
The UK Cookie Law debate – a storm in a teacup?

Let me start by saying that I will refrain from any further cookie-related puns such as “I prefer chocolate-chip ones” – they are old and tired and more than a little bit cringe-worthy. Besides, chocolate digestives are much nicer in my view… So, what’s the deal with the new cookie law? Why is it causing such a reaction? Well, it depends on which side of the browser you sit, really.

Mark Amory | 31 May 2012


Before we begin to dissect the issue, let's explain what cookies actually are for those who are a little unsure.

A cookie is a small piece of text that a web server sends to your browser when you visit a web site. The browser stores it on your device (PC, smartphone, etc.) and sends it back to that same server on later requests, whether you re-visit the site or move between its pages, which is how the server links your separate requests into one visit.

HTTP itself remembers nothing between one request and the next, so without cookies (or something very like them) e-commerce activities such as shopping or banking would be near impossible - cookies are VERY useful, and the web would be a much different place without them.

Cookies can also be used to track an individual's browsing habits and thus, over time, build an accurate picture of the sorts of things they might like to buy, with targeted adverts then placed into the web pages they visit. Some people like this idea of a personalised web experience, whereas others find it sinister that unknown entities are following their movements around the web.

Cookies can also be stolen, intercepted and/or altered by others to gain access to otherwise secured sites - this is the biggest risk associated with cookies. A session cookie is usually all a server has to recognise a logged-in user, so whoever holds a copy of it can act as that user until it expires or is revoked.

What's in a cookie?

The contents of a cookie can vary from seemingly random letters, numbers and symbols to human-readable data. In most cases the contents are meaningful only to the party that created the cookie - the web server - and are typically just an identifier that the server uses as a key into its own records.

When a cookie is presented back to a server, the server cross-references the data within it against information held in a database; the web page content is then generated on-the-fly based on that information.
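The round trip described above, as an added example that is not part of the original post: the server hands the browser an opaque session identifier, keeps the real data in its own store, and cross-references the identifier when the cookie comes back. Because the post names theft, interception and alteration as the biggest risk, the identifier carries an HMAC tag so that an altered cookie is rejected, and the cookie is marked Secure and HttpOnly, the standard attributes (not mentioned in the post) that stop it being sent over plain HTTP or read by page scripts. The names used here (SESSION_KEY, session_store, sid) are this example's own.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Server-side signing key. Assumption for this example: generated at start-up;
# a real deployment loads it from configuration and never sends it to the browser.
SESSION_KEY = secrets.token_bytes(32)

# The "database" the article refers to: session id -> the data the server
# actually cares about. Only the id ever leaves the server.
session_store = {}


def _sign(session_id: str) -> str:
    """HMAC-SHA256 tag over the session id, hex encoded."""
    return hmac.new(SESSION_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(user: str, basket: list) -> str:
    """Create a session, keep its data server-side, return the Set-Cookie header value."""
    session_id = secrets.token_urlsafe(16)
    session_store[session_id] = {"user": user, "basket": list(basket)}

    jar = SimpleCookie()
    jar["sid"] = f"{session_id}.{_sign(session_id)}"
    jar["sid"]["path"] = "/"
    jar["sid"]["secure"] = True    # only sent over HTTPS, so it cannot be read off the wire
    jar["sid"]["httponly"] = True  # hidden from page scripts, so injected script cannot read it
    return jar["sid"].OutputString()


def lookup_session(cookie_header: str):
    """Parse an incoming Cookie header, check the tag, and return the stored data.

    Returns None if the cookie is missing, altered, or refers to an unknown session.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "sid" not in jar:
        return None
    session_id, dot, tag = jar["sid"].value.rpartition(".")
    if not dot:
        return None
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(tag.encode(), _sign(session_id).encode()):
        return None
    return session_store.get(session_id)


if __name__ == "__main__":
    # Constructed demonstration data, not a real site.
    set_cookie = issue_session_cookie("alice", ["chocolate digestives"])
    print("Set-Cookie:", set_cookie)
    value = set_cookie.split(";")[0].split("=", 1)[1]
    print("genuine cookie ->", lookup_session(f"sid={value}"))
    print("altered cookie ->", lookup_session(f"sid=x{value}"))
```

Signing only detects alteration: a cookie copied intact by whoever can read it still opens the session, which is why the Secure and HttpOnly attributes and a short session lifetime matter as much as the tag. Run the file directly to see a genuine and an altered cookie being looked up.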

So why the law?

The reason the law was passed is that, until now, most people didn't even know that cookies existed, never mind why they exist. The law is designed to raise awareness of cookies so that people and their data can be better protected.

Up until now, web site owners could place as many cookies into their sites as they wanted, and these were automatically passed to all visitors without their "informed consent". It is this phrase that has seen the new legislation come into force: if people don't know that these files exist, how can they be aware of the risks associated with them and take appropriate action?

An excerpt from the "Cookie Guidance" document from the ICO explains the new law quite plainly:-

A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment-

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)

So, basically, you can't use cookies unless your visitors say you can.

From a website owner's point of view, a major coding exercise now has to be performed: the site must recognise when a visitor arrives, display a message informing them that it wishes to place one or more cookies on their machine, and state what purpose(s) the cookie(s) will be used for.

Because people may arrive at the site from all manner of directions, this code must be placed on EVERY page - not just the home page - a process that, whilst not especially difficult to achieve, will be time-consuming and costly.

But what if no consent is given by the user - then what? Is the site rendered unusable? Do only bits of it work? Will the user get redirected to some non-cookie-using version of the site? Or will they simply see a blank web page with a "sorry" message?

You can see from the above that a LOT of work has to be done by website owners to become compliant - I must point out the irony here in that many government-run websites are still NOT compliant!
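One way to structure the coding exercise just described, as an added example that is not from the original post: a single helper that every page handler calls (not just the home page), which reads whether a consent decision has already been recorded, tells the page whether to show the banner, and only emits the non-essential cookies once a "yes" is stored. The cookie names and the necessary/consent classification are this example's own assumptions, chosen to mirror the ICO categories quoted later in the post (basket and security cookies exempt; analytics, advertising and greeting cookies not).

```python
from http.cookies import SimpleCookie
from typing import Optional

# Assumption for this example: every cookie the site sets is classified in advance.
# "necessary" mirrors the "strictly necessary" exception (the basket, and the record
# of the consent decision itself); "consent" covers analytics, advertising and
# personalisation, which need a recorded "yes" before they are set.
COOKIE_POLICY = {
    "basket": "necessary",
    "cookie_consent": "necessary",
    "visits": "consent",       # analytics counter
    "ad_profile": "consent",   # advertising profile
    "greet_name": "consent",   # "hello again" greeting
}

CONSENT_COOKIE = "cookie_consent"
ONE_YEAR = 365 * 24 * 3600


def consent_state(cookie_header: str) -> Optional[str]:
    """Read the recorded decision: 'yes', 'no', or None if the visitor has not answered yet."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if CONSENT_COOKIE not in jar:
        return None
    return "yes" if jar[CONSENT_COOKIE].value == "yes" else "no"


def cookies_for_response(cookie_header, wanted, decision=None):
    """Decide what this response may set. Called by every page handler.

    cookie_header: the incoming Cookie request header (may be empty).
    wanted:        cookie name -> value the page would like to set.
    decision:      'yes' or 'no' when this request is the visitor answering the banner.
    Returns (show_banner, [Set-Cookie header values]).
    """
    if decision not in (None, "yes", "no"):
        raise ValueError("decision must be None, 'yes' or 'no'")
    state = decision if decision is not None else consent_state(cookie_header)

    out = SimpleCookie()
    if decision is not None:
        # Recording the answer is itself strictly necessary, so it is always allowed.
        out[CONSENT_COOKIE] = decision
        out[CONSENT_COOKIE]["max-age"] = ONE_YEAR
        out[CONSENT_COOKIE]["path"] = "/"

    for name, value in wanted.items():
        category = COOKIE_POLICY.get(name)
        if category is None:
            # Refuse rather than guess: an unclassified cookie is a compliance gap.
            raise ValueError(f"cookie {name!r} has not been classified in COOKIE_POLICY")
        if category == "necessary" or state == "yes":
            out[name] = value
            out[name]["path"] = "/"

    return state is None, [m.OutputString() for m in out.values()]


if __name__ == "__main__":
    # Constructed requests, not traffic from a real site.
    print(cookies_for_response("", {"basket": "item1", "visits": "1"}))
    print(cookies_for_response("cookie_consent=yes; basket=item1", {"visits": "2"}))
    print(cookies_for_response("", {"visits": "1"}, decision="no"))
```

The helper answers the "what if no consent is given?" question in the simplest way: the site keeps working on its strictly necessary cookies alone, and the visitor is not asked again because the "no" is itself recorded. Raising on an unclassified cookie is deliberate; it turns a forgotten cookie into a failing test rather than a silent compliance gap.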

Exceptions to the rule…

As with all rules however, there are exceptions. Another excerpt from the "cookie guidance" document states:-

There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

The guide goes on to give some examples of what events might be exempt from the new regulations:-

Activities likely to fall within the exception:

- A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
- Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested - for example in connection with online banking services
- Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers

Activities unlikely to fall within the exception:

- Cookies used for analytical purposes to count the number of unique visits to a website, for example
- First and third party advertising cookies
- Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored

Confused yet?

So a cookie can be used to remember that you have some virtual goods in your virtual shopping cart, but it can't be used to give you a friendly "hello" when you visit, unless you've given consent for it to do so!

Or do they?

This is where things start to crumble and dissolve (I know I said I wouldn't but I couldn't resist) For the past year, this law has been in place throughout Europe (our government granted a sunrise period of one year for sites to become compliant) and it stated that sites had to request "explicit consent", meaning that for each cookie to be used, an agreement had to be given by the visitor.

In light of the issues outlined above for website owners, the Information Commissioner's Office has now stated that sites need only obtain "implied consent", meaning that some sites don't have to give you explicit notification of cookie use so long as the site in question can reasonably assume that its visitors would already be aware that such a site would use cookies and would know what purposes they would be used for.

This places the responsibility for cookie use squarely in the hands of the web user, as basically all a website has to do now is have a message that says something along the lines of "We use cookies - use our site and we will put them on your computer - if you want to find out what we do with them, read our cookie policy".

From a web user's point of view then, EVERY (compliant) website they visit will now interrupt their browsing bliss with some form of pop-up message, or other obtrusive notification that will require some action to be performed that effectively grants consent to cookies being used.

So what will happen really?

In my opinion, not a lot - people will get tired of seeing the "cookie message" and simply give implied consent by just using the site. They might spend some time initially looking at what the cookies are going to do, but eventually will get bored of that and just continue browsing as normal.

So really - what was the point of bringing about a law that can't effectively be policed, is not understood by those it's intended to protect and is simply ignored by most? Add to all this the fact that "implied consent" goes against the ruling of the EU, and it means that there will be no rule for the rest of the world, one rule for Europe, and a slightly different one for the UK.

A simple public awareness video would have probably done the job better; I'm sure Charlie the cat would have done a better job of explaining what the brouhaha is all about, and he preferred fish bones to cookies.


Mark Amory

Cyber Training Delivery Manager

After leaving a career as a Mechanical and Electrical Engineer in 1998, Mark started out on a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft Office and Adobe products. In line with his background as an Engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics, a field he has remained in ever since. A natural progression of his career saw Mark start to explore the security aspect of his existing competencies, and since 2005 he has specialised in the Cyber Security domain. Mark has been the author of a number of QA Cyber Security courses and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH and is currently undergoing the process of becoming an NCSC Certified Cyber Professional.