Help How to comply with website 'Cookie Law'?

Have designed / built a number of websites and trying to figure out exactly what needs to be done (and how) for clients and their websites, and the info out there seems to be 'yes comply with the law, but it's up to you how to do it'.

Reading the legal bit of it makes my mind glaze over.

Seeing the so-vague-it-may-as-well-be-meaningless* example copy people put on their websites, coupled with the fact people get freaked out by any kind of pop-up messages like this so they nearly always click no**, means this is going to be a pain in the ass right?

If the first thing I get is something like this - http://www.allaboutcookies.org/ - when I visit a website, I may not bother. Why do I have to already allow / disallow something before I've even seen what the content was? Maybe I could be overreacting a bit; there's those annoying, yes I'm over 13 or 18' things on some sites already, so I guess just an extension of that, but still....

There's some info about first-party cookies*** for website owners (tbh I thought this would already be in effect...) but for regular clients; ie who use Google Analytic software, or third party plugins on their WP blogs that add social media 'like' or +1 buttons, what do we do?

Do I need to put these kind of messages on WP installs for clients?
Can implied consent be assumed and covered in an e-commerce's T&Cs?

Is there anywhere that has concrete examples of how people affected can take steps? Otherwise I bet the majority of smaller businesses / freelancers without extensive legal depts. are going to risk sticking their heads in the sand....

Finally, are services like this: http://www.cookielaw.org/optanon.aspx, just expensive woowoo covering what could done by oneself, or actually worth considering; right now it's looking pretty attractive...

Thanks for any info in trying to untangle this...

*http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx "....help us make this website better...." Why? What for? vague and annoying copywriting imho

**example of 90% decrease in Google Analytics traffic after cookie opt-in: http://www.flickr.com/photos/vickyb/5859873960/in/photostream/

***http://blogs.webtrends.com/2012/04/more-on-the-eu-cookie-law-from-waw-london/

Interesting topic. For now I'm just keeping my head in the sand and I'm hoping that if enough over webmasters do so the problem will go away

This is a good take on it:http://www.slideshare.net/idea15webdesign/the-eu-cookie-law-wordpress-and-you-11427205
Makes me less scared, with resources, plain English, humour and links to a WP plugin....

Thanks, so after reading that I'm sticking with my 'head in the sand' approach at least until I see what approaches other sites take.

The bit about the ICO's site setting a cookie to save your preference about not wanting cookies saved

And you're not alone, I've consulted widely on this and no one (including some of the biggest companies in the UK) are taking this very seriously. The ICO is next to useless when it comes to explaining how they're going to enforce compliance. I've been to a few meetings on this and literally not one meeting made anything clearer, despite being with law firms, technical people, and those in attendance seemed to be doing the wait and see approach...

Well it says something that 19 EU member states have yet to even bother with *saying* they'd implement it tbh... I just envisioned panicking clients ringing me up at the end of May...

Yup.

Nobody really knows how this is meant to work. A lot of big companies are trying to deal with it by making people sign up to terms and conditions on joining their e-commerce site or whatever, but nobody know for sure if that's legally workable as far as I've been able to find out.

can you not just take the urban approach, but replace hob nob with cookie?

"hi, welcome to eme's site, have a cookie..."

The other problem is its not clear just how intrusive an opt in has to be...but it says you can't just update your privacy policy...

Seems to apply to tracking cookies, but not login cookies. Google must be shitting themselves. Analytics is fucked, maybe targetted advertising too.

The ICO (Information Commisioner's Office) have a cookie warning at the top of every page - until you tick the box and click 'continue' but it doesn't stop you using the site. As eme said, their PDF gives some info but doesn't recommend any particular course of action.

I've set up a test on my website in case any of my clients panic and want a cookie warning put on their sites:
http://reeddesign.co.uk/tests/cookiewarning/
This effectively stops you using the site unless you click 'accept' and if you click 'decline' it takes you to a page that gives you the option to reconsider. It's based on some JS I found on Google Code, so anyone's welcome to it if they think it's useful.

The fact that there's nothing on any other government sites (other than the ICO), the BBC or 10 Downing Street must say something.

If anyone has any definitive info I'd love to see it.

My understanding is that it applies to ALL cookies. I might be wrong.

Well the thing is Google along with Microsoft and Mozilla have brought this on themselves. They were asked to make the opt in at the browser level and basically said they couldn't be arsed and it'd take up resources to develop...this should be a browser level opt in. It's insane to expect 10s of thousands of websites to wrangle with this and the ICO, with it's staff of 300 odd to try and enforce compliance...

Definitely pointless - as is the law - but if clicking 'yes' to Ts&Cs keeps you legal, then surely this would too. You'd just lose 90% of your traffic.

The presentation shared by eme suggests not.

The ICO cookie info PDF would suggest otherwise:

and

Yeah, it's not exactly clear is it.

First-and third-party cookies, including login cookies, yes.

There is an ill-defined exception to the requirement for consent for cookies that are "strictly necessary" for the provision of a service.

I plan to add links saying that I use no cookies except when users are logged in, and except on pages bearing a "tweet this" button (these third-party cookies currently expire after a week).

I think I'll say that I've abandoned plans for FaceBook integration because it'd be too much work to keep up with their ever-changing policies.

From the guidance:

Activities likely to fall within the exception

• A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
• Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested – for example in connection with online banking services
• Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers.

Activities unlikely to fall within the exception

• Cookies used for analytical purposes to count the number of unique visits to a website for example
• First and third party advertising cookies
• Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored [get consent when they change a setting].

The whole thing has the flavour of civil-service sarcasm: underlying message "these regulations are terribly written and we have no idea what they mean either".

I don't set/use cookies on the websites I build/manage. If I did I'd get users to agree to their use as part of some sign-up process, I suspect (in my case, I've no interest in tracking casual browsers).

The JISC legal FAQ on the new regulations and this seminar Are You Ready For The New 'Cookie Law? (I suggest you download the high quality verison) might help clarify things.

i think the channel4 site has added a thing for this..

"Like most websites Channel 4 uses cookies. In order to deliver a personalised, responsive service and to improve the site, we remember and store information about how you use it. This is done using simple text files called cookies which sit on your computer. These cookies are completely safe and secure and will never contain any sensitive information. They are used only by Channel 4 or the trusted partners we work with."

Then an accept an close button

I've done this, this is what I did:

1) Check if cookies are enabled.
2) If so, check whether user has previously "accepted" cookies on our site.
3) If cookies are enabled but the user hasn't accepted cookies, then show the cookies banner on top of the page (some cookies, like CMS sesion cookie is already set, nothing I can do about it.)
4) Only when user has accepted cookies can we set other stuff that uses cookies, like analytics, twitter/facebook buttons etc.
5) Updated out cookies page with more info about each individual cookie.
6) Change embedded YouTube videos to use "privacy enhanced mode", which won't set a cookie unless the user clicks play. Normal YouTube embed code sets a cookie anyway, so we've undone that.

A right headfuck and a lot of work for no practical purpose whatsoever to be honest. Because of the different technologies around the site I had to write the same fucking script in asp, perl, and javascript.

But I can still use the Channel 4 website without clicking accept & close - much like the ICO website - so it seems pointless no?

ooof - way beyond my tech capabilities, so I'm back looking at that Optanon thing... for *every single client*

There's a thread on Wordpress, but again, it's trying to work out exactly what is meant by the law; trying to unwoolyify it before coming up with an answer...

Edited to add: Just found a free version like Optanon I think... Cookie Control

I don't think anyone really knows exactly what is meant by the law. Not even those that wrote it!

It's not as if cookies are the only way to uniquely track a user.

The ICO recently said they don't have an enforcement team to go after orgs not in compliance. They also said they're not going to go after anyone based on number of complaints but they would look at different sectors and highlight good practice.

This whole thing is bullshit.