Mark Amory | 31 May 2012
Let me start by saying that I will refrain from any further cookie-related puns such as “I prefer chocolate-chip ones” – They are old and tired and more than a little bit cringe-worthy. Besides, Chocolate digestives are much nicer in my view… So, what’s the deal with the new cookie law? Why is it causing such a reaction? Well, it depends on which side of the browser you sit really.
Before we begin to dissect the issue, let's explain what cookies actually are for those who are a little unsure.
A cookie is a small text file that is passed from server to browser when you visit a web site. The file is then stored on your device (PC, smartphone, etc.) and is passed back from browser to server when you re-visit the site or navigate throughout its pages to create a link between your different actions.
Cookies can also be used to track an individual's browsing habits and thus, over time, create an accurate view as to the sorts of things they might like to buy and ultimately have targeted adverts placed into the web pages they visit. Some people like this idea of a personalised web experience, whereas others find it sinister that unknown entities are following their movements through the web.
Cookies can also be stolen, intercepted and/or altered by others to gain access to otherwise secured sites - This is the biggest risk associated with cookies.
What's in a cookie?
The contents of a cookie can vary from seemingly random letters, numbers and symbols to human readable data. In most cases, the contents of the cookie are of no value to anyone/anything other than the cookie creator - the web server.
When a cookie is presented back to a server, the server cross-references the data within it against information held in a database; web page content is then generated on the fly based on this information.
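The round trip described above, as an added example that is not part of the original article: a server issues an opaque session cookie, cross-references it against its own store when it comes back, and rejects a value that has been altered. The names `SESSIONS`, `issue_cookie` and `lookup`, the in-memory store and the signing key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)   # assumption: secret known only to the server
SESSIONS = {}                          # assumption: stands in for the database


def _sign(session_id: str) -> str:
    """Keyed digest of the session id, used to detect altered cookies."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str) -> str:
    """Create a session and return the Set-Cookie header value for it."""
    session_id = secrets.token_urlsafe(32)   # opaque, unguessable identifier
    SESSIONS[session_id] = {"user": user}
    cookie = SimpleCookie()
    cookie["sid"] = f"{session_id}.{_sign(session_id)}"
    cookie["sid"]["secure"] = True       # only sent over HTTPS (interception)
    cookie["sid"]["httponly"] = True     # hidden from page scripts (theft)
    cookie["sid"]["samesite"] = "Lax"    # not sent with most cross-site requests
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def lookup(cookie_header: str):
    """Return the session record for a Cookie header, or None if invalid."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "sid" not in jar:
        return None
    session_id, _, mac = jar["sid"].value.partition(".")
    if not hmac.compare_digest(mac.encode(), _sign(session_id).encode()):
        return None                      # altered or forged value
    return SESSIONS.get(session_id)      # cross-reference with stored data
```

The cookie value means nothing outside the server that created it, which matches the point above: the useful data stays in the server's own records.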
So why the law?
The reason for the law being passed is that, until now, most people didn't even know that cookies existed, never mind why they exist at all. The law is designed to raise awareness of cookies to help protect people and their data better.
Up until now, web site owners could place as many cookies into their sites as they wanted which were automatically passed to all visitors without their "informed consent". It's this phrase that has seen the new legislation come into force. If people don't know that these files exist, how can they be aware of the risks associated with them and take appropriate action?
An excerpt from the "Cookie Guidance" document from the ICO explains the new law quite plainly:-
A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)
From a website owner's point of view, a major coding exercise now has to be performed: the site must recognise when a visitor arrives and display a message informing them that it wishes to place one or more cookies on their machine, and for what purpose(s) they will be used.
The fact that people may arrive at the site from all manner of directions means that this code must be placed on EVERY page - not just the home page, a process that, whilst not especially difficult to achieve, will be time consuming and costly.
But what if no consent is given by the user, then what? Is the site rendered unusable? Do only bits of it work? Will the user get redirected to some non-cookie-using version of the site? Or will they simply see a blank webpage with a "sorry" message?
You can see from the above, a LOT of work has to be done by website owners to become compliant - I must point out the irony here in that many government run websites are still NOT compliant!
Exceptions to the rule…
As with all rules however, there are exceptions. Another excerpt from the "cookie guidance" document states:-
There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
The guide goes on to give some examples of what events might be exempt from the new regulations:-
| Activities likely to fall within the exception | Activities unlikely to fall within the exception |
| --- | --- |
| A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket | Cookies used for analytical purposes to count the number of unique visits to a website for example |
| Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested - for example in connection with online banking services | First and third party advertising cookies |
| Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers. | Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored |
So a cookie can be used to remember that you have some virtual goods in your virtual shopping cart, but it can't be used to give you a friendly "hello" when you visit, unless you've given consent for it to do so!
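One way the per-page consent check could be written, as an added example that is not part of the original article or the ICO guidance: every response passes through a single function that lets exempt cookies through and holds the rest back until consent is recorded. The cookie names, the `cookie_consent` cookie and the `plan_response` function are hypothetical; the categories follow the examples quoted above.

```python
from http.cookies import SimpleCookie

EXEMPT = "strictly-necessary"
NEEDS_CONSENT = "needs-consent"

# Hypothetical inventory; a real site would list its own cookies here.
COOKIE_INVENTORY = {
    "basket": EXEMPT,                 # goods remembered for the checkout
    "lb_node": EXEMPT,                # load balancing across servers
    "visit_counter": NEEDS_CONSENT,   # analytics
    "ad_id": NEEDS_CONSENT,           # advertising
    "greeting_name": NEEDS_CONSENT,   # tailored greeting
}
CONSENT_COOKIE = "cookie_consent"     # assumption: records the visitor's choice


def plan_response(cookie_header: str, wanted: dict) -> dict:
    """Decide which cookies a page may set for this request.

    `wanted` maps cookie name -> value the page would like to store.
    Returns the cookies to set, those held back, and whether to show
    the consent message.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    choice = jar[CONSENT_COOKIE].value if CONSENT_COOKIE in jar else None
    consented = choice == "yes"

    allowed, withheld = {}, []
    for name, value in wanted.items():
        # Cookies missing from the inventory are treated as needing consent.
        category = COOKIE_INVENTORY.get(name, NEEDS_CONSENT)
        if category == EXEMPT or consented:
            allowed[name] = value
        else:
            withheld.append(name)

    return {
        "set": allowed,
        "withheld": sorted(withheld),
        "show_banner": choice is None,   # ask on any page until a choice exists
    }
```

Because the decision is made per request rather than on the home page, a visitor arriving on any page gets the same treatment, and a visitor who declines still keeps a working shopping basket.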
Or do they?
This is where things start to crumble and dissolve (I know I said I wouldn't, but I couldn't resist). For the past year, this law has been in place throughout Europe (our government granted a sunrise period of one year for sites to become compliant) and it stated that sites had to request "explicit consent", meaning that for each cookie to be used, an agreement had to be given by the visitor.
From a web user's point of view then, EVERY (compliant) website they visit will now interrupt their browsing bliss with some form of pop-up message, or other obtrusive notification that will require some action to be performed that effectively grants consent to cookies being used.
So what will happen really?
In my opinion, not a lot - people will get tired of seeing the "cookie message" and simply give implied consent by just using the site. They might spend some time initially looking at what the cookies are going to do, but eventually will get bored of that and just continue browsing as normal.
So really - what was the point of bringing about a law that can't effectively be policed, is not understood by those it's intended to protect, and is simply ignored by most? Add to all this the fact that "implied consent" goes against the ruling of the EU - it means that there will be no rule for the rest of the world, one rule for Europe, and a slightly different one for the UK.
A simple public awareness video would have probably done the job better; I'm sure Charlie the cat would have done a better job of explaining what the brouhaha is all about, and he preferred fish bones to cookies.