Yet Another Cookie Crumbling Crisis Looms

Here we go again. From 25 May 2011, a new EU e-Privacy directive comes into force. If you trade within Europe, the law dictates that explicit consent must be obtained from all web visitors being tracked with cookies.

The directive specifically targets behavioral advertising. Web visitors must be fully informed why particular adverts are being shown and what information is being stored in cookies. However, cookies required for system login or shopping baskets are excluded from the new rules.

In the UK, the Department for Culture, Media and Sport (DCMS) is defining a set of rules detailing the steps businesses must go through to comply with the new law. Unfortunately, those recommendations are unlikely to be completed by the time the law comes into force. Ed Vaizey, minister for Culture, Communications and the Creative Industries, stated:

The delay will cause uncertainty for businesses and consumers.

Therefore, we do not expect the Information Commissioner’s Office (ICO) to take enforcement action in the short term against businesses and organizations as they work out how to address their use of cookies.

Yesterday’s cookie article on the BBC News website was the first warning many developers received. Panic ensued.

Directive Déjà Vu

We’ve been here many times before. When cookies first appeared in the late 1990s, they were heralded either as a technological miracle or a virus-like threat to online privacy. Since that time, there have been several attempts to regulate the industry and thwart cookie misuse. It won’t work.

I understand why some consider behavioral advertising to be abhorrent and why authorities want to protect people’s privacy. However, attempting to increase privacy by legislating cookies is like trying to control obesity by banning donuts.

A company profiting from behavioral advertising is hardly likely to have a change of heart. Even if they did, alternative cookie-less tracking can be implemented with technologies such as:

  • HTML5 local storage. Browsers can alert users about the storage of local data but, in my experience, most people click “Yes” without reading or understanding the message.
  • Browser fingerprints. The combination of IP address, user agent, browser configuration, installed plug-ins, screen size and colour depth, and other factors can make your browser identifiable without any cookie at all. Test your uniqueness at panopticlick.eff.org.
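To make the fingerprinting point concrete, here is an added example (not code from the original article or from Panopticlick) that builds a fingerprint from the kind of attributes a page can read, hashes it into a stable identifier, and measures how identifying each attribute is against a population, using the same surprisal figure ("bits of identifying information") that Panopticlick reports. The visitor records are constructed sample data, the attribute names are assumptions, and the population is deliberately tiny so the numbers can be checked by hand.

```javascript
// Added example: cookie-less identification from browser attributes.
// Everything below is constructed for illustration; no real visitors.

// Canonicalise the attributes into one string. Sorted keys and a fixed
// separator make the same browser produce the same string on every visit.
function canonicalise(attrs) {
  return Object.keys(attrs)
    .sort()
    .map((k) => `${k}=${Array.isArray(attrs[k]) ? attrs[k].join(',') : attrs[k]}`)
    .join('|');
}

// 32-bit FNV-1a: tiny and dependency-free. Collisions are tolerable here
// because the goal is a stable identifier, not a security property.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// The "fingerprint" a tracker would store server-side instead of a cookie.
function fingerprint(attrs) {
  return fnv1a32(canonicalise(attrs));
}

// Surprisal: -log2(fraction of the population sharing this value).
// 0 bits means everybody matches; log2(N) bits means unique among N visitors.
function surprisalBits(value, population) {
  const matches = population.filter((v) => v === value).length;
  return -Math.log2(matches / population.length);
}

// Constructed population of five visitors (assumed attribute names).
// Visitors 0 and 4 are configured identically; 1 differs only by a plug-in.
const population = [
  { ua: 'Mozilla/5.0 (Windows NT 6.1) Firefox/4.0', screen: '1280x800x24', tz: 0, plugins: ['Flash 10.2', 'Java 6'] },
  { ua: 'Mozilla/5.0 (Windows NT 6.1) Firefox/4.0', screen: '1280x800x24', tz: 0, plugins: ['Flash 10.2'] },
  { ua: 'Mozilla/5.0 (Macintosh) Safari/533', screen: '1440x900x24', tz: -5, plugins: ['Flash 10.2', 'QuickTime'] },
  { ua: 'Mozilla/5.0 (X11; Linux) Chrome/11', screen: '1920x1080x24', tz: 1, plugins: [] },
  { ua: 'Mozilla/5.0 (Windows NT 6.1) Firefox/4.0', screen: '1280x800x24', tz: 0, plugins: ['Flash 10.2', 'Java 6'] },
];

// Bits of identifying information carried by a single attribute, per visitor.
function attributeBits(population, key) {
  const values = population.map((v) => canonicalise({ [key]: v[key] }));
  return values.map((val) => surprisalBits(val, values));
}

// Bits carried by the full combination, per visitor. This is the figure that
// matters: individually boring attributes combine into a near-unique print.
function combinedBits(population) {
  const prints = population.map(fingerprint);
  return prints.map((p) => surprisalBits(p, prints));
}
```

Run on the sample population, the user agent alone yields about 0.74 bits for the three Firefox users, while the combined print gives the full log2(5) bits to every visitor except the identical pair. No cookie is set at any point, which is exactly why a cookie-only law misses the technique.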

Your Site is Tracking Users

Even if you didn’t know it, your website is probably tracking users. Most sites are a mish-mash of technologies including:

  • advertising
  • analytics systems
  • embedded media such as YouTube videos
  • widgets such as maps or search boxes
  • third-party code such as a jQuery or WordPress plug-in

Cookie-based user tracking could be implemented by one or more of those systems. Those cookies may be first-party (your domain) or third-party (another domain). Those domains may be owned by a business affected by the EU cookie legislation — or they might not be.
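Before you can explain your cookies you need to know which ones your pages actually cause to be set. The following is an added example, not code from the original article: it takes a capture of responses (URL plus Set-Cookie headers, the kind of thing you would copy out of browser developer tools or a proxy log) and classifies each cookie as first- or third-party relative to the page, noting whether it persists beyond the session. The capture is constructed sample data, and the "registrable domain" logic is a simplification stated in the comments.

```javascript
// Added example: audit the cookies a page causes to be set.
// The capture below is constructed; the domains are documentation examples.

// Simplified "registrable domain": the last two labels. A real audit should
// consult the Public Suffix List (co.uk, github.io, ...); this is an
// assumption made only to keep the example self-contained.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// capture: [{ url, setCookie: [header, ...] }, ...] observed while loading pageUrl.
function auditCookies(pageUrl, capture) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const findings = [];
  for (const { url, setCookie } of capture) {
    const host = new URL(url).hostname;
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      findings.push({
        name: c.name,
        setBy: host,
        party: siteOf(host) === pageSite ? 'first' : 'third',
        // A cookie with no Expires/Max-Age dies with the browser session.
        persistent: 'expires' in c.attrs || 'max-age' in c.attrs,
        httpOnly: c.attrs.httponly === true,
        secure: c.attrs.secure === true,
      });
    }
  }
  return findings;
}

// Constructed capture for a page on example.com: the site's own session
// cookie, an analytics cookie with a two-year lifetime, and a cookie set by
// an ad network's domain.
const capture = [
  { url: 'https://www.example.com/', setCookie: ['PHPSESSID=abc123; Path=/; HttpOnly'] },
  { url: 'https://www.example.com/', setCookie: ['__utma=1.2.3; Expires=Wed, 25 May 2013 00:00:00 GMT; Path=/'] },
  { url: 'https://ads.example-adnetwork.net/pixel.gif', setCookie: ['uid=42; Max-Age=63072000; Path=/'] },
];

const findings = auditCookies('https://www.example.com/shop', capture);

// Candidates for the privacy policy: anything persistent, and anything set
// from a domain the site does not control. The session cookie is the kind
// the directive excludes.
const needsDisclosure = findings.filter((f) => f.persistent || f.party === 'third');
```

The split between "session cookie on your own domain" and "persistent cookie from somebody else's domain" is the one the directive cares about, so it is the one the audit surfaces; whether the third-party domain's owner is itself subject to the law is a separate question the code cannot answer.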

The David Naylor site illustrates how ludicrous cookie warnings could become.

Will Anyone be Prosecuted?

It’s all well and good making this legislation, but can it be enforced? It’s easy to check whether a site is using cookies but how do you identify illegitimate ones? Would the authorities need to obtain a warrant to audit your software and data? What if your data center is outside the EU?

The new legislation is still open to interpretation but I doubt evil corporations using nefarious cookies will be concerned. For the rest of us, the most immediate effect will be a rise in spam emails claiming your site breaks EU law.

If you’re beginning to panic — don’t. The following actions should prevent a visit from EU lawyers:

  1. Create a privacy policy page and link to it in the footer of every page.
  2. Explain your use of cookies and, where necessary, link to the privacy policy of any third-party systems, e.g. Google Analytics.
  3. Link to a cookie resources site such as aboutcookies.org, which explains how to control and delete cookies.

Just don’t hold your breath for official — and workable — cookie recommendations.


  • Wolf_22

    This is something I’m willing to take a gamble on… I’ll worry more about making sure I return DVDs on time than I will this.

  • PeteW

    Thanks for a good, balanced article, Craig – your advice seems sensible, and your ‘Here we go again’ chimes with my initial reaction. That said, I’m still horrified that a law has been passed:
    a) Without being thought through at all;
    b) Targeting a technology, rather than specific abuses of it;
    c) Without clear guidance on what law-abiding citizens need to do to avoid prosecution;
    d) Potentially (depending on final guidance) making European websites less accessible, usable, competitive and economically viable;
    e) Requiring online merchants to ask customers permission to track and aggregate activity within their own virtual premises – when the right of any retailer to do the same in the real world is unquestioned.

    My personal concern isn’t simply whether or not anyone gets prosecuted, or what we can do to avoid that. It’s that technophobia should not be enshrined in law, and that politicians are paid to make laws only after proper consideration, which patently isn’t happening.

  • w2ttsy

    What’s the bet that cookie driven integrations like Google Analytics will be replaced with SDKs that allow you to embed the data inside your site code?

    Instead of cookies, all the data will be collected and sent back to an internal collective intelligence engine, and then GA will request that via a web service.

    Facebook have already got around this whole issue by using their own ad network and then tracking their users via the profile content. No need for cookies when all the information collected is in the data you’re adding to your profile.

    • PeteW

      Yep, there are alternative technical solutions – but then the user data currently stored in cookies will be stored even further beyond the user’s control, on remote databases. Many small firms will struggle with this, especially as Data Protection may then require them to secure said databases. Finding workarounds for incompetent legislation doesn’t make it competent legislation, or justify the salaries of those who came up with it – that amounts to fixing the symptom instead of the problem.

  • Stormrider

    I’m pretty sure this is all a lot of fuss over nothing as well, and that a simple statement in the privacy policy ought to do enough, but at least it is getting discussed and looked at in detail by a lot of people to enable us to come to this decision!

  • Anonymous

    Would someone please build a “Whack the MEP Dunce” app for iPhone and Android.

    • PeteW

      Heh – I am hoping that all public sector and politicians’ websites across the EU will be required to comply fully before the ICO starts on the private sector. :-)

      • Anonymous

        I doubt it – most public authorities have made their developers redundant!

  • goldfidget

    Thanks for another well thought out article Craig. It will be interesting to see how this law plays out, especially with Google Analytics. Still, as you point out, there are plenty of other ways to track a user.

    Here’s one I just came up with that uses images in the browser cache. You could:

    1. Set image caching to maximum in the page header.
    2. Embed 64 one-pixel images in your footer labeled 0.png to 64.png
    3. If in a single request, from a single IP, all 64 are requested within a specified time period, you have an untracked user. Generate a 64-bit tracking number and return a subset of images that correspond to the 0 bits. For the 1 bits, return 404.
    4. If, from a single IP, less than the full 64 were requested within a specified time period, you have a tracked user. Return 404 for all the requested images. You now have a list of all the 1 bits in your 64-bit tracking number.

    You could do all this in the background after the page loads with a little bit of JavaScript. Baroque I know, but I imagine there’ll be plenty of solutions like this floating around until the market settles.
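The cache-based scheme in the comment above is the classic "cache cookie", so it is worth seeing it actually work. The following is an added example, not code from the commenter or the article: it simulates both sides, a server that assigns a 64-bit ID through 200/404 responses and a browser that caches successful image responses and never re-requests them. The time-window and per-IP grouping are collapsed into one call per visit, IDs start at 1 so that a returning visitor always has at least one uncached image to request, and image naming is an assumption.

```javascript
// Added example: simulation of tracking via the browser's image cache.
// Both the server and the "browser" are models so the scheme runs offline.

const BITS = 64;

class CacheTrackerServer {
  constructor() {
    this.nextId = 1n;       // 0 is reserved: an all-zero ID would never be re-requested
    this.seen = new Map();  // id -> number of visits
  }

  // `requested`: indices 0..63 this client asked for during one visit.
  // Returns { id, responses } where responses maps index -> 200 | 404.
  handleVisit(requested) {
    const responses = new Map();
    if (requested.length === 0) {
      // Nothing requested: images disabled or a cache we cannot read. Unknown.
      return { id: null, responses };
    }
    let id;
    if (requested.length === BITS) {
      // Fresh visitor: assign an ID. 0-bits get a cacheable 200, 1-bits a 404
      // (which the browser will not cache and will therefore ask for again).
      id = this.nextId++;
      for (let i = 0; i < BITS; i++) {
        const bitSet = (id >> BigInt(i)) & 1n;
        responses.set(i, bitSet === 1n ? 404 : 200);
      }
    } else {
      // Returning visitor: the set of uncached (requested) indices is the ID.
      // Keep answering 404 so those images stay uncached for next time.
      id = requested.reduce((acc, i) => acc | (1n << BigInt(i)), 0n);
      for (const i of requested) responses.set(i, 404);
    }
    this.seen.set(id, (this.seen.get(id) || 0) + 1);
    return { id, responses };
  }
}

// A browser that caches 200 responses for "long-lived" images and never
// re-requests a cached URL; 404s are not cached.
class SimulatedBrowser {
  constructor() { this.cache = new Set(); }

  visit(server) {
    const requested = [];
    for (let i = 0; i < BITS; i++) if (!this.cache.has(i)) requested.push(i);
    const { id, responses } = server.handleVisit(requested);
    for (const [i, status] of responses) if (status === 200) this.cache.add(i);
    return id;
  }

  clearCache() { this.cache.clear(); }
}

// Two visitors, one of whom returns and then clears the cache.
function demo() {
  const server = new CacheTrackerServer();
  const alice = new SimulatedBrowser();
  const bob = new SimulatedBrowser();
  const a1 = alice.visit(server);
  const b1 = bob.visit(server);
  const a2 = alice.visit(server);   // recognised with no cookie involved
  alice.clearCache();
  const a3 = alice.visit(server);   // clearing the cache is the only defence
  return { a1, b1, a2, a3, visitsForAlice: server.seen.get(a1) };
}
```

Two caveats the simulation makes visible: the scheme is only as reliable as the cache (a browser that evicts some of the 64 images returns a corrupted ID), and it is defeated entirely by clearing the cache or disabling images, neither of which any cookie setting controls.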

  • Alistair Warwick

    Thanks. This is very helpful advice.