Cutting Back on the Cookies?
Written 02/06/11
Well the day has come and gone and the ICO seems to have blinked, effectively delaying by a year the date at which the changes to the EU Privacy and Electronic Communications Regulations become mandatory for web site owners. I can't say I'm surprised.
The background to this is that the old regulations, which go back to 2003 and were widely ignored, said that if your site put cookies on the visitor's browser you had to indicate somewhere on your web site that you were doing this. The normal route was to add a "privacy policy" link of the type you can see at the bottom of this page.
Now pretty much every web site out there puts cookies on the visitor's browser unless the author lovingly coded the HTML by hand, because every blogging tool, content management system, video player and so on uses cookies either to control some aspect of the user experience or to track how people are using the site (which is hard to do otherwise, given that each page fetch is essentially a stateless transaction).
What has put the cat among the pigeons is a one line change in the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. Previously the wording said that you must ensure that the visitor:
- is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
- is given the opportunity to refuse the storage of or access to that information
That's now been changed so that it reads:
- is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
- has given his or her consent.
That reversal of the assumption of consent in clause (b) is a real game changer. As web site designers we can no longer assume that visitors will accept cookies; instead we must explicitly ask them whether they will accept them before we put them on their browser. The ICO guidance says that about the only exception to this is cookies needed for things like processing shopping baskets.
So what's the implication of this?
Well for a start it means that the first time visitor to your nice web site will be met with a message asking if they will accept cookies to track their movements.
Do you want to inflict that on them? Or do you ditch hit logging using cookies? If you do, it means you can no longer reliably track return visits, and although you can track progress through a web site by appending a tracking parameter to each internal URL, it's clumsy.
And if you decide you will put up with first time visitors getting such a message (and you may have to; I have at least one site whose functionality depends on cookies), then it completely ruins the browsing experience for anyone who chooses not to accept cookies on your site, because every time they visit you're going to have to ask them again whether they will accept a cookie from you. You have to do that because you can't tell whether you've seen them before: the only way to remember that you've already asked the question is to set a cookie on their browser, which is precisely what they've just refused.
People are very rapidly going to learn that the only response is "Yes" to any site they visit. So we're all going to re-code our sites just so that people can be asked a question they didn't want to be asked anyway.
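To make the problem in the preceding paragraphs concrete, here is a small added example (not The Hug's code, and not anything from the ICO guidance): a consent gate that refuses to write any non-essential cookie until the visitor has said "Yes", records that "Yes" in a consent cookie, and simulates two return visits. The cookie names, the essential/tracking split and the plain object standing in for the browser's cookie store are all assumptions made for illustration so the example runs offline under Node.

```javascript
// Added example, not code from the original page. A plain object stands in
// for document.cookie so this runs without a browser.

const ESSENTIAL = "essential";          // e.g. a shopping basket (assumed exempt)
const TRACKING = "tracking";            // e.g. a return-visitor id (needs consent)
const CONSENT_COOKIE = "cookie_consent"; // hypothetical name for the consent record

class ConsentGate {
  constructor(jar) {
    this.jar = jar;       // {name: value}: the visitor's cookie store
    this.pending = [];    // tracking cookies deferred until consent is given
  }

  // The prompt is needed unless a previous "yes" is on record. A "no" cannot
  // be recorded without setting a cookie, so a visitor who declines is asked
  // again on every visit, which is the problem described in the text.
  needsPrompt() {
    return this.jar[CONSENT_COOKIE] !== "yes";
  }

  // Returns true if the cookie was actually written to the jar.
  setCookie(name, value, category) {
    if (category === ESSENTIAL || this.jar[CONSENT_COOKIE] === "yes") {
      this.jar[name] = value;
      return true;
    }
    this.pending.push([name, value]);
    return false;
  }

  // Visitor answers the prompt. Accepting records consent and flushes the
  // deferred cookies; declining stores nothing at all.
  answer(accepted) {
    if (accepted) {
      this.jar[CONSENT_COOKIE] = "yes";
      for (const [name, value] of this.pending) this.jar[name] = value;
    }
    this.pending = [];
  }
}

// One page load: the page tries to set a basket cookie and a visitor id.
// visitorAnswer is true/false if the visitor answers the prompt, undefined
// if no prompt was shown.
function pageLoad(jar, visitorAnswer) {
  const gate = new ConsentGate(jar);
  const prompted = gate.needsPrompt();
  gate.setCookie("basket", "abc123", ESSENTIAL);
  gate.setCookie("visitor_id", "v-42", TRACKING);
  if (prompted && visitorAnswer !== undefined) gate.answer(visitorAnswer);
  return { prompted, cookies: Object.keys(jar).sort() };
}

// Two visitors, two visits each: one accepts, one declines.
function simulate() {
  const acceptJar = {};
  const acceptFirst = pageLoad(acceptJar, true);
  const acceptSecond = pageLoad(acceptJar);           // no prompt this time

  const declineJar = {};
  const declineFirst = pageLoad(declineJar, false);
  const declineSecond = pageLoad(declineJar, false);  // prompted again

  return { acceptFirst, acceptSecond, declineFirst, declineSecond };
}

console.log(JSON.stringify(simulate(), null, 2));
```

The accepting visitor is prompted once and never again, and ends up with the basket, consent and visitor_id cookies. The declining visitor ends up with only the basket cookie and is prompted on both visits, because nothing in the jar records the refusal.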
What's going on here is using a sledgehammer to crack a nut. I think they're trying to "protect" users who don't understand that their browsing is being tracked across sites by advertisers using various technologies, including cookies.
But I'm not sure they've really understood the damage they're going to do if people take the regulations seriously: the time law-abiding web site developers are going to waste making the changes demanded, and the annoyance it's going to cause visitors to their web sites.
My prediction, for what it's worth, is that this one is going to die on its feet. The current situation is that the likes of www.number10.gov.uk and the EC's own web site ec.europa.eu are in breach of the Regulations, which gives you a taste of how this is going.
And when we move to the enforcement stage, if it ever gets that far, you only have to look back at the previous Regulations and how well they were enforced, or, far more seriously, at the Disability Discrimination Act 1995, where I believe the number of prosecutions is still zero, despite many, many breaches by web sites.
It's also obvious from the ICO guidance that, despite what they say initially, their real interest is the intent to intrude on the visitor's privacy, and they talk about a "sliding scale". For example, they seem fairly sanguine about tracking anonymised data to help you improve your site (although that still theoretically requires consent), which is generally how we're using cookies at The Hug.
So to conclude, here at The Hug we're currently intending to make no changes to our software or web sites in response to these regulations, but we will continue to monitor the situation and, if you're a customer, don't hesitate to get in touch if you want to discuss this further.