This Saturday, the 26th of May, the 12-month grace period ends for all European website owners to be compliant with the “EU cookie law” – as it’s known. For those in the dark, this is a directive handed down by bureaucrats in Europe who decided that website cookies were dangerous and users should be asked to opt into them before they can be served.
The law was sparked by the distaste for tracking cookies, or super cookies, that follow users from site to site, building profiles on them for advertisers. Understandably, the idea of big companies being able to build lots of profiling data without users’ knowledge sets privacy campaigners’ teeth on edge.
The problem is, we now have a law whereby every website must invite users to opt in to cookies before they can be used. In principle, not a bad thing, but in practice it’s proving to be unworkable, as the blind lead the blind in trying to explain what exactly it is, how to technically code for it and how to implement compliant warnings.
The poster child for how to do this ought to be the Information Commissioner’s website because they are the ones to enforce the law. Their site at www.ico.gov.uk serves a box at the top of every page with a warning and a tick box – if you leave it unticked, the site won’t serve any cookies.
Take note that those three links do not come with a cookie warning when you click on them. Also, what’s the point of detailing individual cookies so diligently if you cannot opt into them individually? On the ICO website, you can either accept all cookies or none. So, if cookies are needed to make the site work, you have to live without them if you want to block, say, a Google Analytics cookie.
This week people have been promoting the FT.com’s implementation as a fine example of how it should be implemented. You can see an image below of how the warning appears when you access the FT.com home page.
The problem with this method is that it only seems to work on the main domain. At the time of writing this, if you access the site through a sub-domain, the warning doesn’t pop up. See, for example, here.
The law offers a variety of interpretations. As a website owner you can do what the ICO has done and block cookies completely until the user ticks the box; you can explain how to block cookies in the browser, as the FT has done; you can also get more technical if you wish and let users make individual cookie choices. The main thing is that you must be seen to be doing something from 26th May or it will be like driving while using your mobile – illegal even if you don’t get a penalty.
The FT route (tell them cookies exist and let them use the browser) is the best route because the ICO’s method is unworkable for most sites. The Government websites (most of which will not be compliant in time) don’t carry lots of third-party social widgets and network ads, so they have more control of the cookies they serve, but most commercial websites can’t block all cookies or their business models would die.
Also, what about the widgets served into your website from US social networks, which do not come under EU jurisdiction? What about website owners whose sites are hosted on services such as Blogger, WordPress, Amazon Webstore or eBay? How are they supposed to comply with the new laws?
It’s all bunkum. If the EU bureaucrats that devised this law understood the internet, they would have simply created a method for users to administer a privacy layer in their browser. That, after all, is the easiest solution. You can visit one website that blocks cookies but the next one you visit might be serving them. Far better to equip users with knowledge and tools to do it on the PC. The laughable truth, of course, is that that control already exists in browsers.
Good luck everyone in whichever compliance path you choose. The International Chamber of Commerce has produced a fairly digestible document to help. You can download the PDF here.