Cookie law: the gnarly truth


To act in accordance with new EU legislation, websites must now gain consent for the use of cookies. Mark Steven, head of client services at CIVIC, looks at the new law and explains what to do to bring your site in line

The law requiring websites to gain explicit consent before storing cookies on users’ computers was passed in May 2011 but the ICO granted firms a year to comply before prosecuting any cases.

Put simply, the law requires you to gain consent before you start dropping cookies on your users' devices. There are one or two exemptions but they're quite narrow, so don't go thinking you're off the hook.

Apart from the odd lonely voice, reactions from the industry have been entirely negative. Many see the law as fundamentally flawed, some hold out hope for a U-turn on the legislation and others vainly hope for a universal solution from browser vendors.

The bad news is that it's really happening: there will be no U-turn, there are no silver bullets and yes, unless you can avoid 'non-essential' cookies altogether, it's going to affect your website.

Why legislate?

But the law isn't altogether wrong-headed. In fact, while it poses some compliance headaches it's not a bad thing.

Big providers of web services such as Facebook and Google liberally use cookies to make their services work, track user behaviour, sell us things and personalise our browsing experience. They keep telling us that data is anonymised, that they only have our best interests at heart, and that they exist to make the world a better place.

Even if we believe them, the fact is that data, once it is brought into existence, has a creepy way of getting about, being repurposed for commercial gain, or otherwise misused. Google, with its control over Adwords, Analytics, Gmail and a host of other services, has the means to track much of our activity online – not that it chooses to exercise that power, and laws exist to discourage it from doing so.

The legislation was brought in to begin to inhibit the reach of corporate interests into private lives. By and large that's to be applauded.

The gnarly truth

The self-regulatory, industry-wide model favoured by the Digital Advertising Alliance and the Internet Advertising Bureau allows users to opt out of cookies set by behavioural advertising firms. The trouble is, it's nonsense.

It's opt-out, not opt-in. The law couldn't be more explicit on this point. It doesn't help webmasters who remain responsible for all the cookies distributed via their websites. And it's fragile: clear your cookies and your advertising preferences are lost.

So if you're cursed with the nagging feeling that you must abide by the laws of the land, you can't sit back and hope the DAA have got your back. There are a few steps you'll need to go through to bring your website into line:

  1. Audit your cookies and present clear (plain English!) information about them on your privacy policy.
  2. Include a mechanism for obtaining consent, before any cookies are stored (with one or two exceptions for things like load balancers and shopping carts).
  3. Make any technical changes to cookie-storing scripts in order to test for consent before a cookie is stored.

Cookie hell

While most websites will be able to comply with a few simple tweaks to their code and the application of a consent solution, some third party apps will be badly affected.

Google Analytics is estimated to run on 90 per cent of websites. As an entirely cookie-based analytics solution, it is not compliant with the legislation unless website users give explicit consent. When the ICO tested this on their own site, only 10 per cent of users actually opted into the service.

Websites dependent on sales from advertising will be even harder hit. At the moment scripts from some ad networks deposit cookies in order to personalise ads on websites that users visit later. It's difficult to see how this functionality will survive when explicit consent is required in order to make it work.

Consent solutions

The ICO famously implemented an ugly banner consent solution on their site. Others are worse still. The prospect of a slightly more grim user experience for the next few years is now very real – with every other site sporting a different consent solution.

At CIVIC we've been collaborating with partners in government to create Cookie Control – a free, cross-platform jQuery solution. The aim for us has been to make something as unobtrusive as possible, while providing whatever level of compliance you need.

Three degrees

For strict legal compliance, you really mustn't drop any non-essential cookies, including those used for analytics. But the ICO has said that it's looking for some positive steps and I think we can expect the agency to be helpful rather than adversarial in the first few months of enforcement. So choose a level of compliance that you can manage to get your head round now, with a view to doing more when you can:

  1. Baby Steps: Do a cookie audit and update your privacy policy with friendly information about your cookies.
  2. The fifty per cent: Adopt clear iconography like the Cookie marque developed for Cookie Control, advising that cookies are used on your site and linking to your privacy policy.
  3. Compliance freak: Do all the above and tweak your scripts so non-essential cookies aren't dropped without testing for explicit consent from Cookie Control.
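The three-step procedure above (audit, consent mechanism, script changes) and the "Compliance freak" level both come down to the same piece of client-side logic: record consent in a first-party cookie, refuse to run any non-essential cookie-dropping script until that cookie says "granted", and be able to audit what is already set. The following is an added example written for this article, not Cookie Control's code or anything from CIVIC. It assumes a consent cookie called cookie_consent and an essential-cookie list (PHPSESSID, cart_id, lb_affinity) that are purely illustrative; substitute your own audit results.

```javascript
// Added example: a minimal consent gate for non-essential cookies.
// Not Cookie Control's code. The cookie name below and the essential-cookie
// list are assumptions for illustration only.

const CONSENT_COOKIE = 'cookie_consent'; // hypothetical first-party consent cookie

// Cookies the article treats as exempt: session/login, shopping cart,
// load-balancer affinity. Names here are assumed examples.
const ESSENTIAL_COOKIES = new Set(['PHPSESSID', 'cart_id', 'lb_affinity']);

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Explicit opt-in: only the literal value "granted" counts. Absence,
// "denied" or anything else means no consent.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'granted';
}

// Audit step: return the names of non-essential cookies that are present
// without consent having been granted. An empty array means nothing was
// dropped ahead of consent.
function auditCookies(cookieString) {
  const cookies = parseCookies(cookieString);
  const consent = cookies[CONSENT_COOKIE] === 'granted';
  const findings = [];
  for (const name of Object.keys(cookies)) {
    if (name === CONSENT_COOKIE || ESSENTIAL_COOKIES.has(name)) continue;
    if (!consent) findings.push(name);
  }
  return findings;
}

// Gate: run `loader` (e.g. the function that injects the analytics script)
// only when consent has been granted. Returns true if the loader ran.
function loadIfConsented(cookieString, loader) {
  if (!hasConsent(cookieString)) return false;
  loader();
  return true;
}

// Build the cookie string that records the user's choice. Returned rather
// than assigned so the caller (and a test) can inspect it; in the browser
// you would do `document.cookie = consentCookie(true)`.
function consentCookie(granted, maxAgeDays = 365) {
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return CONSENT_COOKIE + '=' + (granted ? 'granted' : 'denied') +
    '; Max-Age=' + maxAge + '; Path=/';
}

if (typeof document !== 'undefined') {
  // Browser usage: wrap the tracking script's injection in the gate so no
  // analytics cookie is dropped before the user has opted in.
  loadIfConsented(document.cookie, function loadAnalytics() {
    const s = document.createElement('script');
    s.src = 'https://www.google-analytics.com/ga.js';
    document.head.appendChild(s);
  });
}
```

Wire the consent button in your banner to `document.cookie = consentCookie(true)` followed by a call to `loadIfConsented`, and run `auditCookies(document.cookie)` from the console on a fresh profile to confirm the first page load sets nothing outside the essential list. A denied or absent consent cookie must leave the tracking script unloaded; the gate deliberately treats anything other than "granted" as no consent.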

The future

The only really decent solution for managing cookies and complying with the legislation is via the browser. Arguably the legislation would have been a whole lot better if it had placed a duty on browser vendors to implement site-level cookie management while forcing corporate networks with older browsers to upgrade. Such an approach would have ensured that web masters didn't have to deal with the issue and compromise their user-experience in order to comply. And it would have had the pleasant side effect of killing off Internet Explorer versions 6, 7 and 8.

If you can't wait for this day to dawn, won't compromise on user experience and want to stay on the right side of the law you have only one option; build your sites without using non-essential cookies. Ditch Google Analytics and most of the ad networks, and find other ways of doing the same old thing.

12 comments

Comment: 1

I like the cookie control prompt, but is this OK as users without JavaScript will not get it?

Comment: 2

And just as the IE6 ball-ache was beginning to fade... :)

Comment: 3

@ Nosbod: We figured that in most cases you don't need to worry about users with JS disabled:

That's because typically non-essential cookies are dropped using JavaScript - Google Analytics for example. When you disable JavaScript, you disable these cookies.

Your application may still be setting some cookies but typically these fall into the exempted category: load balancers, shopping cart cookies etc, so you don't need to worry about those so much (though you still need to explain them clearly in your privacy policy).

Obviously there may still be some exceptions but I wasn't keen on developing something that works on every server-side environment, as well as supporting all the major browsers.

Comment: 4

Does it apply only to commercial entities or to everyone? For example if I have a personal blog does it apply?

Comment: 5

One law for everyone I'm afraid.

The ICO isn't exactly equipped with armies of enforcement agents though, so I wouldn't panic too much. I imagine it will be the major offenders / profiteers who will attract scrutiny.

In your shoes I'd just go for "Baby Steps" or the "Fifty percent".

To keep your site clutter free you could implement Cookie Control without having the interface pop up. That's kind of in line with the "fifty percent" approach.

Comment: 6

Hi Mark,

Really nicely done, simple and to the point.

Even though people may think waiting is an option, it is still vital to show the ICO you are doing something, such as an audit.

There is a great 2.5-minute video by @silktide that can help most people get the picture with a little humour thrown in:

http://www.youtube.com/watch?v=arWJA0jVPAc

Comment: 7

Hi Mark,

There are several reasons this is a massive waste of time:

1. The Internet is an international medium. This means two things: firstly, that any UK-based sites are at a disadvantage in trading on an international level. Secondly, it means that websites owned, managed and hosted in other countries are at a usability, advertising and reporting advantage over UK domestic websites.

2. Assuming everyone is OK with losing advertising revenue, visibility on their web statistics and competing on an international playing field with their hands tied behind their backs, I think it will be incredibly difficult to enforce. Is the ICO currently recruiting an army of people to go through all UK websites and make sure that they are annoying the user enough on every site they visit?

3. The legislation is going to have to be adopted by internationally developed Open Source software such as Wordpress. Are they going to bother? The UK is a very small place in the wider scope of the Internet. I'll have to find the plugin where you have if UK == true > .pointlesslyBotherUser

I think this is a particular challenge for hobby users.

4. Once everyone gets totally sick of accepting cookies on every website they visit, someone will end up creating a browser plugin to 'accept the damn cookie and leave me alone' - resulting in the internet as we know it today, but with some extra pointless bandwidth being dedicated to some jQuery pop-up being automatically accepted by the browser.

5. Are the big boys going to step in? Surely Google or Facebook are going to point out that what they are trying to achieve is ultimately worthwhile, but fundamentally flawed. I think if Google is going to lose a few berzillion ad impressions, and a huge amount of browsing data from Analytics, then they might bring the fight to the ICO and point out how stupid they're being? Or are they going to come up with some new 'biscuit' to circumnavigate the issue and buy themselves another 20 years of peace before bureaucratic nonsense comes to bother them again?

You're absolutely right about putting the responsibility on the browsers. Surely the ICO would rather regulate 9 or so browsers rather than millions upon millions of websites at the cost of the entire industry.

Surely it's our responsibility to take some of these points to the ICO and tell them what-for? Since they're wading into something without thinking about it, surely it's our responsibility as an industry to stand up and tell them how to achieve their goals without making the internet a horrible place to be?

Comment: 8

Hi @peterrichman,

Couldn't agree more that this has the potential to make a mess of the internet! But there's stuff that everyone can do to reduce the impact of this. To take your points one at a time:

1) Cookie Control has geo-awareness built in. When you configure Cookie Control you decide which countries you want to apply the consent solution for. You can do this at a granular level, e.g. "UK, Germany, France" or at a broader level, e.g. "Europe". You don't need to bother non-UK users with all the cookie compliance boll**ks.

2) In most cases you should still be able to earn revenue from clicks and impressions. Behavioural advertising is what's really under threat. Worth noting that Google and Mozilla have agreed to build an opt-out button directly into the browser. But that still won't represent a universal and therefore legally compliant solution.

With web stats what you really lose is metrics around return visitors. This is valuable data for commerce driven websites but not a major issue for anyone else. You should be able to go and make use of a Cookie-less solution like Piwik. I'm still betting (hoping) that Google will do something helpful with Google Analytics to make it work in cookie-less mode before May.

Also worth noting that some major government departments are ready to push their luck on analytics. So if you're not too risk averse, you might try the "fifty percent" approach mentioned above, for Analytics at least.

3) There's no need for software vendors like WordPress to worry about it. There are plenty of post-delivery solutions around (like Cookie Control) that can be configured and pasted into a site footer. Cookies used by things like Wordpress will invariably be for things like user logins - exempt under the legislation as they're essential for core site functionality.

4) That would actually be good :0... But it'll be worse than that... as there will be a diverse set of solutions in play, any "meta-solution" will struggle to implement a kind of global off switch for annoying compliance pop-ups. That said, I've been chatting to other developers of compliance solutions. We're thinking about getting together to hammer out some common values. Perhaps if we adopted a degree of technical uniformity this kind of thing would become possible.

5) Google has been lobbying the ICO for some time. Advertisers like Google have responded with their own (and I'd stress, non-compliant) opt out solution.

Let's not give the ICO too hard a time. This is a European Directive that every nation in the EU is expected to implement. The ICO have stressed that they want to see steps in the right direction, rather than strict compliance immediately.

In terms of taking the argument to the ICO, it's a difficult point to campaign on: can you really stand up and cry foul when effectively you're defending advertisers who make millions by accessing data about citizens without their permission? And of course, it's not really up to the ICO. You'd be better off writing to your MEP.

Comment: 10

As an industry we have seen these kind of regulations before and they get cast aside with great ease.
There is no internet police force because it would be like policing a nation of billions.

This is no different to the laws on enforcing triple-A sites or, more relevantly, the use of JavaScript.

There is nowhere for this argument or regulation to go except for browser side. The fact that it wasn't pushed there first is appalling. If you want to control the behavior of a website you do it with the viewing device not the site itself.

Think about your TV. If your favourite show comes in looking too orange, do you ring the network and tell them they're streaming in a colour tone that doesn't quite suit your taste? No, you grab the remote and change the saturation.

The browser is where this needs to happen purely by numbers: fewer browsers than sites/pages.

Comment: 11

Hi,

Useful article. However, I was wondering how this affects both parties of affiliate marketing, i.e. if my website has an affiliate link to Amazon books, or if my website offers an affiliate scheme. Do either of these infringe the new law?

Thanks!

Comment: 12

@SamSchofield

Most affiliate schemes don't actually use cookies. They're just monitored via HTTP requests. So you may not need to worry. If you have affiliate code on your site, check for cookies to see what, if anything, is being dropped.

Cookies really shouldn't be necessary for affiliate click-through campaigns. In terms of advertising cookies are really only necessary for online behavioural advertising.