We salute the premise of the law, in that it is about protecting privacy, which has sadly been abused by a tiny minority. Unfortunately the law that is being implemented, and the way it is being implemented, is – in our personal view – being done badly.
There are several things that cookies do, but broadly they fall into these rough categories (technically there are four, but they’re very boring and technical categories). Note: these are generalisations for simplicity.
If you log into a site then it needs to remember you are logged in and match you up with your account. Most session cookies tend to expire, eg. when trying to book a ticket, if you don’t do it within a particular time you might get a ‘session timeout’ message.
Many sites remember little things, eg. your postcode to show you the weather on a news site, or a username and password (when you tick the box). This is commonplace functionality, aimed primarily at making your experience of a site better. Other examples include shopping baskets on websites, which need to recall what you’ve put in the basket for obvious reasons.
Google Analytics is probably one of the most well-known tracking systems, which helps a website owner to see what people look at. For the most part this is completely anonymous, eg. 1,000 people looked at the homepage, then 400 looked at the service page while only 50 looked at the about page.
A good analogy to this would be a shop owner looking at how people moved around the shop and then deciding to prioritise where they put certain products; both so it was easier for customers to find them and also to highlight important things to the customer. Tracking cookies help site owners ‘see’ what is happening.
Ok, we made that category name up. But essentially this is what the legislation is about: cookies which track far more than could be considered ‘necessary’ under data protection, especially when it gets personal. Eg. they might track every site you visit, your personal preferences, etc.
For the most part this is how advertising is personalised to you, though it is controversial whether that is helpful. Unfortunately we highly doubt that such ‘evil’ cookie providers will pay much attention to this legislation, and site providers that use their ads are unlikely to be aware of these cookies.
Ironically, remembering that you don’t want cookies from a site itself requires a cookie, though this comes under the ‘essential cookie’ category, which a website can set without getting ‘prior consent’.
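To make the ‘essential consent cookie’ point concrete, here is an added example (not code from this post or from freshSPRING) of how a site can record the visitor’s choice in one essential cookie and use it to gate every non-essential cookie. The cookie names, the category table and the attribute choices are assumptions for illustration; only the Google Analytics `_ga` name is a real cookie.

```javascript
// Added example: a consent cookie that gates non-essential cookies.
// Cookie names, categories and attributes below are constructed assumptions.
const CONSENT_COOKIE = "cookie_consent";       // assumed name of the essential consent cookie
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365;    // one year, in seconds

// Rough categories following the post. Essential and login-session cookies
// are strictly necessary for what the user asked for, so they never wait for consent.
const COOKIE_CATEGORY = {
  PHPSESSID: "session",        // assumed login session cookie
  cookie_consent: "essential", // the consent record itself
  postcode: "preference",      // assumed "remember my postcode" cookie
  _ga: "analytics",            // Google Analytics client id cookie
  ad_tracker: "tracking",      // constructed third-party advertising cookie
};

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Build the Set-Cookie header value that records the visitor's decision.
// SameSite=Lax and Secure limit cross-site leakage; HttpOnly is omitted only
// because a front-end banner script usually needs to read the choice.
function buildConsentCookie(choice) {
  if (choice !== "all" && choice !== "essential") {
    throw new Error("choice must be 'all' or 'essential'");
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Decide whether a named cookie may be set or read for this visitor.
// Unknown names are treated as tracking, the safest default for an audit.
function cookieAllowed(name, cookies) {
  const category = COOKIE_CATEGORY[name] || "tracking";
  if (category === "essential" || category === "session") return true;
  return cookies[CONSENT_COOKIE] === "all";
}

// Given the incoming Cookie header, list the known cookies that must stay
// blocked until the visitor opts in. Useful when auditing a site's cookie set.
function blockedCookies(header) {
  const cookies = parseCookieHeader(header);
  return Object.keys(COOKIE_CATEGORY).filter((n) => !cookieAllowed(n, cookies));
}

// Stand-alone demonstration of the two paths.
console.log("no consent yet:", blockedCookies("PHPSESSID=abc123"));
console.log("opted in:", blockedCookies("cookie_consent=all; PHPSESSID=abc123"));
console.log("header to send:", buildConsentCookie("essential"));
```

The design point is that the decision is made in one place (`cookieAllowed`) from one essential cookie, so the analytics and advertising snippets can simply ask before they run, rather than each page guessing. Treating unknown names as tracking means a newly added third-party script defaults to blocked until someone classifies it.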
A Motoring Analogy
Although the previous section should give an idea about why cookies are useful, it is a bit more difficult to explain how important they are. Hence this motoring analogy about why it matters that a user may not understand, and therefore not select, ‘allow cookies’.
Any motoring fan will know that in higher end cars you can ‘Turn off Traction Control’. If you didn’t know what ‘Traction Control’ was and had an option to turn it off (after all it has the word ‘control’ in it which must be bad) then you might well turn it off.
Unfortunately ‘Traction Control’ is all about helping you stay stuck to the ground and not slide around. Hence turning it off is only advisable for the more experienced driver, usually on a race circuit. The same is true for cookies: for most users they are really helpful and only worth turning off if you understand the implications.
UK Legal Guidance
Implemented by the Department for Culture, Media and Sport (DCMS) along with the Information Commissioner’s Office (ICO), the advice is – in our opinion – unclear and muddled. Certainly the conclusion seems correct in focus:
We remain firmly convinced that the UK implementation [of the EU Directive] is correct that it is good for business, good for consumers and addresses in a proportionate and pragmatic way the concerns of citizens with regard to their personal data online.
Unfortunately the letter that precedes this conclusion is non-specific about how to implement the legislation, what counts as compliance and even how to define the term ‘consent’, saying in one paragraph that it doesn’t have to be ‘prior’ and in the next that, from a legal perspective, consent is usually given beforehand.
Recent ‘clarifications’ have been more confusing in their lack of specificity, eg. who or what will get prosecuted and what would qualify for the maximum £500,000 non-compliance fine. Although it was good to read that tracking cookies like Google Analytics were low on the regulatory hit-list, it was clear this was still included as an issue.
Indeed clarification over BT’s implied consent is only expected this May, and when you have to comply with the law in the same month that’s cutting it fine. It is surprising then that they mention ‘11th hour’ implementation as not being acceptable when it’s unclear what will be acceptable to implement.
Why is this Cookie Law a problem?
Normally we don’t comment on web and print legislation, as broadly it tends to make sense: things like having contact details on websites in sensible places, company numbers, data protection laws, etc. However it seems that this law fails in two areas:
1. Users will be confused
It doesn’t seem that the implementation is clear for users; in fact the opposite. When you visit a site you are usually going there for a reason, eg. whatever is on that site, not to learn about cookies. Hence it’s likely that you’ll just click the ‘go away/ opt-out’ option and miss out on potential functionality.
2. Compliant small businesses and individuals will lose out
If you’re surfing a site with this ‘Allow Cookies’ option versus a site without it, then rather than bother to read all the detail about cookies or concern yourself with this ‘Allow’ thing you’ll just go with the site that looks more ‘normal’. Of course there are potentially ways of providing functionality without using cookies, but retooling how a function works on your website is much easier said than done, and often quite expensive. This is especially problematic for small organisations and individuals.
Essentially compliant EU businesses will lose out to non-compliant global businesses, and with the web being global, both in what we can access and how it is built, this makes alterations more expensive – i.e. the developer of a global website product (often a very small team) may not be bothered to alter it for a specific geography as it is just too much work.
Web browsers certainly could provide a lot more protection from tracking cookies and potentially differentiate between the different types of cookie, alerting users when they are present. Although there is mention of this in various bits of documentation it’s a bit of an afterthought, and as it would be voluntary (not legislated) the big browser-makers aren’t exactly known for their compliance.
What Others Are Doing
This varies from going so heavily down the compliance route that it significantly impacts on the browsing experience to almost nothing at all in BT’s infamous stance. That is, they are assuming an opt-in with an option to opt-out. Many sites are simply doing nothing, either from ignorance or deliberately deciding to see a test case and hence clarification of the guidance.
Although apparently the response/ fines will be ‘proportionate’, you can be fined up to £500k for serious breaches. Unfortunately much of the reason for this is that systems, which are globally developed, don’t necessarily have the functionality to identify which cookies your site creates, how to turn them off, or how to provide the functionality another way.
Of course we don’t want to see our clients caught out by this and are making sure we have solutions to help alter the sites we have built to comply as closely as possible with this guidance. This is a large task, but although we think the law is ‘crazy’ that doesn’t change the need to comply. Unfortunately we are having to charge for this additional service as it’s a lot of work and development. It is only available for current freshSPRING clients on a first-come / first-served basis – see our shop to order it online.
We are also seeing this as an opportunity to upgrade systems and we will also be ensuring all sites (especially older ones) are using the latest code, eg. for Google Analytics, which will hopefully mean automatic upgrades for those cookies in future.
We are also reviewing the existing provisions with a view to making code more widely available to allow other sites to comply. This is particularly important for smaller sites where cookies are set (eg. Google Analytics) by someone without HTML skills.
You may wish to find out more about cookies, regulations and potential implementation:
- Information Commissioner’s Office (ICO) Guidance (look at the PDFs linked specifically)
- Cookiepedia – provides a decent explanation of cookies, though is provided by a commercial concern: CookieLaw, who have created a plugin to help website owners (note: we do not endorse this tool in any way)
- Blog Article on the recent meeting hosted by ICO/ DCMS, a particularly useful blog article on CookieLaw (see previous item)
- Open Letter from ICO and DCMS
- PWC Research for DCMS regarding Cookie Awareness