How-to: Understand the UK Cookie Law Part One

We’ve been following a discussion thread begun by podcaster Tony Whitmore (http://tonywhitmore.co.uk/) on the UK legislation covering the use of software cookies (sadly the baked goods are already subject to regulation and taxes).

All cookies are covered by the legislation. Regulation 6 requires that the user is given clear and comprehensive information about all cookies used, and that the user has given consent for each one.

Implied consent may be sufficient; the ICO’s guidance is not exactly clear. But with legislation this broad, achieving clarity is quite difficult. At least the ICO itself has a large cookie notification and consent box on its site.

It seems likely that a lot of software will be setting up cookies by default and many users will not be aware this is happening. Over to Tony…

I’ve seen the news articles about the new laws concerning cookies. From what I can tell from the ICO (Information Commissioner’s Office) website, there is no exemption from this law for personal or non-profit making websites.

A brief check of my personal website shows 7 cookies are being set as a result of using WordPress and Google Analytics. Accordingly it seems I should be advising users of these cookies, giving them a chance to consent and change their mind.

So, has everyone else done this?

[ Err, no. ]

Well, I choose to use WordPress and Google Analytics and it seems that their default behaviour is to use cookies. I could of course use static HTML pages and log analysis and not create any cookies for users, but would lose a lot of functionality!

I don’t think that WordPress’ cookies are particularly intrusive; they are used to detect if someone has logged into a session – which no-one other than me does on my sites. Google Analytics is more intrusive as it tracks more detailed web use and reports it to Google.

But WordPress.org says “there are cookies for logged in users and for commenters”, so it should be OK for a site where the average user just views the pages. One could try arguing that a user who interacts with a site by logging in or adding a comment should expect cookies to be involved.

Some further testing has shown that all the cookies that weren’t being set by Analytics were being set by WordPress plug-ins rather than WordPress itself. Anti-spam plug-ins and “share me” buttons seemed to generate them. WordPress itself only set any cookies after logging in.

I’ve browsed a few pages on the site, but still can’t be sure I’ve “caught” them all. It shows how much hard work it’s going to be to generate and maintain a listing of cookies used on the site…

Here’s the list of cookies I’ve found on my site: http://tonywhitmore.co.uk/blog/privacy/. As I mentioned, I can’t be 100% sure I’ve got them all though!
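As an added illustration of the cookie listing Tony describes (example code written for this post, not Tony’s, WordPress’s or Google’s own), the Python below parses Set-Cookie headers captured while browsing a site and labels each cookie as first- or third-party and as session or persistent. The host names and cookie names in the sample are constructed.

```python
"""Cookie inventory helper: added example, not code from the original post.
Builds the listing the post says is hard to keep by hand from the Set-Cookie
headers a browser receives: name, owning domain, first- or third-party, and
whether the cookie outlives the session. All hosts and names are constructed."""
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlsplit

SITE_HOST = "example.org"  # the site whose cookie listing is being built
# Constructed (response URL, Set-Cookie header) pairs: the blog's own test
# cookie, an anti-spam plug-in cookie, and a third-party analytics tracker.
SAMPLE_RESPONSES = [
    ("https://example.org/blog/", "wp_test_cookie=check; path=/"),
    ("https://example.org/blog/",
     "antispam_token=abc123; domain=.example.org; path=/; HttpOnly"),
    ("https://stats.analytics-example.net/collect",
     "visitor_id=1.2.3.4; domain=.analytics-example.net; "
     "expires=Wed, 01 Jan 2014 00:00:00 GMT; path=/; Secure"),
]

def classify_cookie(site_host, response_url, set_cookie_header):
    """Describe the first cookie in one Set-Cookie header; None if none parses."""
    jar = SimpleCookie()
    try:
        jar.load(set_cookie_header)
    except CookieError:  # illegal name or attribute: nothing to record
        return None
    if not jar:
        return None
    name, morsel = next(iter(jar.items()))
    # With no Domain attribute the cookie belongs to the responding host.
    domain = (morsel["domain"] or urlsplit(response_url).hostname).lstrip(".")
    first_party = site_host == domain or site_host.endswith("." + domain)
    return {
        "name": name,
        "domain": domain,
        "first_party": first_party,
        "persistent": bool(morsel["expires"] or morsel["max-age"]),
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }

def inventory(site_host, responses):
    """Classify every observed header, dropping the ones that do not parse."""
    rows = (classify_cookie(site_host, url, hdr) for url, hdr in responses)
    return [row for row in rows if row is not None]

def third_party_names(site_host, responses):
    """Names of cookies set for domains other than the site itself."""
    return sorted(r["name"] for r in inventory(site_host, responses)
                  if not r["first_party"])
```

Feeding it the headers from a real browsing session (for instance exported from the browser’s developer tools) gives a first draft of a privacy-page listing; the third-party entries are the ones Brad’s comment below singles out as the real concern.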

Clear as Mud
To quote the ICO guidance:

“At present, most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie. For consent to be clearly signified by the browser settings it would need to be clear that subscribers had been prompted to consider their current browser settings and, had either indicated in some way they were happy with the default, or have made the decision to change the settings.

Browser settings are part of the solution and you will increasingly be able to rely on these as part of the mechanism for satisfying yourself that you have a user’s consent to set cookies. [but] for now, you will need to work on implementing another solution.”

You need to explicitly tell users what cookies you set and what they are used for, and allow them to opt out of having them set. I’ve seen a number of companies and organisations changing their websites to reflect these requirements too. Relying on users to exercise their intellect is not enough, it seems…

Brad chips in:
“Many sites will [work without them]. It can be a painful experience though. Having to enter your name and address *every* time you order something from a supplier is just one example.

Site cookies aren’t really the issue though, it’s third party cookies. That is, the ones that track your movements across the web. They’re used to target you for certain things. Advertising is the most common.”

Tim B uncovered this from the guidance notes:
“In a domestic context there will usually be a subscriber (the person in the household paying the bill) and potentially several other users. If a user complained that a website they visited was setting cookies without their consent the website could demonstrate they had complied with the Regulations if they could show that consent had previously been obtained from the subscriber.”

So this means that we have to hold records about who has accepted, in a way that can be corroborated with the user’s first visit to the site, and which should be sufficiently independent to be admissible in a court of law.

Incidentally, the guidance also makes reference to the 2003 law, requiring, amongst other things, that sites say whether they make use of cookies, which ones they are and what they do. Now, I’m not aware that any sites have been publicising what they’re storing on your PC (excluding a site name and brief description in the cookie itself, if you’re lucky), and I’m not aware of any action taken (or any resultant panic thereof). So if we assume that the 2003 law was successful only in keeping people employed, and didn’t change the content of the web, I see little reason to think that this revision will be any different.

Net Neutrality
The Net Neutrality lobby gives the new regulation a thorough drubbing, for example, in the comments on the Techcrunch story:

“On Saturday, May 26, the UK implements the first phase of the law, so website owners are scrambling to ensure they are in compliance (assuming they even know about it). As we’ve said before, we think it’s dumb and will make it much harder on European startups.”

“The entire focus on cookies is utterly insane. It’s also incredibly disingenuous and hypocritical for governments to pile on essentially useless cookie restrictions while simultaneously themselves genuinely subverting their citizens’ freedom of speech and privacy on the Internet, via pervasive and expanding surveillance, censorship, and government-mandated tracking and data retention regimes.” (Lauren Weinstein)

This all begs the question of whether this law is at all enforceable, or is just a sop to the privacy lobby, one in which another technically ignorant government thinks it can mandate a technical solution to a problem that is beyond its control.

Next time we’ll look at some of the measures you can take against cookies. AJS

Links

Image Credit: originally posted to Flickr as Free Macro Chewy Cocolate Chip Cookies Creative Commons by D. Sharon Pruitt
