' when third party cookies are planted - always click 'for session' + 'use my choice for all cookies from this site' unless it is a site I plan to use again etc.

    Just need all the other borwsers to have this feature and then there is no need for this new directive?

    1. Tomato42
      Thumb Up

      browsers

      Yeah, it looks like they hit the nail from the wrong side.

      Requiring browsers to have the above mentioned behavior as default would actually change something for better.

    2. CD001

      IIRC

      Bizarrely, IIRC, that's why we've got a year's grace - I think someone in UK.gov actually heard about this idea (I'd be beyond bloody amazed if they thought it up themselves) and actually pushed the idea of working with the browser makers to simplify their cookie processes so that, by default, the (spirit of) the law is complied with.

      i.e. the user/browser configuration setting determines whether the user wants to accept cookies - their permission is taken as being given (or not) based on those settings and the websites don't have to do anything.

      It's an iffy one with Google Analytics mind since their cookies seem to originate from the domain of the site you're visiting - therefore first-party/third-party permission systems don't actually work.

  21. Smoking Man
    Happy

    Some addons to FF..

    Adblock+, Ghostery, BetterPrivacy, GoogleAnalytics Opt-out, NoScript.

    Should keep most of the crap out. If you called me mad, you might be right :-)

    1. Jimmy 1

      Just another Googly.

      Googles own opt-out extension is nothing more than a cunning PR job as clearly described by Noscript creator Giorgio Maone over here:-

      http://hackademix.net/2010/05/26/google-analytics-opt-out-snake-oil/

      The Noscript solution deals with the bullshit elegantly and terminally. Ciao, Giorgio.

  22. Anteaus
    Coat

    Get us OUT!

    It would be great if the year deadline were academic because we were no longer in the EU by that time.

    Then, the Whitehall shredders will need to do some serious overtime on all those thousands of unwanted laws.

    1. CD001

      Yaaay

      Then we'd have NO oversight when Phorm/BT/whoever wanted to hand UK.gov a bung to allow them to operate illegally (granted UK.gov seems to be pretty much ignoring the court proceedings levelled at them from the EU) - depressingly the ONLY people looking out for the rights of the "little people" in the UK are in Brussels!

      To be honest, I'm beginning to think we need to throw all the UK politicians into the North Sea and ask Germany if they'd like a new province.

  23. Phil Endecott

    What does Google Analytics give me, exactly?

    OK, so have have various websites and I have regular server logs for them which I look at occasionally. I can see referrers, and which pages are more popular, and what browsers people use, and if I could be bothered I could geolocate the IP addresses. What exactly would I get by adding Google Analytics?

    Is it the case that people are using Google Analytics just to do stuff that they could achieve themselves by looking at their own logs?

    1. Anonymous Coward
      Anonymous Coward

      oh, nothing really*

      interesting things like bounce rate, site speed, SERP click through against results position etc etc etc etc

      *when I say nothing, probably everything

    2. Tom 7

      Google Analytics gets you

      practically nothing - I block it just about everywhere I can.

      My favourite sites are ones that 'check' to see if you use it and screw up if you don't - nose face spite thingie.

  24. Anonymous Coward
    FAIL

    Visibility - not very

    A big fail on the ICO's part. I clicked the link to the site and spent 10 seconds or so waiting for the prompt to appear. I thought initially that because I've visited it in the past it wouldn't appear. Then I noticed the very unintrusive box at the top of the screen. Not very noticable at all if you follow UI guidelines. I'm looking at the main part of the page, not the header where I expect to find banners, headlines, menus or the name of the website.

  25. Amos
    Boffin

    @Phil Endecott

    Yes exactly so. Its pure and simple outsourcing of analytics tasks to Google.

  26. Andrew Jones 2
    FAIL

    I am still very unclear on this whole nonsense.

    OK here are my questions - I hope someone can answer?

    1) If I have to ask a visitor the "first" time they visit my site - I presume I am checking to see if they have a cookie from my site that let's me know they are accepting my cookies. If the cookie does not exist then presumably I have to assume they have never visited my site before and therefore they need to be asked if they will allow me to send them cookies. The only way I can know throughout the rest of their session on my site that they don't want cookies from the site is to use a server session based on their IP address to store that information?

    Thus if the session is ended on the server the next time they load any page on my site - I need to pop up that message again (otherwise how do I know if they have been asked already - short of storing every visitors IP address in a database - which seems to me to more of a privacy concern than a cookie would be)

    2) Third Party Analytics -

    Technically if I use Statcounter or Google or whoever to gather data on how people use my site - it is not MY site setting the cookie - it is Google or Statcounter or whoever. My server sends no code to the browser at all asking it to store a cookie.

    3) Application?

    Who exactly in the UK does this affect?? is it EVERY website? Just business? Does Charity come under the regulation?

    4) Implementation?

    Why is it that this news is really only being covered on tech news sites?

    If this is really as important as people make it out to be - there should be headlines across the web, there should be FREE services to help individuals to clean up their websites.

    The first non-business website to get hit with a fine for this stupid crap will literally kill the internet overnight. "Mr Smith of Leeds has been fined £100,000 because his website left a small text file on a computer after the user of the computer visited his website." You mean his website did what 99% of websites have done ever since Internet Explorer 3? All (decent) browsers allow to deny or accept cookies on a site-by-site basis (or just switch them off entirely). All browsers allow you to clean your cookies (and temporary internet files) out whenever you like.

    This makes me wonder how long it will be before people start having to pay fines because they got a virus on their computer.

    1. Steven Roper

      Using IP addresses as a means to identify returning visitors

      is a really bad idea. Most ISPs have their customers on dynamic IPs that can change every hour or so. Added to that, a lot of people come through anonymising proxies or VPNs (especially in this day and age of web blocking and censorship) which can be completely misleading as to their location and identity.

      I myself use a lesser-known but blisteringly fast VPN service with tunnels to several countries to get around things like Hulu and BBC geolocation, or to confuse location-tracking websites when I don't want them to know where I'm from. I know several people who now subscribe to VPNs in the face of the Telstra/Optus voluntary censorship coming up in Australia. This market is only going to grow in future, and it means for web developers that IP addresses are no more an effective means of tracking state than the user-agent string.

      Ultimately there are two ways of keeping state around a website: cookies and session-ids. Cookies have the disadvantage of being easily blocked by the visitor (and of now being covered by this law), but they also have the advantages that they automatically maintain state once set without any further action needed from the web designer, and that they maintain state when the visitor leaves the site.

      Session-ids OTOH are embedded in the url (or postdata for form submissions) and have the advantage of not being easily blocked by the user or being covered by laws, but have the disadvantages of losing state if the visitor leaves the site, and that every intra-site link on every page must carry the session-id.

      Either way is a much better way of maintaining state than an IP address.

    2. CD001

      Tuppence worth

      1: the ICO sets a long-term cookie that states that you've opted NOT to allow them to set cookies. This means that if that cookie is there, the visitor won't see the message asking them if they want to accept cookies every time. You are allowed to do this as it comes under the "essential functioning" clause of this cookie law.

      2: This is one bit that's REALLY not explained - if you're using Google Analytics it's their service that's placing/using the cookies, although, because GA cookies appear to originate from YOUR domain and because YOU'VE installed GA to track YOUR customers I'd guess YOU might need to obtain consent. I have absolutely NO idea what would be the requirement if you were to embed a YouTube video on a page on your site however...

      3: Technically it applies to everyone, including charities. In reality I'd be amazed if a £500,000 fine was levied as "Joe's WordPress Blog" for instance.

      4: Implementation is entirely up to you - make it bright red, flashing and annoying if you like. If you want to protest make it bright red, flashing, annoying AND provide a brief reason as to why you have to legally get permission from your visitors with a link to the relevant EU website.

      In short, the sky isn't falling - people will still be able to have Blogger/Blogspot sites and Facebook accounts, Google will still advertise and the world will go on.

      About the ONLY changes you might expect this to have would be that web-devs will need to look at which third party software they incorporate into their site and whether that software places cookies (Google Analytics) and targeted advertising may need to rely on traditional methods like targeting the demographic of the site's visitors rather than the individual visitors themselves... just like people have been doing in print advertising for more than 100 years.

      In short, if you're in the UK, investigate how you might logically implement it but otherwise ignore it for now - whatever the hell is implemented in a year's time will probably be radically different (and knowing UK.gov a lot more restrictive, imposing and unworkable).

      I'd still love to know what you'd do with regards to an embedded YouTube video though :\

  27. Old Tom
    WTF?

    Session cookies

    So I can't go <?php session_start(); ?> without asking first?

    Therefore, I have to have a separate page with an 'accept cookies?' dialogue before I can send the visitor to the page they wanted. What if they type in the url of a page that uses sessions?

    I see the ICO didn't do that, they created the session cookie anyway.

    1. CD001
      Thumb Down

      Wrong

      Try to read something about what you're commenting on before commenting - you'll look like less of a plank.

  28. Mike 137 Silver badge
    Stop

    More than just "cookies"

    Having participated in a UK forum on this legislation I feel I should point out that Mr. Roper is mistaken on an important count. The European legislation does _not_ just relate to cookies in the strict technical sense - it relates of all tracking methods, and the exemption for functionality is being very narrowly interpreted.

    The underlying aim of the legislation is self-management of personal privacy, so that makes perfect sense. I have actually raised the issue of server-side session-to-session state with the ICO and have been told it does come within the remit of the legislation unless it is strictly and solely used for direct benefit to the user.

    1. Andrew Jones 2
      FAIL

      re: session state

      So -

      We are required to know whether or not the visitor has or has not clicked the box to allow cookies.

      If there is no cookie on the machine - we display the message.

      We must display the message continuously on every page of the website until the visitor finally gives in and clicks the box....

      Sounds a bit like harrasment to me. My partner however has pointed out that it probably won't be long until 3rd party extensions for the major browsers provide a way to automatically tick the box without having to see the message,

      I can see the web becoming a very ugly place if every website in the EU carries a message (and you know some websites will actually have a popup message rather than a tiny notice at the top of the page where most people aren't looking) on every bloody page of the site.

      As for those people on a shared hosting platform - the bit in php.ini that changes whether a php session is passed on the address bar or in a cookie - is that overrideable on a site by site basis or is it a global server wide setting?

      People better check "session.use_cookies" is set to 0 but we also better make sure we store some sort of unique identifier related to the Session ID for each visitor because - as the PHP Manual states -- "URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example."

      Don't want to get into trouble with the law because Mr Smith sent Mr Jones a link from a shopping website which contained a session id in the link. Mr Jones is now suddenly logged in to Mr Smith's online account and can make purchases via Mr Smith's account details......

      And yes the law says you can use cookies if they are essential - but online shopping *can* work without cookies - it is just not as secure - doesn't make it any less "functional" though.

  29. Atonnis
    Meh

    Sweet :)

    Although I'm absolutely cheered by the wonderful news that people are starting to wake up to saying 'f--k off' to the endless tracking going on, I know in my heart that web sites will just make sure that their site doesn't work unless you accept the tracking cookies, even if they could just make it work anyway.

  30. Anonymous Coward
    FAIL

    @Since i have a year, ill wait a year

    You do know that your real address is also stored right? and law enforcement can request it from the registry?

  31. jimbarter

    just one more thing...

    1. there are no adds on the ICO site.

    2. they may not be able to count 'visitors' but they can still count page requests and impressions

    3. that was two more things...

    All the tracking you need can be done by yourself, without cookies, has no-one heard of server logs?

    ...unless of course your business relies on targeted advertising, as noted above, the ICOs doesn't.

  32. stubert
    Devil

    Mmm cookies nom nom nom

    You can't really track time taken on a page, bounce rate etc. without session detection as in order to pull those stats together you need to be able to associate one page request with another as part of a single user journey. You can detect general page flow using the http referrer and the current url to build general stats as to the direction of travel and from where it came.

    With a session cookie (the sort you use to remember that a user is logged in by associating the browser with a server side data structure), you can do everything you can do normally but behind the scenes using a server as a relay between an analytics service and the end user. You could do so without cookies using the session id through the url method as metioned by Steven Roper above.

    Cookies are not the problem it is the usage of the data gathered and that isn't remedied by this law simply because there are other ways to do it. If you wanted to store something on a user's machine there is localStorage and many other new data mechanisms. If you want to track a user and sell their data you can use other mechanisms that do not require anything to be stored on the users machine.

    Cookies seem to me to be the fall guy for a deeper problems and that is being cavalier with data collected about your users. If you wanted to provide targeted ad space you can do so without providing ad companies any data about your users you simply tell the ad company what type of ads to serve and keep the to whom bit private. It is undeniably easier to just insert a couple of lines of third party code into your page though...

  33. Anonymous Coward
    Unhappy

    We use Analytics + No targetted advertising

    I don't understand why some people on here find it difficult to understand why a lot of websites and web masters use Google analytics.

    You say you can just look at your log files? Seriously? Do you really think I have the time to go crawling through log files everytime my CEO wants a report on the latest onsite activity? Sure I could feed the logs through some log processing package, but why when I can just link up analytics, and the CEO can look at stats until his little heart is content.

    GA is easy, it gives loads of stats (more than just number of visits/page impressions) and it is all really valuable.

    We don't sell advertising space on our site, or have any interest in 3rd party advertising. We do have an interest in improving our site, and identifying where users may be having issues.

    It seems to me that this law causes a lot of problems for legitimate businesses and websites.

This topic is closed for new posts.

Other stories you might like