Yet Another Cookie Crumbling Crisis Looms

Here we go again. From 25 May 2011, a new EU e-Privacy directive comes into force. If you trade within Europe, the law dictates that explicit consent must be obtained from all web visitors being tracked with cookies.

The directive specifically targets behavioral advertising. Web visitors must be fully informed why particular adverts are being shown and what information is being stored in cookies. However, cookies required for system login or shopping baskets are excluded from the new rules.

In the UK, the Department for Culture, Media and Sport (DCMS) is defining a set of rules detailing the steps businesses must go through to comply with the new law. Unfortunately, those recommendations are unlikely to be completed when it comes into force. Ed Vaizey, minister for Culture, Communications and the Creative Industries, stated:

The delay will cause uncertainty for businesses and consumers.

Therefore, we do not expect the Information Commissioner’s Office (ICO) to take enforcement action in the short term against businesses and organizations as they work out how to address their use of cookies.

Yesterday’s cookie article on the BBC News website was the first warning many developers received. Panic ensued.

Directive Déjà Vu

We’ve been here many times before. When cookies first appeared in the late 1990s, they were heralded either as a technological miracle or a virus-like threat to online privacy. Since that time, there have been several attempts to regulate the industry and thwart cookie misuse. It won’t work.

I understand why some consider behavioral advertising to be abhorrent and why authorities want to protect people’s privacy. However, attempting to increase privacy by legislating cookies is like trying to control obesity by banning donuts.

A company profiting from behavioral advertising is hardly likely to have a change of heart. Even if they did, alternative cookie-less tracking can be implemented with technologies such as:

  • HTML5 local storage. Browsers alert users about the storage of local data but, in my experience, most people click “Yes” without reading or understanding the message.
  • Browser fingerprints. The combination of IP address, user agent, browser configuration, installed plug-ins, screen depth and other factors makes your browsing session unique. Test your uniqueness at panopticlick.eff.org.

Your Site is Tracking Users

Even if you didn’t know it, your website is probably tracking users. Most sites are a mish-mash of technologies including:

  • advertising
  • analytics systems
  • embedded media such as YouTube videos
  • widgets such as maps or search boxes
  • third-party code such as a jQuery or WordPress plug-in

Cookie-based user tracking could be implemented on one or more of those systems. Those cookies may be first-party (your domain) or third-party (another domain). Those domains may be owned by a business affected by the EU cookie legislation — or they might not be.
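To see which of those systems set cookies on your pages, you can audit the responses a page load triggers. The following is an added example, not code from the original article: the host names, cookie values and function names are constructed for illustration, and "same site" is approximated by a simple subdomain match.

```javascript
// Constructed sample data: responses captured while loading one page of the site.
const SITE_HOST = "shop.example";
const responses = [
  { url: "https://shop.example/", setCookie: ["basket=abc123; Path=/; HttpOnly"] },
  { url: "https://www.shop.example/login", setCookie: ["sid=9f2; Domain=shop.example; Secure"] },
  { url: "https://ads.tracker.example/pixel.gif", setCookie: ["uid=77aa; Max-Age=63072000; Domain=.tracker.example"] },
  { url: "https://video.cdn.example/embed.js", setCookie: ["pref=hd; Expires=Wed, 25 May 2033 00:00:00 GMT"] },
];

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Assumption: a host is first-party if it equals siteHost or is a subdomain of it.
// A production audit would compare registrable domains using the Public Suffix List.
function sameSite(host, siteHost) {
  host = host.replace(/^\./, "").toLowerCase();
  return host === siteHost || host.endsWith("." + siteHost);
}

function auditCookies(siteHost, captured) {
  const report = [];
  for (const { url, setCookie } of captured) {
    const host = new URL(url).hostname;
    for (const header of setCookie) {
      const { name, attrs } = parseSetCookie(header);
      const domain = typeof attrs.domain === "string" ? attrs.domain : host;
      report.push({
        name,
        domain: domain.replace(/^\./, ""),
        party: sameSite(domain, siteHost) ? "first" : "third",
        persistent: "max-age" in attrs || "expires" in attrs, // outlives the session
      });
    }
  }
  return report;
}

console.table(auditCookies(SITE_HOST, responses));
```

Persistent third-party cookies in the report are the ones to trace back to a vendor and cover in your privacy policy.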

The David Naylor site illustrates how ludicrous cookie warnings could become.

Will Anyone be Prosecuted?

It’s all well and good making this legislation, but can it be enforced? It’s easy to check whether a site is using cookies but how do you identify illegitimate ones? Would the authorities need to obtain a warrant to audit your software and data? What if your data center is outside the EU?

The new legislation is still open to interpretation but I doubt evil corporations using nefarious cookies will be concerned. For the rest of us, the most immediate effect will be a rise in spam emails claiming your site breaks EU law.

If you’re beginning to panic — don’t. The following actions should prevent a visit from EU lawyers:

  1. Create a privacy policy page and link to it in the footer of every page.
  2. Explain your use of cookies and, where necessary, link to the privacy policy of any third-party systems, e.g. Google Analytics.
  3. Link to a cookie resources site such as aboutcookies.org which explains how to control and delete cookies.

Just don’t hold your breath for official — and workable — cookie recommendations.

Craig Buckler

Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.