Nearly all UK business websites now technically illegal (EU sites to follow)

On the 26th May the rules on the use of cookies changed for UK businesses. You now have to explicitly ask every visitor to your website if they want to opt-in to ‘non-essential’ cookies. This includes tracking and analytics cookies. The penalty for not doing so is a fine of up to £500,000.

No, I’m not joking (unfortunately). You can read some rather vague official guidance about it from the Information Commissioner’s Office here:

Changes to the rules on using cookies and similar technologies for storing information

You can also see the ICO’s implementation of this policy on their own website, complete with a ghastly pop-up.

So it seems that we are going to have to show a hideous and scary pop-up to every visitor that comes to our site. Nearly all of these visitors will inevitably choose the less scary sounding default and opt-out (why would they opt-in?) which means that our precious tracking and analytic data will suddenly become a lot less useful. So a less pleasant user experience for customers and a huge reduction in useful data for vendors. And to what benefit? I really don’t mind if vendors collect aggregated data about how I arrived at their site or what pages I visit while I am there. The more I read about the new rules the less workable and useful they sound. It looks like the sort of monumental, fur-lined, ocean-going, balls-up that only governments are capable of.

The situation remains fluid at present. The introduction of this new law has been so shambolic that the UK government is giving businesses 12 months’ grace before they start enforcing it. I don’t even know if the ruling applies to businesses based in the UK, web servers based in the UK or any website with UK visitors (if you do know, please comment below). Perhaps Google et al will dream up a technical solution that keeps the EU happy without me having to make any changes to my website. Maybe pressure from businesses will force the government to back down. Perhaps someone will find a loophole (e.g. setting up a company outside the EU to host your website). Or maybe so many businesses will ignore this ridiculous law that it will be unenforceable. I am going to wait a few months to see how things play out.

This change in the law comes from an EU directive, so any of you reading this in EU countries other than the UK can stop smirking – it is coming your way as well.

(Photo by Delfi Jingles, some rights reserved)

50 thoughts on “Nearly all UK business websites now technically illegal (EU sites to follow)”

  1. Hristo

    If visitors don’t want cookies, they can disable them by not accepting them. Problem solved.

    If cookies were such a huge problem, authorities should enforce more stringent work on the browsers’ part – just like IE9 refusing to download unsigned executables.

    1. Brian Grove

      Hristo.

      That doesn’t work.
      Simply disabling cookies prevents some sites from working unless you are expert enough to know which you can disable.
      This law specifically refers to cookies which are not essential for the functioning of the site, like tracking cookies.

      And why should the onus be on the site visitor anyway?
      If a site wants to put something on MY computer to track me they should have to ask MY permission, just as the law says. Most of the advertisers forget who BOUGHT and PAID FOR my computer and it wasn’t GOOGLE (the biggest criminals of the lot)

      I wonder if the US and Canadian governments will have the courage and honesty to follow suit? Given their non actions against Microsoft’s crimes, I doubt it. I guess their governments are bought and paid for by big business

      1. Hristo

        Brian,

        you don’t need cookies to track visitor behavior. Outlaw cookies and different solutions will be developed. You can track visitors through session_ids, ips, browsers, screen resolutions and what not.

        If you cannot optimize your site for sales, then you’ll profit less and may need to raise prices, go out of business etc. In effect, these tracking cookies are quite essential for businesses.

        The whole thing won’t solve privacy matters, just make the same task more complicated, but still doable. Typical bureaucracy thinking.

        1. Brian Grove

          All you are telling me is that the law needs widening to make illegal a site keeping ANY identifiable details of visitors without their explicit permission.

  2. Brian Grove

    As far as I’m concerned no reputable site needs tracking cookies. When I shop in a supermarket, they don’t hide things in my basket to report back to them next time I visit them to tell them where else I’ve shopped, yet some tracking cookies do that.
    I’ve run sites, both commercial and charity for many years and have always avoided these unethical spies.
    FINALLY (and it’s not unfortunately) a government has chosen to put our rights ahead of the demands of unethical commercial sites and their advertising industry buddies.

    Unfortunate for the unethical. Great news for decent people.
    It appears the author of this article is one of the former

    1. Christopher Bruno

      Without cookies, there is no way of knowing which adwords campaign convert to buyers (hence no conversion optimization). This is going to make online marketing less targeted, and more expensive.

      Like the previous poster mentioned, if you don’t like cookies, you can already disable them. If people don’t know this, let the government educate them (never mind its track record with education). You don’t need overreaching government to protect people from everything.

      Businesses are out to make money. A measure like this will only hurt honest businesses using the data to streamline. Unethical people will continue to be unethical.

      1. Vladimir

        > Without cookies, there is no way of knowing which adwords campaign convert to buyers

        Actually, this is not true. You can define a slightly different landing page URL for each campaign (like website.com/?camp1, website.com/?camp2, …) and use a decent log file analyzer instead, with similar accuracy. In fact, in my experience, this is even more accurate than cookie/JavaScript tracking.

        1. Christopher Bruno

          What if a user lands on a special page via a text ad, for the first discovering of your product, then uses the direct URL to the main product site a few days later and makes a purchase? Without cookies you wouldn’t know how the customer first found your site.

          1. Christopher Bruno

            Unless you’re using IP tracking and cross-referencing IP addresses, which is probably more invasive than mere cookies.

          2. Vladimir

            Yes, by using IP address. Not perfect, I know, but neither is relying on permanent cookies, especially third-party (what are default browser settings these days?).

            I don’t think that IP tracking is more invasive. Webmasters don’t have means to link IP with a specific person’s age, gender, occupation, friends, address, name, email…

            BTW, I’m not defending the law. IMHO, it’s perfectly legitimate for companies to use cookies to store any information that visitors left on their website. However, it’s absolutely not acceptable to allow third-party analytics servers to collect such information and do their own analysis.

      2. Brian Grove

        Christopher. I can’t place a bug in your shopping basket if you enter a store, to spy on you until you return to the store.
        Why should your site be allowed to invade my privacy in that way which would be a severe criminal offence if you did the same OFFline?
        Worse still, those cookies are on MY computer, which is MY property, not yours. Give us all free rein to enter and use your house as I wish and I might be convinced that you should have the right to use my computer.
        The government has law against trespass, theft, and many other laws to protect our property. It is government’s job to stop businesses using MY property without my permission. That’s not overreaching, that’s simply doing their job.

        1. Christopher Bruno

          I don’t have the right to put a cookie on your machine as I can’t force you to enable cookies.

          1. Brian Grove

            Most users cannot manage complicated settings which will allow SOME cookies, for logging into email or making a purchase from a shopping cart, and most browsers are very limited in their available settings.
            Browser settings were looked at in respect to the law and it was found that they simply weren’t specific enough.

            Because of the way businesses have designed sites, we HAVE to allow some cookies or they won’t work.
            But we should have the right to say YES to tracking before anyone is allowed to track us.

    2. Russell Thackston

      Brian,

      Unfortunately, technology has not settled on a secure, effective way to manage session-related concepts, like shopping carts, without the use of browser cookies. Yes, browser cookies pave the way for many technologies, such as visitor tracking, but they also support other useful features, such as remembering who a visitor is when they return.

      From your response (“Great news for decent people”), I assume you have cookies disabled in your browser. It must be fun repeatedly logging in to every site you visit. And I assume you don’t shop online at places like Amazon.com, which require cookies.

      Bottom line: The concept of banning browser cookies because of visitor tracking is analogous to banning cars because they can be used to stalk people. In other words… stupid.

      1. Brian Grove

        Bottom line
        A car CAN be used to stalk people and stalking is illegal.
        A cookie is DESIGNED to stalk people, and worse, it does it by STEALING space on my computer without my permission.

        When will businesses and advertisers get it into their heads? My computer is as much my property as my house (more so, I’m renting my present house!). You don’t have a god-given right to use my computer for your purposes unless I give you permission.

        If you believe otherwise, please leave your names and addresses below and I’ll publish them online. I’m sure there are plenty of burglars who would be glad to know you don’t believe that anyone should have the rights to property they own.

        1. Andy Brice Post author

          >it does it by STEALING space on my computer without my permission

          A 4K cookie uses about £0.0003 of storage. I suggest you send them a bill.

          1. Brian Grove

            so I can steal a part of your house, so long as it’s only a tiny part and you’ll just bill me for the rent?

            Of course not. You’d have me prosecuted for trespass or burglary.

            1. Andy Brice Post author

              Using your strained analogy, it would be analogous to you taking a piece of gravel off my driveway and bringing it back 30 days later. I don’t think I would prosecute.

        2. Russell Thackston

          Brian, I’d like to have a reasonable discussion with you about this… Let’s see if it happens.

          First, someone who actually thought about the way our world works decided that outlawing *stalking* was a better solution than outlawing *cars*. Maybe we should try the same thing with cookies. Instead of outlawing cookies (which have perfectly ethical uses), why don’t we create legislation that addresses the privacy concerns (the actual problem you are so upset about).

          Second, by setting up your computer to accept cookies, you *are* giving websites the permission to use the space. You have every right to turn that feature off. Furthermore, if you don’t like the privacy policies of a business, you do not have to visit their website. So, in short, a cookie is not “stealing.”

          Lastly, a cookie is not “designed to stalk people.” If you’d like to engage in a factual discussion, first do a little research. Since you probably don’t have the time or the interest to do so, I’ll help:

          “The term “cookie” was derived from “magic cookie”, which is the packet of data a program receives and sends again unchanged. Magic cookies were already used in computing when computer programmer Lou Montulli had the idea of using them in Web communications in June 1994. At the time, he was an employee of Netscape Communications, which was developing an e-commerce application for a customer. Cookies provided a solution to the problem of reliably implementing a virtual shopping cart.”

          From http://en.wikipedia.org/wiki/HTTP_cookie (and verified at the ACM.org website for accuracy).

          1. Brian Grove

            The new law makes a distinction between tracking cookies and cookies required for the functionality of the site (like logins or shopping carts)
            All of you mentioning shopping carts are therefore arguing under a false premise. The new law ONLY affects cookies which are not for the functionality of the site, but for tracking its users.

            At the moment, browsers do not allow us the possibility of allowing some types of cookies and not others.
            Increasing use of flash cookies, which can store MUCH more than normal cookies and cannot be disabled (or even looked at) in most browsers is actually what brought about wider calls for this legislation
            Normal tracking cookies ON THEIR OWN are not a great threat to privacy. But when their data is gathered together by companies like Google (and others, I only mention Google as they are the biggest), it allows THOSE companies to build a detailed database entry on any one of us.

            If a company asked me on their site whether their site could keep a record of the pages I used on their site and explained that it was to study the flow of use on the site etc etc, I’d say yes, no problem. But I should have the right to say yes or no. And I would say no to multinational analytical companies (who, incidentally, share very little info with the individual site owners anyway.)

            It is worth noting that the upsurge in the use of TRACKING cookies came about when more people began using programs to prevent spyware, which previously did the same job.

            On privacy legislation, there is already legislation requiring sites to divulge their use of cookies to users. The problem is, most sites hide that simple info in long-winded privacy statements, usually coated in legalese which even I as a law graduate find hard to unravel.

    3. Steve

      Supermarkets don’t put things in your basket to track you – they put it in your wallet. It’s called a loyalty card, and people like Tesco know huge amounts about you and your shopping habits.

      1. Brian Grove

        As far as I know, no supermarket forces us to use their loyalty card in order to enter their store. They have to persuade us to sign up.

        That’s the situation the new law requires, that sites have to persuade us to allow them to track us.

        Sounds fair to me, to treat sites the same as offline businesses instead of allowing them to remove all rights from their users

    4. Jasper

      Supermarkets may not slip things in your basket, but they do use loyalty cards in much the same way sites use tracking cookies.

      1. Brian Grove

        I’ve already replied to this as Steve said the same thing

        My reply was

        As far as I know, no supermarket forces us to use their loyalty card in order to enter their store. They have to persuade us to sign up.

        That’s the situation the new law requires, that sites have to persuade us to allow them to track us.

        Sounds fair to me, to treat sites the same as offline businesses instead of allowing them to remove all rights from their users

  3. Scott Herbert

    Here’s my solution: each page checks for the existence of a cookie (a new one). If it doesn’t exist, the user is directed to a page telling them they have to agree to cookies or the site won’t work and that you have to add a new cookie to get them past this point, explain it’s stupid, and give them a link to email the EU and the IOC to complain if they think it’s a pointless, bureaucratic waste of time.

    1. Brian Grove

      Actually sites were already supposed to (by previous laws) tell us HOW they use cookies and why they need them.
      I trust you’ll also include a link so we can contact them directly to complain about their misuse of OUR computers and our privacy.

  4. Gobala Krishnan

    You’re absolutely right, only government can come up with something like this. Cookies have been an integral part of the Internet experience for a long time now, and 12 months is too short to find an alternative.

    Every time you log in to Gmail there is a cookie. Facebook uses cookies too.

    1. Brian Grove

      Google is the worst offender for tracking so of course gmail uses them.

      The law is NOT talking about cookies necessary for functionality, like in a shopping cart.
      And nobody is going to say no to keeping a cookie to enable them to go straight to their email.

      It is NOT government’s job to educate us on how to avoid businesses trying to exploit us. It is government’s job to make laws protecting us from unfair exploitation. As they have always done for centuries in most of the consumer rights acts. Or are those of you up in arms about this wanting to strip consumers of all other rights too?

      1. Christopher Bruno

        Define unfair exploitation. A cookie is one way to let a website know about how you found/use the site so for a better user experience. They can be turned off. Now the IRS gets to know everything about me financially and this cannot be turned off. You are up in arms about the wrong things. A website owner hardly has much power to exploit.

        1. Brian Grove

          To be honest, it’s not the guy running the website I’m worried about, it’s huge companies like Google, who already have massive databases on us, and even build their browser with built-in code which tracks us. (This is why privacy campaigners made IRON, a browser built on the same open source code as Chrome, but without the spying capabilities which you CANNOT disable on Chrome. In Chrome you can stop other people spying on you, but not Google.)

          As for the IRS – to fulfill their legal duty in taxing your income correctly, they need to know about your finances because most people won’t tell them everything voluntarily.

          Companies like Facebook and Google develop new tricks all the time to get info on us and sell it.

      2. Elizabeth Buckwalter

        Governments have not been protecting consumer rights for centuries.

        Analyzing client usage is an important component of a successful online business. The problem with this law is that violations will be argued in court for quite some time. Only the largest companies have the funds to do this, so, like most laws like this, only the small businesses will suffer.

        Your arguments are irrational and uneducated. Please try harder.

        1. Brian Grove

          I’m so sorry. I’m merely a law graduate who, as well as successfully arguing a case of my own up to the High Court while still a student, also ran offline and online businesses for around 20 years (until I gave up to run my wife’s animal refuge after she died), so I guess I’m uneducated and know nothing.

          If you are referring to governments narrowly as in parliaments not having protected consumers for centuries, you are correct, but government in the UK includes the judiciary, whose earliest rulings on what would NOW be considered consumer rights go back several centuries. Of course, the term itself was not known at that time.

          I don’t object to a company analysing my usage of their site if they ask me for permission and I grant it. Forcing me to allow analytical companies OR not use the site at all is unacceptable, as the new law states

  5. Ryan

    @Brian – I was going to draft an eloquent rebuttal but thought better of wasting my time. As avoiding anyone ‘spying’ on you is so important then I doubt you will see it – you must be living off grid? Perhaps in a cave somewhere remote, cooking the spoils of your hunt over a fire?

    1. Brian Grove

      When you have something sensible for me to reply to, I’ll gladly respond.
      As my original comment made clear I’ve been running online businesses for years and managing sites for others doing the same.
      Funny how I always managed to do it without stealing space on my potential customers’ computers isn’t it?

      1. Jonathan Matthews

        Brian,

        I just went to your website and it downloaded several images into MY local cache without MY consent. Please make these images opt-in only.

        Also I believe my IP address may have been stored in your Apache logs. Please delete it.

        1. Brian Grove

          If you go to a site, and you use a browser which caches everything, ANY site will leave images in your cache.
          There are browsers that allow you to surf without caching everything.

          There are NO browsers which allow an ordinary non expert user to pick and choose cookies and opt out only of tracking ones as the tracking companies quite often change their server URLS much like other malware companies.

          As for things like Apache logs. A couple of big differences – ONE, unlike Google analytics, I don’t ever even look at them or use them, TWO, they are built into all servers unfortunately and there is no way for a site owner to avoid them without designing their own servers.
          Site owners OPT IN to tracking companies. If there was a law forcing hosting companies to make it possible for site owners to disable apache logs, I’d be glad to have the chance to do so.
          Out of interest, after reading your comment, I DID go to have a look at the apache logs. They do not contain individually identifiable data. Cookies, especially flash cookies which can only be disabled by the user by disabling flash completely (impossible for many sites) usually DO contain individually identifiable data

          1. Stephen Kellett

            > They do not contain individually identifiable data.

            Brian,

            No cookie on your machine identifies the visitor as Brian Grove. Same thing as you are arguing so that you don’t need to do anything with Apache. Your argument is so broken. You sound like a clone of Richard Stallman complaining about “damage” that is so minimal it doesn’t exist.

            My use of Analytics simply allows me a slightly easier way of working out which pages on my site are important than me parsing the log files from Apache with a program I wrote to do the same task. And the results displayed do not and cannot identify any individual. The results are displayed and interpreted in aggregate.

            1. Brian Grove

              A cookie can identify the machine used and when cookie data is gathered together by companies specialising in doing so, that data can be used to identify individuals.
              But if YOUR usage is harmless, then simply tell visitors what you are doing and give THEM the choice, just as supermarkets give US the choice to take or not take their loyalty cards.
              This isn’t about government versus business. It’s about the user having the right to CHOOSE. It’s worrying that so many businesses are up in arms about giving rights to their customers. But then businesses were up in arms about the data protection act when that was passed to prevent abuse of data OFFLINE.

      2. Matt

        Except if they cached your pages, you did “steal” space from them, and more space than a single 4k cookie, too.

        Your argument that companies are stealing space on their visitors computers is ignorant, ill-founded and demonstrates a fundamental misunderstanding of the way browser software works.

        Furthermore, if you are mainly concerned about big companies tracking your activities, then you’ve also failed to realise that due to their large market share, they can use browser fingerprinting to identify and track users.

        In short, the new law hurts the little guy, is unenforceable and a massive waste of resources.

        1. Ben

          I think Matt has the nub of it right there in the last paragraph.

          If we take the new law at face value, I, as an infrequent blogger, must suddenly implement a whole new equivalent of google analytics to get some understanding of which parts of my blog people are interested in. Have I the time? Have I the computing resources? Have I the skills? Does my provider (which happens to be blogspot) have the capability for hosting the extra logic/applications/services for me?

          No to all those (with perhaps the skills question), therefore, as the solo ‘little guy’, I lose out, but the big commercial organisations just spend a few dozen man-weeks adding the pages and logic.

        2. Brian Grove

          As I said in another reply, your argument that they can do the same thing with other methods like browser fingerprinting only means that we need a wider stronger law against ALL types of tracking and spying on us.

          Actually the law doesn’t hurt the small guy. If properly enforced, it WILL hurt huge multinational tracking companies.

  6. Ryan

    You’re never going to convince Brian – he’s got a very entrenched, almost religious, view on the subject.

    And no offence to you Brian – you’re entitled to your view. Out of interest how does the shopping cart for rescue dogs work ;)

    As soon as my govt can actually tell me how I can comply with their law I’ll be sure to do so.

    That’s the ridiculousness of it – they admit they don’t know how to comply. It’s like a speed limit sign that says “??? Guess!”

    1. Brian Grove

      Shopping carts (and certain other cookies) are specifically EXCLUDED from the law as cookies are necessary for the function of that part of the site.

      Tracking cookies are not necessary for the site to function but ONLY to track users.

      How to comply with their law? That’s easy. Remove Google Analytics and any other spyware from your site until Google complies with the law. If it affects their business, they’ll soon produce something for site owners to implement.

  7. Mike Sutton

    Why does this only apply in the online world?

    If I go to the pub, the publican says hello, remembers my name and could even pour my favourite tipple without me saying a word.

    Surely this kind of outlandish invasion of privacy also needs to be curtailed?

    1. Brian Grove

      It DOESN’T. If the publican keeps records of your visits or data, other than his own memory, he is required to register as a data user and justify that user. There are then laws and rules protecting you, the customer, in regards to how he may use those records. You also have rights to see what is being kept about you.
      Google and the other spy companies don’t follow any rules to protect us and we don’t have any rights with regards to the records they keep, until now.

  8. Tom

    Is the definition between functional and tracking cookies that distinct? Precisely what is defined as ‘tracking’? A good example is Amazon, they remember who I am using a cookie (regardless of whether I have signed in or not, assuming I am using the same computer). And once I have signed in they don’t add another cookie, just load all the statistical data that they have on me and display custom ads and recommendations. If I remove the cookie the tailored ads will go away, but so will my session, and I’ll need to log in again, but then all the recommendations and tailored ads will be back.

    What’s the government’s stance on this? Is it a tracking cookie or an essential cookie? Surely it’s both?

    Tom

    1. Brian Grove

      You’d have to read the guide which is freely available from the link in the original article. It makes it clear that essential cookies will be looked at strictly. From what you say, the Amazon cookie is probably a tracking cookie but they’ve deliberately designed their site to work with it. That doesn’t make it essential as their site would work on a first visit when there is no previous data.
      Intentionally making a site not work without tracking cookies to try to convince a court that they are essential won’t wash.

      1. Charlie B

        Actually, it won’t work. There is no meaningful distinction between a tracking cookie and a session cookie in this case. Session cookies are technically required to enable any login functionality, but a site can use that data to track users just as effectively.

        Brian, I agree that user tracking is an issue and should be opt-in. The problem I have with this law is much more fundamental.

        The ICO guidelines state that information (cookies) can only be stored on users’ computers if “strictly necessary”. What does this mean? I could argue that nothing is strictly necessary until a user logs in (and potentially not even then – you could require a user to log in on every page to avoid cookies).

        To go back to the shopping cart example… is it strictly necessary to store cookie data about a shopping cart for users? I would say no. I could design a very hard to use system which forced users to fill out all payment, shipping, and product data on a single page, and thus not require a cookie. However, none of this data would carry across to other pages in the site, and users would have to fill this out for each product they wished to buy. Thus, it seems the cookie is not strictly necessary for the site to function or a customer to purchase a product… but it is also not a very good site design.

        Secondly, as you mention, this law does not address the fundamental problem of user privacy, but does impact site usability even for non-tracking sites. Thus, sites which are currently not tracking users are penalized for using cookies for other, user-friendly, purposes, but those who wish to track users can continue to do so unimpeded using methods other than cookies.

        Wouldn’t it be a better law if it did not specify technical solutions, but only addressed the underlying privacy issues, no matter the form?

        For instance, would it not be better to require sites to make users opt in if they were being tracked in any way?

        Finally, the law does not seem to specify cookies, but rather “information in the terminal equipment of a subscriber or user”. I think this also applies to the images you mentioned before, as they are cached, and thus stored information on a user’s computer. As a site owner, you do have control over whether these images are stored on the end user’s PC. You might want to consider setting all your site content to no cache, to prevent all browsers from caching, or ask users to opt in to caching.

        Of course, I have no legal training, so I might be muddling the issue. But a layman’s reading of the linked document gave me these impressions.

        1. Brian Grove

          I’m in agreement with pretty much everything you say, though from what I can gather from their advisory document, cookies which serve a genuine purpose like logging in and in a shopping cart will not be targeted by this law which is aimed at items on a site (not only cookies) which are primarily designed for tracking.

          As I see it, it’s a step forward, albeit a far from perfect one.
