Most of the time I am fairly much in favor of the EU. I’m an internationalist, and anything that gets up the noises of the jingoists at places like the Daily Mail and Daily Express has to be doing something good. Like most governments, however, it is often woefully ignorant when it comes to IT issues, and that means that it is prone to doing things that are monumentally stupid. Here is a case in point.
Last year the EU decided that cookies on websites were an unacceptable intrusion into citizen’s lives, and that all websites would have to gain consent from users before creating any cookies. The IT industry complained that doing this would require time, so they were given until May 26th this year to get their act together. Nevertheless, a KPMG survey published in April estimated that only 5% of major UK companies were compliant. The level of compliance is likely to be much lower amongst small businesses. Indeed, I suspect that vast numbers of small businesses, and private individuals who own websites, don’t even know that the law exists, and wouldn’t have a clue how to comply if they did.
What’s a cookie? Well, it is a piece of software that allows a website to store information in your browser and pass that information on, either from page to page on that site, to another website you visit, or simply back to itself next time you visit. It is a very useful tool. Yes, it can be used to install malware, or to harvest personal data, but sharp knives can be used to kill people and that doesn’t stop cooks using them on a daily basis.
To give you some idea of the problem, here are the different ways in which cookies are used on this website.
1. Google Analytics — this is a very useful piece of software that very many websites install to get an idea of the where their visitors are coming from. Google is apparently negotiating with the EU, but as yet no statement has been issued.
2. Spam prevention — one of my main tools for preventing comment spam uses a cookie.
3. Social media — those nice little buttons that allow you to easily share posts with your friends on Twitter, Facebook and Google + use cookies.
4. Comments — WordPress (the software on which this blog runs) uses cookies to remember your name, email and URL so that once you have made one comment here you don’t have to type those things in each time.
5. Links to other sites — those nice little widgets that allow you to click through and buy books from my bookstore? Yeah, they use cookies too.
So now I have to give you the option as to whether any of these cookies will be created so that you can opt out if you wish. Ideally I should do that individually for each type of cookie, because you might approve of some and not of others. And I have to do that before you interact with the site, so that no cookies can possibly be generated without your consent. And I may have to do it each time you visit the site because the only way to remember from one visit to another whether you consent to cookie use or not is to create a cookie, and you might not want me to do that.
See the problem?
It gets worse. All of those systems I mentioned above are supplied by third parties. I didn’t code any of it myself. I know that the cookies are there because I’m smart enough to know how to find them. Other people may not be. Ignorance, sadly, is no excuse under the law. I can’t change the code myself. All I can do is either disable the particular piece of software that uses the cookie, or turn the cookie off if such an option is provided. The spam blocker has provided an alternate mechanism that doesn’t use cookies but will be less effective at spam blocking. With the comments I can add text to every post noting that by commenting you are consenting to cookie use. But Google Analytics, the social media buttons and the bookstore links will have to go.
As is depressingly typical these days, the law is also very vague. It says that cookies are allowed if they are “essential†to the operation of the website, but what exactly does that mean? How essential does the cookie have to be? I can do without all of the above, it is just a total pain to have to do so.
Then there’s the scope. All of my websites are hosted in the US. The domains are registered in the US. But I’m a UK citizen living in the UK. Am I covered by the law? Probably, but I may not be. What about the bookstore? I don’t host that myself. It is part of the Shopify site. If it is covered by the law, then in all likelihood my LiveJournal account is too, and that has cookies all over it. What about my Twitter account? Or Facebook? The dividing line between a website that you own, and are responsible for, and one where you are simply a customer, is very blurred.
All of these things will doubtless be sorted out by test cases eventually, and hopefully common sense will prevail. However, I have no particular desire to be a test case (if you want to know why, see yesterday’s post on equality under the law). So I’m going to do my best to comply. This may result in various websites becoming rather annoying, for which I apologize in advance.
Oh, and before anyone mansplains me, yes, I do know that various people are offering tools to help you get around this. If you can find one that doesn’t use cookies to store visitors’ cookie preferences, and which allows visitors to choose which cookies to allow, please let me know.
I believe there is a ‘not’ missing in this sentence “The number is likely to be much higher amongst small businesses.”
Personally I tend to accept cookies manually in my browser, but even though that ought to be an indication that I know what I am doing that is not the case. I think I am stuck in a ritual that originated in good intentions, just like this regulation.
Good catch, thanks. I have hopefully made the point clearer as well as correct.
Alas, I honestly don’t understand your use here of “mansplain” . It seems a new, socially acceptable way to make me feel bad about my gender and degrade me for “typical male behaviour” (that I have seen folks of different genders engage in) even if I wasn’t going to reply at all.
I know what it means and how it is used and why it is used. It just feels like wilful gender maligning and it hurts me as a person an personally.
And don’t tell me to “man up”, please.
Sorry, but I get very tired of people assuming that I know absolutely nothing about computers, software, web design and so on. It happens all the time, and it is almost always men who do it. Talking down to people is indeed common to all genders (I know this because people talk down to me in all sorts of ways because they think I’m mentally ill and therefore can’t know anything about anything), but talking down to women on the assumption that they can’t know anything about technology is, in my experience, overwhelmingly a male habit.
Wow, I am feeling like a conspicuous target.
Is there any allowance for providing instructions to your visitors about blocking cookies, or must it be strictly opt-in from the moment they arrive?
As with everything else, it isn’t clear. But the general tone of the legislation is opt-in, and in the absence of guidance you have to assume that you can’t create any cookies without permission.
Unfortunately it isn’t enough, they have said that letting browsers block cookies isn’t enough. Nor can you use any cookie replacements (like localstorage)
Enough to drive one to drink ….
We have created a complete suite of solutions in order to allow people and businesses to gain compliance if they really want to do so.
http://demos.dev.wolf-software.com
And exactly as I expected, your solution relies on cookies.