Andrew's Blog

Random Thoughts of an ASP.Net Code Monkey

Cookies Law: Ah the Irony!

May 23, 2011 08:30 by Andrew Westgarth

Update 26th May 2011: This just keeps getting better and better. The ICO have now issued guidance to say they realise there are going to be technical issues implementing this new legislation, therefore they are granting businesses a one year reprieve to come up with and test solutions to get everything in order. This seems to be a bit of a case of closing the barn door after the horse has bolted! For more information, the ICO have released additional guidance and the BBC have also commented on the issue.

On Thursday 26th May 2011, the Privacy and Electronic Communications Regulations are changing in the UK as a result of the revisions made to the European Directive. The changes cover a number of issues, but the one I’ve been focussing on recently is the change in the regulations on how cookies are used on websites. From what I can see, these changes are going to cause issues not only for companies and developers but, more importantly, more inconvenience for users!

So what’s changing, I hear you ask? Up until now the regulations required that websites which used cookies for storing information informed users how the website used cookies, advised how they could opt out if they wished, and gave instructions on how to do so using browser settings.

In their infinite wisdom the European Union, and consequently the UK, have decided to change this and require that websites provide full information about how cookies (including Flash Cookies and Isolated Storage) are being used and ask users to opt in to the use of cookies. The only exceptions to this rule would be where a cookie is “strictly necessary” for the function of a site, e.g. maintaining a shopping basket. An example of cookies which need to be declared, and which are in common use on many websites around the globe, are those created through the use of the Google Analytics service.

How Can a Website Comply?

In the UK the Information Commissioner’s Office, in their guidance document, have advised website owners that they should look at this in three stages:

  1. Review and make a list of all cookies and similar technologies (Flash Cookies; Settings in isolated storage) being used on your website and how they’re used;
  2. For each one identified determine how intrusive it is;
  3. Determine a method of obtaining consent for each one, which will provide the best experience for users of your website and which will fulfil your requirements. Then put together a plan to implement this.

It is no longer sufficient to use browser settings to indicate whether or not users wish to allow the use of cookies, due to the lack of sophisticated control of cookies, the levels of variation between browser versions and the fact that browsers are not the only way in which users access websites.

Solutions and Irony

I’ve been looking at possible technical solutions to this issue and still can’t find one which I like and believe will serve all interested parties well. All of the possible technical solutions have advantages and disadvantages. One option I’ve been considering is popup windows or splash screens, but these are often blocked by browser settings, can cause immense confusion and are often inaccessible to users. Another is requiring the acceptance of terms and conditions which detail the required use of cookies, but this is again unworkable as users would have to have accounts with which to access your website. How can you handle anonymous users?

The irony of all of these changes is that the likely technical solution is to ask for permission to write a cookie to indicate whether or not the user is happy with cookies being used. However, if a user does not allow cookies, the cookie can’t be written, so what do you do then? Deny users access to your website? Prompt them on each request from your website? If you choose to disable the cookie(s), for example the Google Analytics tracking cookies, do you turn them off on an individual page basis, or do you disable them on a session basis?
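The consent-cookie approach described above, combined with the cookie inventory from the ICO's three stages, can be sketched as follows. This is an added example, not code from the original post or from the ICO; the `cookie_consent` name, its values and the inventory entries are assumptions, and treating the consent cookie itself as permitted is a design assumption the post does not settle.

```javascript
// Added example: CONSENT_COOKIE and the inventory entries are assumptions.
const CONSENT_COOKIE = "cookie_consent";

// Stages 1 and 2 of the review: each cookie listed with its purpose and
// whether the site works without it.
const INVENTORY = [
  { name: "basket", purpose: "shopping basket", strictlyNecessary: true },
  { name: "__utma", purpose: "Google Analytics visitor id", strictlyNecessary: false },
  { name: "__utmz", purpose: "Google Analytics traffic source", strictlyNecessary: false },
];

// Parse a request's Cookie header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq > 0) jar.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return jar;
}

// Opt-in model: only an explicit "granted" counts as consent.
function consentDecision(header) {
  const value = parseCookieHeader(header).get(CONSENT_COOKIE);
  if (value === "granted") return { consent: true, prompt: false };
  if (value === "refused") return { consent: false, prompt: false };
  // No readable decision: first visit, cookies blocked in the browser, or an
  // unrecognised value. Nothing can be remembered, so the prompt repeats.
  return { consent: false, prompt: true };
}

// Stage 3: from the cookies a response wants to set, keep only those allowed.
// Cookies missing from the inventory fail closed.
function cookiesToSet(header, wanted) {
  const { consent } = consentDecision(header);
  return wanted.filter((name) => {
    const entry = INVENTORY.find((c) => c.name === name);
    return entry !== undefined && (entry.strictlyNecessary || consent);
  });
}

// Constructed sample requests: a cookie-blocking visitor and one who opted in.
console.log(cookiesToSet("", ["basket", "__utma"]));
console.log(cookiesToSet("cookie_consent=granted", ["basket", "__utma"]));
```

A visitor whose browser blocks all cookies always lands in the `prompt: true` branch, which is exactly the repeated-prompt problem the post describes.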

Comments

Apparently there were consultations with members of our industry on these changes and discussions on how they will work.  I can’t believe that these regulations have been passed in their current state, they are extremely unworkable and pose so many issues for maintaining a workable, compliant and usable web. 

The intention behind these changes is good, in that the EU is aiming to protect users’ privacy and enable users to make informed decisions about what data is released and able to be used by third parties. However, by asking users for permission to use cookies each time they try to access something on a website, after they have said they don’t want to allow the use of cookies, users will start accepting the use of cookies just so they can use the web. Also, as users won’t always access websites through the homepage, site owners will need to implement solutions which cater for every possible entrance to the site.

The most common instance of websites writing cookies is for the use of analytics services, e.g. Google Analytics. So far Google haven’t commented on whether they are changing their service to not need cookies, nor have they provided any guidance for website owners on how the service can be used if users deny cookies. So are site owners going to stop using the very, very popular service in order to improve the usability of their site but also lose the benefit of analytics, which ultimately are used to improve user experience? I wait with bated breath to see how major websites (Amazon, Play, Google) tackle this issue from Thursday in a way which won’t lose them users.

I think the major losers in all of this are going to be the users, whom these changes are attempting to protect. Ah, there’s the irony again! By creating differences in how websites comply, users will be left confused, harassed and frustrated when all they want to do is use a website to do something which they’ve been able to do for years, be that buy a book, find information or post an update to their timeline.

What’s Your Opinion?

I’d be really interested to hear other people’s take on this.  How do you interpret the changes?  How would you implement the technical requirements?  Do you think it’s workable?  I look forward to an interesting discussion on this issue and seeing the many responses to this on a website near you!

Other Posts on This Issue

Craig Hawker has put down his thoughts on this issue in the form of an excellent blog post, which I recommend reading for additional commentary - The “EU Cookie Directive” (2009/136/EC) and you.

Comments (10) -

Terry Brown

Hey Andrew,

Very interesting post.  I wonder just how rigorously this will be adhered to by companies.

I know a lot of sites require cookies post login - I wonder whether this compliance could be achieved by simply updating T&Cs and getting folks to re-agree to them?  If not, they don't use your services?

It's not ideal, though in my market (online gambling), this sort of thing can happen from time to time so it's not jarring with what the users expect.

Terry Brown | May 23 2011 08:50

Andrew Westgarth

I'm really not sure how much it's going to be complied with.  Certainly initially I don't expect to see much change, the ICO advise on putting together a plan and rolling out the changes.  From what I've read they don't expect website owners to have this lot in place from Day One as long as the owners are aware of the issue and have a plan in place.

I just can't see it working and am really interested to see how the big boys and girls comply.

Andrew Westgarth | May 23 2011 09:29

shawty

Just read Craig Hawker's post and this one, some good points but I have to say I think it's just another ill-conceived knee-jerk reaction to make it look like they do something useful.

I've seen this so many times in the I.T. industry, in the Comms industry and in the Financial sector and it's the same every time. A group of so-called people's champions get together behind closed doors, come up with a half-baked scheme that will cause more trouble than it's designed to prevent, then launch it on said industry with little or no warning or guidelines.

Don't get me wrong, I applaud the idea behind what the intention is, but seriously how many users are going to regularly check their stored cookies to see what's been saved? I'm willing to bet not many, in fact so much so I'm willing to bet that most sites can continue to operate as they are at present with very few people actually grumbling at them about anything to do with this use.

In fact here's an insight into the complaints I think the ICO will continue to receive:

"I'm sick of all the advertising this website is pushing at me, it's recording what I spend and pushing more advertising spam at me... please make it stop."

For a normal site, that uses them simply and responsibly, their use will likely never get questioned.

shawty | May 23 2011 22:39

Andrew Westgarth

@Shawty I think you missed the point: by informing users straight up and requesting opt in, the ICO and EU are making users aware of what is stored/created because, as you point out, most users don't interrogate what is being stored on their machine by sites, as most are ignorant that they even do.

I agree with making it more obvious to users, however I think that this ruling is unworkable.

Andrew Westgarth | May 24 2011 09:34

David Kemp

I cannot believe that guidance document:

"not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device."

On my mobile device, the application that I use to look at websites is a browser. In fact, any program that renders HTML and communicates via HTTP is considered to be a browser - no matter what device they're on. Sure, there's WAP/WML, but nobody actually uses that do they?

I'm all for sensible laws around the internet, but surely all the money this is going to cost to enact and enforce would be better spent doing something useful, like upgrading the infrastructure in the UK.

David Kemp | May 24 2011 10:16

Bob

What will happen to small-time bloggers with Adsense and Sitemeter? There are millions of them.

Bob | May 25 2011 16:19

Phil Pursglove

How broadly are they likely to interpret this 'strictly necessary' business? Our main app is, effectively, multi-tenanted, we use a cookie to determine which tenant you're working on at any one time. Changing this would mean a large amount of rewriting for us :-(

Phil Pursglove | May 26 2011 11:38

Andrew Westgarth

Good point Phil, this is where the lack of firm details in the regulations is going to cause issues.  I'm sure you could argue strongly that the cookies are strictly necessary for the function of your application but who ultimately makes the decision?  You should be empowered to make the decision but what's to stop the Government deciding otherwise if they receive a complaint.

However as far as your user is concerned if they disable cookies the application won't work....

Andrew Westgarth | May 26 2011 11:44

Andrew Westgarth

Bob, very true, in fact I fit into that small category too, so it's a major headache for me too.

Andrew Westgarth | May 26 2011 11:45

WolfSoftware

We have already released a jQuery plugin to resolve this issue for Google Analytics

http://cookies.dev.wolf-software.com

We have put together a small site for people to be able to see how long they have left before the new law will start to be enforced.

http://countdown.wolf-software.com

We are also working on a new plugin which will handle cookies of any kind

WolfSoftware | October 2 2011 12:40

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2014