Update 26th May 2011: This just keeps getting better and better. The ICO have now issues guidance to say they realise there are going to be technical issues implementing this new legislation, therefore they are granting businesses a one year reprieve to come up with and test solutions to get everything in order. This seems to be a bit of a case of closing the barn door after the horse has bolted! For more information the ICO have released additional guidance and the BBC have also commented on the issue.
On Thursday 26th May 2011, the Privacy and Electronic Communications Regulations are changing in the UK as a result of the revisions made to the European Directive. The changes cover of a number of issues but the issue I’ve been focussing on recently is that of the changes in regulations to how cookies are used on websites. However these changes from what I can see are going to cause not only companies and developers issues, but more importantly will cause more inconvenience for users!
So what’s changing I hear you ask, well up until now the regulations required that websites which used cookies for storing information, informed users how the website used cookies and advised how they could opt out if they wished and gave instructions on how to do so using browser settings.
How Can a Website Comply?
In the UK the information Commissioner’s Office, in their guidance document have advised website owners that they should look at this in three stages:
- Review and make a list of all cookies and similar technologies (Flash Cookies; Settings in isolated storage) being used on your website and how they’re used;
- For each one identified determine how intrusive it is;
- Determine a method of obtaining consent for each one, which will provide the best experience for users of your website and which will fulfil your requirements. Then put together a plan to implement this.
Solutions and Irony
The irony of all of these changes is that the likely technical solution is to ask for permission to write a cookie to indicate whether or not the user is happy with cookies being used. However if a user does not allow cookies, the cookie can’t be written so what do you do then? Deny users access to your website? Prompt them on each request from your website? If you chose to disable the cookie(s), for example the Google Analytics tracking cookies, do you turn them off on an individual page basis, or do you disable them on a session basis?
Apparently there were consultations with members of our industry on these changes and discussions on how they will work. I can’t believe that these regulations have been passed in their current state, they are extremely unworkable and pose so many issues for maintaining a workable, compliant and usable web.
The most common instance of where websites write cookies are for the use of analytics services, i.e. Google Analytics. So far Google haven’t commented on whether they are changing their service to not need cookies, nor have they provided any guidance for website owners on how the service can be used if user’s deny cookies. So are site owners going to stop using the very, very popular service in order to improve the usability of their site but also lose the benefit of analytics – which ultimately are used to improve user experience? I wait with baited breath to see how major websites – Amazon, Play, Google; tackle this issue from Thursday in a way which won’t lose them users.
I think the major losers in all of this, are going to be the users, which these changes are attempting to protect – ah there’s the irony again! By creating differences in how websites comply, users will be left confused, harassed and frustrated when all they want to do is use a website to do something which they’ve been able to do for years be that buy a book, find information or post an update to their timeline.
What’s Your Opinion?
I’d be really interested to hear other people’s take on this. How do you interpret the changes? How would you implement the technical requirements? Do you think it’s workable? I look forward to an interesting discussion on this issue and seeing the many responses to this on a website near you!
Other Posts on This Issue
Craig Hawker has put down his thoughts on this issue in the form of an excellent blog post, which I recommend reading for additional commentary - The “EU Cookie Directive” (2009/136/EC) and you.