
Help How to comply with website 'Cookie Law'?

Discussion in 'computers, web and general tech' started by eme, May 3, 2012.

  1. eme

    eme turn a frown upside down!

    Have designed / built a number of websites and trying to figure out exactly what needs to be done (and how) for clients and their websites, and the info out there seems to be 'yes comply with the law, but it's up to you how to do it'.

    Reading the legal bit of it makes my mind glaze over.

    Seeing the so-vague-it-may-as-well-be-meaningless* example copy people put on their websites, coupled with the fact people get freaked out by any kind of pop-up messages like this so they nearly always click no**, means this is going to be a pain in the ass right?

    If the first thing I get is something like this - http://www.allaboutcookies.org/ - when I visit a website, I may not bother. Why do I have to already allow / disallow something before I've even seen what the content was? Maybe I could be overreacting a bit; there's those annoying 'yes I'm over 13 or 18' things on some sites already, so I guess just an extension of that, but still....

    There's some info about first-party cookies*** for website owners (tbh I thought this would already be in effect...) but for regular clients; ie who use Google Analytic software, or third party plugins on their WP blogs that add social media 'like' or +1 buttons, what do we do?

    Do I need to put these kind of messages on WP installs for clients?
    Can implied consent be assumed and covered in an e-commerce's T&Cs?

    Is there anywhere that has concrete examples of how people affected can take steps? Otherwise I bet the majority of smaller businesses / freelancers without extensive legal depts. are going to risk sticking their heads in the sand....

    Finally, are services like this: http://www.cookielaw.org/optanon.aspx, just expensive woowoo covering what could be done by oneself, or actually worth considering; right now it's looking pretty attractive...

    Thanks for any info in trying to untangle this...

    *http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx "....help us make this website better...." Why? What for? vague and annoying copywriting imho

    **example of 90% decrease in Google Analytics traffic after cookie opt-in: http://www.flickr.com/photos/vickyb/5859873960/in/photostream/

  2. editor

    editor Taffus Maximus

    I've got cookies all over the shop too so I'm interested in what it is that web authors are supposed to be doing.
  3. salem

    salem Well-Known Member

    Interesting topic. For now I'm just keeping my head in the sand and I'm hoping that if enough other webmasters do so the problem will go away :D
  4. eme

    eme turn a frown upside down!

  5. salem

    salem Well-Known Member

    Thanks, so after reading that I'm sticking with my 'head in the sand' approach at least until I see what approaches other sites take.

    The bit about the ICO's site setting a cookie to save your preference about not wanting cookies saved :facepalm:
  6. Kid_Eternity

    Kid_Eternity "You might be a lord but here comes the king."

    And you're not alone, I've consulted widely on this and no one (including some of the biggest companies in the UK) is taking this very seriously. The ICO is next to useless when it comes to explaining how they're going to enforce compliance. I've been to a few meetings on this and literally not one meeting made anything clearer, despite being with law firms, technical people, and those in attendance seemed to be doing the wait and see approach...
  7. eme

    eme turn a frown upside down!

    Well it says something that 19 EU member states have yet to even bother with *saying* they'd implement it tbh... I just envisioned panicking clients ringing me up at the end of May...
  8. Kid_Eternity

    Kid_Eternity "You might be a lord but here comes the king."

  9. Bernie Gunther

    Bernie Gunther Fundamentalist Druid

    Nobody really knows how this is meant to work. A lot of big companies are trying to deal with it by making people sign up to terms and conditions on joining their e-commerce site or whatever, but nobody knows for sure if that's legally workable as far as I've been able to find out.
  10. free spirit

    free spirit more tea vicar?

    can you not just take the urban approach, but replace hob nob with cookie?

    "hi, welcome to eme's site, have a cookie..."
  11. Kid_Eternity

    Kid_Eternity "You might be a lord but here comes the king."

    The other problem is it's not clear just how intrusive an opt in has to be...but it says you can't just update your privacy policy...
  12. magneze

    magneze mnemonic beef

    Seems to apply to tracking cookies, but not login cookies. Google must be shitting themselves. Analytics is fucked, maybe targeted advertising too.
  13. RoyReed

    RoyReed Must fly!

    The ICO (Information Commissioner's Office) have a cookie warning at the top of every page - until you tick the box and click 'continue' but it doesn't stop you using the site. As eme said, their PDF gives some info but doesn't recommend any particular course of action.

    I've set up a test on my website in case any of my clients panic and want a cookie warning put on their sites:
    This effectively stops you using the site unless you click 'accept' and if you click 'decline' it takes you to a page that gives you the option to reconsider. It's based on some JS I found on Google Code, so anyone's welcome to it if they think it's useful.

    The fact that there's nothing on any other government sites (other than the ICO), the BBC or 10 Downing Street must say something.

    If anyone has any definitive info I'd love to see it.
  14. RoyReed

    RoyReed Must fly!

    My understanding is that it applies to ALL cookies. I might be wrong.
  15. editor

    editor Taffus Maximus

    It's totally pointless. People will just blindly click on 'accept' in much the same way as they click 'yes' to the pages of terms and conditions that come with software installation - and I suspect scammers will find a way to exploit that extra click too.
  16. Kid_Eternity

    Kid_Eternity "You might be a lord but here comes the king."

    Well the thing is Google along with Microsoft and Mozilla have brought this on themselves. They were asked to make the opt in at the browser level and basically said they couldn't be arsed and it'd take up resources to develop...this should be a browser level opt in. It's insane to expect 10s of thousands of websites to wrangle with this and the ICO, with its staff of 300 odd to try and enforce compliance...
  17. RoyReed

    RoyReed Must fly!

    Definitely pointless - as is the law - but if clicking 'yes' to Ts&Cs keeps you legal, then surely this would too. You'd just lose 90% of your traffic.
  18. magneze

    magneze mnemonic beef

    The presentation shared by eme suggests not.
  19. RoyReed

    RoyReed Must fly!

    The ICO cookie info PDF would suggest otherwise:
  20. magneze

    magneze mnemonic beef

    Yeah, it's not exactly clear is it.
  21. laptop

    laptop Freudenschade

    First-and third-party cookies, including login cookies, yes.

    There is an ill-defined exception to the requirement for consent for cookies that are "strictly necessary" for the provision of a service.

    I plan to add links saying that I use no cookies except when users are logged in, and except on pages bearing a "tweet this" button (these third-party cookies currently expire after a week).

    I think I'll say that I've abandoned plans for FaceBook integration because it'd be too much work to keep up with their ever-changing policies.

    From the guidance:

    Activities likely to fall within the exception

    • A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
    • Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested – for example in connection with online banking services
    • Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers.
    Activities unlikely to fall within the exception
    • Cookies used for analytical purposes to count the number of unique visits to a website for example
    • First and third party advertising cookies
    • Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored [get consent when they change a setting].
    The whole thing has the flavour of civil-service sarcasm: underlying message "these regulations are terribly written and we have no idea what they mean either".
  22. 2hats

    2hats ☢️

    I don't set/use cookies on the websites I build/manage. If I did I'd get users to agree to their use as part of some sign-up process, I suspect (in my case, I've no interest in tracking casual browsers).

    The JISC legal FAQ on the new regulations and this seminar Are You Ready For The New 'Cookie Law? (I suggest you download the high quality version) might help clarify things.
  23. joustmaster

    joustmaster offcumdun

    i think the channel4 site has added a thing for this..

    "Like most websites Channel 4 uses cookies. In order to deliver a personalised, responsive service and to improve the site, we remember and store information about how you use it. This is done using simple text files called cookies which sit on your computer. These cookies are completely safe and secure and will never contain any sensitive information. They are used only by Channel 4 or the trusted partners we work with."

    Then an accept and close button
  24. editor

    editor Taffus Maximus

    I imagine there's going to be untold businesses completely baffled by this law. It's an almighty pain in the arse.
  25. editor

    editor Taffus Maximus

    Here's an example of the kind of thing some websites are going to have to put up. I imagine users will just skim straight past it all, thus defeating the whole point of the exercise.
  26. mwgdrwg

    mwgdrwg THIS IS WHAT WE DO IN THE F.B.I.!

    I've done this, this is what I did:

    1) Check if cookies are enabled.
    2) If so, check whether user has previously "accepted" cookies on our site.
    3) If cookies are enabled but the user hasn't accepted cookies, then show the cookies banner on top of the page (some cookies, like the CMS session cookie, are already set, nothing I can do about it.)
    4) Only when user has accepted cookies can we set other stuff that uses cookies, like analytics, twitter/facebook buttons etc.
    5) Updated our cookies page with more info about each individual cookie.
    6) Change embedded YouTube videos to use "privacy enhanced mode", which won't set a cookie unless the user clicks play. Normal YouTube embed code sets a cookie anyway, so we've undone that.

    A right headfuck and a lot of work for no practical purpose whatsoever to be honest. Because of the different technologies around the site I had to write the same fucking script in asp, perl, and javascript.
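
The gating logic from steps 1 to 4 and the YouTube change in step 6 of the post above, as an added example that is not part of the original post and is not mwgdrwg's script. The cookie name, the third-party list and all function names are assumptions; the privacy-enhanced embed host is www.youtube-nocookie.com.

```javascript
// Added example: consent gating as pure functions, usable in a browser or Node.
// CONSENT_NAME, THIRD_PARTY and the function names are assumptions, not from the post.
const CONSENT_NAME = "cookie_consent";
const THIRD_PARTY = ["analytics", "twitter-button", "facebook-button"];

// Parse a document.cookie / Cookie header string into a plain object.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // skip empty or malformed pairs
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name && !(name in jar)) jar[name] = value; // first occurrence wins
  }
  return jar;
}

// Steps 1-4: decide whether to show the banner and which third-party scripts may load.
// In a browser, pass navigator.cookieEnabled and document.cookie.
function consentPlan(cookiesEnabled, cookieHeader) {
  if (!cookiesEnabled) return { showBanner: false, load: [] };
  const accepted = parseCookies(cookieHeader)[CONSENT_NAME] === "accepted";
  return { showBanner: !accepted, load: accepted ? THIRD_PARTY.slice() : [] };
}

// String to assign to document.cookie when the user clicks "accept" (assumes an HTTPS site).
function consentCookie(days) {
  return `${CONSENT_NAME}=accepted; Max-Age=${days * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Step 6: rewrite a YouTube embed URL to the privacy-enhanced host; leave other URLs alone.
function toPrivacyEnhanced(url) {
  const u = new URL(url);
  const isYouTube = ["youtube.com", "www.youtube.com"].includes(u.hostname);
  if (!isYouTube || !u.pathname.startsWith("/embed/")) return url;
  u.hostname = "www.youtube-nocookie.com";
  return u.toString();
}
```

Only the scripts named in `load` should be injected into the page, so a visitor who has not accepted gets the banner and nothing beyond the session cookie the CMS already set.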
  27. eme

    eme turn a frown upside down!

    But I can still use the Channel 4 website without clicking accept & close - much like the ICO website - so it seems pointless no?
    Kid_Eternity likes this.
  28. eme

    eme turn a frown upside down!

    ooof - way beyond my tech capabilities, so I'm back looking at that Optanon thing... for *every single client*

    There's a thread on Wordpress, but again, it's trying to work out exactly what is meant by the law; trying to unwoolyify it before coming up with an answer...

    Edited to add: Just found a free version like Optanon I think... Cookie Control

  29. mwgdrwg

    mwgdrwg THIS IS WHAT WE DO IN THE F.B.I.!

    I don't think anyone really knows exactly what is meant by the law. Not even those that wrote it! :facepalm:

    It's not as if cookies are the only way to uniquely track a user.
    eme likes this.
  30. Kid_Eternity

    Kid_Eternity "You might be a lord but here comes the king."

    The ICO recently said they don't have an enforcement team to go after orgs not in compliance. They also said they're not going to go after anyone based on number of complaints but they would look at different sectors and highlight good practice.

    This whole thing is bullshit.
    mwgdrwg and eme like this.
