ICC UK Cookie Law

[w_grace]

Hello,

Has anyone read the ICC UK Cookie boocklet? From here http://www.international-chamber.co....-cookie-guide/

What a load of hash! Effectively if you have any doubts about the cookies that your site uses, then it shoulb be rated as a Cat. 4 cookie and you have to ask and get permission.

If you use Google Analytics look out, read it the booklet and then read googles T's and C's and you just might figure out, that, guess what, you are going to have to ask every users, before they get on your landing page, if they are ok with it.

Worst thing is, if your in the UK, you are going to have to follow it, if your in Europe, then, it isn't going to matter so much.

[squire]

Thanks for that Grace. The Information Commissioner's Office UK has a PDF also giving advice about the new regulations:

http://www.ico.gov.uk/~/media/docume...egulations.pdf

[Stevie D]

What strikes me as crazy is the way you're supposed to get explicit consent before setting a cookie. But any method that is used to achieve this is going to be horrendously intrusive and disruptive, if users are required to accept cookies on each and every site they visit.

And the irony is ... what if they decline? They'll have to be asked the same question next time they visit the site, because the site won't be able to identify that they've already declined. Or else we'll be in a situation where website owners have to ask "Do you consent to having a cookie stored on your computer for the sole purpose of identifying you as someone who does not consent to having cookies stored on your computer?" ... I don't fancy being the first person to put that one in place.

I don't set any cookies myself on my websites, but I do use Google Adsense. If it's Google that is setting the cookies, and not my site, it seems absolutely barmy that I'm responsible for getting consent for something that I don't have any control over.

[squire]

What strikes me as crazy is the way you're supposed to get explicit consent before setting a cookie. But any method that is used to achieve this is going to be horrendously intrusive and disruptive, if users are required to accept cookies on each and every site they visit.

And the irony is ... what if they decline? They'll have to be asked the same question next time they visit the site, because the site won't be able to identify that they've already declined. Or else we'll be in a situation where website owners have to ask "Do you consent to having a cookie stored on your computer for the sole purpose of identifying you as someone who does not consent to having cookies stored on your computer?" ... I don't fancy being the first person to put that one in place.

I don't set any cookies myself on my websites, but I do use Google Adsense. If it's Google that is setting the cookies, and not my site, it seems absolutely barmy that I'm responsible for getting consent for something that I don't have any control over.

Google Analytics would be my main issue so it's not a major deal to remove this if worst comes to worst.

Some sites already complying are:

• http://www.eantics.co.uk/
• http://www.ico.gov.uk/
• http://www.wolf-software.com/about-us/press-releases/
• http://www.cookielaw.org/

What I notice though is that most solutions use JavaScript. If JavaScript is disabled on the browser then the visitor will not see the message or option to allow cookies in most cases. The ico.gov.uk link above seems to work when JavaScript is disabled but that isn't a 'fancy' looking implementation that most businesses/companies will want to have on their nicely crafted websites.

Your other point about the re-asking every visit is also something we've talked about in the office - it makes things very difficult for something so small. I do think users/visitors will get annoyed/frustrated at constantly having to perform an action when they visit a site.

The examples above though seem to only allow a user to select the 'Allow' option. This means the user will not click on a decline button; so on each and every page, they will receive the same message asking for the user to allow cookies.

[Sega]

@squire ;

it's like set the law for the small web designer, but forget the big fish and governments are closing in on net neutrality.

I think this will be very annoying. I did read something about this yesterday. It appears that Europe will follow suite of the UK. I have no idea why this law has been put to pass, and what this involves for us. I can't seem to get rid of that horrid pop-up on some of those examples.

The examples above though seem to only allow a user to select the 'Allow' option. This means the user will not click on a decline button; so on each and every page, they will receive the same message asking for the user to allow cookies.

Not very user friendly I am a little puzzled.

I see most of the rules created to protect, and baffle everybody at the same time complicating our simple lives. Apart from this law, what would happen if I was based in the UK (which I'm not) and did not comply with this cookie rule. I was hoping that Chuck Norris would pop out of my monitor and pull me into a world of Chun Kuk Do, were he would show me the error of my way.

[Mikl]

Worst thing is, if your in the UK, you are going to have to follow it, if your in Europe, then, it isn't going to matter so much.

Sorry, but that doesn't make sense. The legislation is EU-wide. The implementation date might vary from state to state, but in general the directive applies throughout. In any case, how can you be in the UK without also being in Europe?

Mike

[Stevie D]

The examples above though seem to only allow a user to select the 'Allow' option. This means the user will not click on a decline button; so on each and every page, they will receive the same message asking for the user to allow cookies.

Yes, but what other option is there? If they decline, you can't log their preference not to have cookies, because you would have to use a cookie to do that, and they don't want you to use cookies...

I suppose the alternative would be to set up a mod_rewrite so that anyone who declined the cookies was sent to a different subdomain, eg nc.example.com, which would serve them exactly the same pages but no cookies. I have no idea how you would go about implementing that solution though, and although it would allow people to bookmark the cookie-free version of the page, it wouldn't stop Google sending them to the cookie-yes version (because of course you would be using rel="canonical" to make sure everyone was sent to the cookie-yes version)...

[squire]

Yes, but what other option is there? If they decline, you can't log their preference not to have cookies, because you would have to use a cookie to do that, and they don't want you to use cookies...

I suppose the alternative would be to set up a mod_rewrite so that anyone who declined the cookies was sent to a different subdomain, eg nc.example.com, which would serve them exactly the same pages but no cookies. I have no idea how you would go about implementing that solution though, and although it would allow people to bookmark the cookie-free version of the page, it wouldn't stop Google sending them to the cookie-yes version (because of course you would be using rel="canonical" to make sure everyone was sent to the cookie-yes version)...

Unfortunately I don't think there is any other option Steve and in the circumstances the above method of only having the 'Allow' option is the only sensible approach. Users are going to have to accept the cookies or get used to these messages. I think as people who work on the web we want to offer the user the best experience possible and this new EU directive puts a dent in that.

[felgall]

Unfortunately I don't think there is any other option Steve and in the circumstances the above method of only having the 'Allow' option is the only sensible approach. Users are going to have to accept the cookies or get used to these messages. I think as people who work on the web we want to offer the user the best experience possible and this new EU directive puts a dent in that.

Surely a cookie to record the fact that the person declines your saving cookies on their computer would be considered a Category 1 cookie and you would therefore be entitlesd to set a cookie on their computer to record the fact that they have declined permission for you to store cookies on their computer. The document states that you don't need to ask permission to store category 1 cookies as they are required for the functioning of your site - and not having to ask the person repeatedly if they will accept cookies is surely a necessary part of the functioning of any site.

[Victorinox]

Hmm. One of my sites includes a blogger.com blog via a subdomain, which takes cookie management out of my hands. Will have to look into the ramifications of this.

Part of the challenge is to how to present the opt-in in a usable, friendly way. Familiarity via a degree of standardisation of format and positioning might help make the function appear less daunting.

I think it'll be a while before opt-ins are widely deployed, but it'll be worth having a statement of intent to hand in case the inspectorate come calling. The ICO's advice [188KB PDF] states:

What will happen to me if I don’t do anything?

The government’s view is that there should be a phased approach to the implementation of these changes. In light of this if the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice. The key point is that you cannot ignore these rules.

[squire]

Surely a cookie to record the fact that the person declines your saving cookies on their computer would be considered a Category 1 cookie and you would therefore be entitlesd to set a cookie on their computer to record the fact that they have declined permission for you to store cookies on their computer. The document states that you don't need to ask permission to store category 1 cookies as they are required for the functioning of your site - and not having to ask the person repeatedly if they will accept cookies is surely a necessary part of the functioning of any site.

Yes, I agree with that and what Steve was saying. I probably came across wrong. I don't think there is any other option other than to ask for permission from page-to-page, until the user accepts.

[Victorinox]

Here's an interesting implementation...

[Stevie D]

Surely a cookie to record the fact that the person declines your saving cookies on their computer would be considered a Category 1 cookie and you would therefore be entitlesd to set a cookie on their computer to record the fact that they have declined permission for you to store cookies on their computer. The document states that you don't need to ask permission to store category 1 cookies as they are required for the functioning of your site - and not having to ask the person repeatedly if they will accept cookies is surely a necessary part of the functioning of any site.

I don't believe that would be the case. Cookies to determine whether you want to allow cookies would unquestionably be considered as 'Category 3' cookies:
“These cookies allow the website to remember choices you make ... These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise.”
and so would not be exempt from the legislation. There is no possible argument that using cookies to remember that you don't want cookies would constitute "essential functionality".

Here's an interesting implementation...

Love it

[squire]

Here's an interesting implementation...

Very good @Victorinox ;

[Victorinox]

econsultancy.com blog article on what they have done and why, with comments.

In short, they've chosen to audit their cookies and inform the end-user, but not provide an opt-in/out function. Though clearly not compliant, it seems a sensible minimal precaution until the practical application of the law becomes clear. (Mileage may vary depending on the toxicity of your baked goods.)