
Cookie law makes most UK websites illegal: what you need to know - Garbage
http://blog.silktide.com/2011/05/cookie-law-makes-most-uk-websites-illegal-what-you-need-to-know/
======
sp332
I hope UK websites don't start working like this:
[http://www.davidnaylor.co.uk/eu-cookies-directive-interactiv...](http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html) (Don't click the checkbox, read the texts and keep clicking OK)

------
eiji
What am I missing?

Example 1: Amazon uses a cookie to keep track of login and a shopping cart. ->
No popup since they are essential.

Example 2: foobar.blog.com uses cookies to track me (ad-banners and
analytics). -> Popup to ask for my consent for those "useless" cookies.

Now I understand that the "useless" is somewhat debatable, but I very much
welcome the discussion. This is not about breaking the web, and postponing this
law is a good idea, but I look forward to starting to clean up the cookie mess.
"Do not track" and "don't accept third-party cookies" gets us half the way,
but since the web industry does not react to the European pursuit for high
privacy standards, it might be a good time to suggest some laws to create
pressure.

What law would I suggest? Primary cookies (example 1) are okay without a
popup, secondary cookies (example 2) either expire on the same day, or need a
popup to ask for permission to stay on my computer for longer than a day.

~~~
dangrossman
How many sites have Google Analytics or something similar? I would argue that
analytics are as essential to the operation of an online business as shopping
carts. Allowing a large portion of your website users to opt out of analytics
effectively cripples you compared to competitors based out of countries
without these restrictions.

~~~
eiji
Fair enough! But let's separate between session-specific analytics, and
lifetime analytics. As a person concerned about privacy, I don't care much
about "your" analytics about click-through and how long I stay on your site
and what I click and what not, this is session specific, and helps you with
your business. However, this should be possible with "one-day" cookies. You
don't need to know that I was on your site a week ago, and that I happen to
leave your site with a full cart for some reason, or that the last banner with
food did not work on me, so this time you'll try the car-banners.

~~~
dangrossman
So you think that MixPanel, KissMetrics, Google Analytics and all the other
advanced analytic services provide no essential value to both the site owner
and the public?

A/B tests last more than a session (if you return to the site 30 minutes later
after doing some research, you want to see the same site, right?). Cohort
analysis requires tracking how people use your website for months or years to
see the effect of changes on long-term activity and customer retention. Simply
tracking the effectiveness of your own advertising efforts (how many and which
campaigns contributed to this sale? what's the lifetime value of a customer
from this source?) requires multi-session tracking. Many purchases happen days
or weeks after someone initially clicked an ad leading to your site.

Now it's possible to do some of that kind of analysis without cookies, but it
requires you building and running all the tracking and reporting on your own
server. To expect even a tiny fraction of the site owners that can currently
plug into KissMetrics/MixPanel/Google Analytics/Optimizely/etc. to build out
the same capabilities in house is absurd.

None of this has to do with serving customized ads to you, yet you are arguing
that companies in the UK should not be able to do any of that, and they won't
be at a disadvantage compared to the rest of the world?

~~~
eiji
Sure, this would be a huge disadvantage. But that is no reason not to have a
discussion about it. The HN community relies heavily on analytical services,
and there is a bias against privacy advocates or anything that would bring
change to how the web functions right now. The www does evolve, and some
decisions from the past may have to be reverted.

Would such a change be difficult? Would it shift the burden of analytics?
Sure!

But be open minded: The real world is full of analytics, but for most of them
you have to opt-in. When I go into a bank, I don't want the bank to know that
I was rejected 10 times that same day somewhere else. I want a fair chance on
my loan. I don't want my girlfriend to know that I browsed a webstore for some
medication a week ago. Analytics providers could know all that. And they can
reassure that they will not use that information, but the point here is to
prevent the accumulation of it in the first place.

What would happen if someone hacked an analytics provider, and put all
this stuff online? Type in an IP address, and I give you all I know about that
IP address. Nobody is doing it, because the data is anonymous, so it's hard to
cash it in. But it certainly would destroy some lives or marriages.

I believe the problem the legislator is trying to solve here is to prevent the
cross-referencing that analytics and ad providers facilitate across different
web pages. And I believe this is an honorable goal.

~~~
ehutch79
> When I go into a bank, I don't want the bank to know that I was rejected 10
> times that same day somewhere else.

The bank does know this; it'd be in your credit report.

Also, ad networks are worse than the analytics companies.

~~~
dave1010uk
Off topic: It used to be that your credit report was only updated every 24
hours so if you were denied credit at a bank your best bet would be to go to
other banks that same day. I guess it's faster now though.

------
chalst
Enforcement has been delayed by a year. See, e.g.,
[http://media.cbronline.com/news/ico-tins-cookie-law-till-nex...](http://media.cbronline.com/news/ico-tins-cookie-law-till-next-year-260511)

Previously on HN:

1\. Stupid EU cookie law will hand the advantage to the US -
<http://news.ycombinator.com/item?id=2304341>

2\. Europe's war on cookies -
<http://news.ycombinator.com/item?id=2535837>

The discussions here on HN were more useful, I think, than the linked stories.

~~~
benjash
ICO is literally a mile from my house. Might pop round with some cookies.... a
present for crippling UK industry.

It's not like we're running behind already. Let's just nail that coffin fully
shut.

~~~
yahelc
Be sure that they're made aware of what's in your cookies, and have given full
consent to receiving them.

~~~
nkassis
Yeah, they might arrest you for 90 days and figure out if they are spiked with
poison or something. I'd suggest not doing it ;p

------
modernerd
In response to step 3, "decide what solution to obtain consent will be best in
your circumstances", there's a discussion on ux.stackexchange related to
potential methods for obtaining consent:
[http://ux.stackexchange.com/questions/7318/what-ux-solutions...](http://ux.stackexchange.com/questions/7318/what-ux-solutions-are-there-for-the-eu-cookie-legislation)

~~~
chalst
Oh, good link.

I've been toying with not explicitly asking for consent, but prominently
displaying the fact that data gathering is taking place with an icon, along
the lines of the cookie monster eating tracking data. Clicking on the icon
pops up a control that explains what tracking I'm doing, the usability
consequences of switching off tracking, and gives an off switch for tracking.
The off switch is implemented by another cookie, but since this cookie isn't
tracked (i.e., I don't store any data about the cookie on my machine), it
isn't covered by the privacy law.

This seems in keeping with the spirit of the guidance on p8 of the FCO report:
[http://www.ico.gov.uk/for_organisations/privacy_and_electron...](http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf)
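The icon-plus-off-switch design in the post above can be implemented client-side with a preference cookie that gates the analytics loader. The block below is an added example written for this thread, not code from the post's author or from any project mentioned here; the cookie names (`session_id`, `csrf_token`, `cart`, `_ga`, `tracking_optout`), the constructed sample cookie string and the `/static/analytics.js` path are all assumptions. It also shows the audit step a "strictly necessary" test implies: listing which cookies already present on the client fall outside the essential set.

```javascript
// Added example: consent-gated loading of non-essential cookies.
// Every name below is an assumption for illustration, not a real site's config.

// Cookies the site itself needs to deliver what the visitor asked for.
const ESSENTIAL_COOKIES = new Set(['session_id', 'csrf_token', 'cart']);

// The opt-out switch. It stores only a flag ("1" = tracking off), never an
// identifier, so it cannot itself be used to track anyone.
const CONSENT_COOKIE = 'tracking_optout';

// Constructed sample of what document.cookie might contain on a page that has
// both an essential session cookie and an analytics cookie set.
const SAMPLE_COOKIE_HEADER = 'session_id=abc123; _ga=GA1.2.111; tracking_optout=1';

// Parse a Cookie header / document.cookie string into a Map of name -> value.
// A malformed percent-encoding keeps its raw value instead of throwing.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    let value = raw;
    try { value = decodeURIComponent(raw); } catch (e) { /* keep raw */ }
    jar.set(name, value);
  }
  return jar;
}

// Audit step: which cookies on the client are essential, and which would
// need the visitor's consent. The preference cookie counts as essential
// because it exists only to honour the visitor's choice.
function classifyCookies(cookieString) {
  const result = { essential: [], nonEssential: [] };
  for (const name of parseCookies(cookieString).keys()) {
    if (name === CONSENT_COOKIE || ESSENTIAL_COOKIES.has(name)) {
      result.essential.push(name);
    } else {
      result.nonEssential.push(name);
    }
  }
  return result;
}

// Tracking may run only while the visitor has not flipped the off switch.
function trackingAllowed(cookieString) {
  return parseCookies(cookieString).get(CONSENT_COOKIE) !== '1';
}

// Build the Set-Cookie value for the switch: a year-long, path-wide flag that
// is never sent over plain HTTP or on cross-site requests.
function optOutCookieHeader(optOut, { secure = true, maxAgeSeconds = 31536000 } = {}) {
  const attrs = [
    `${CONSENT_COOKIE}=${optOut ? '1' : '0'}`,
    'Path=/',
    'SameSite=Lax',
    `Max-Age=${maxAgeSeconds}`,
  ];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Browser entry point: inject the analytics script only after the check passes.
// Returns true when the script was added, false when the visitor opted out.
function loadAnalyticsIfAllowed(doc, scriptUrl) {
  if (!trackingAllowed(doc.cookie)) return false;
  const script = doc.createElement('script');
  script.src = scriptUrl;
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// Wire-up when running in a real browser; a no-op under Node.
if (typeof document !== 'undefined') {
  loadAnalyticsIfAllowed(document, '/static/analytics.js');
}
```

The design choice worth noting is that the switch cookie is the only state the site keeps about the visitor's choice, and it carries no identifier; `classifyCookies` is what a site owner would run (or replicate server-side against the Cookie header) to find out which cookies it is currently setting without an essential purpose.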

------
benjash
Currently I have the freedom as a user to opt out of all cookies. But when &
if this law even comes into play I won't be able to opt out of the endless
pop-ups asking me to enable cookies.

I'm all for protecting user privacy, yet it's not a problem. Most users
understand how to use 'private browsing'. Yet a lot will be puzzled why a
website wants cookies?

This will massively cripple the EU online industries. I'm shocked at the
lackluster response from the industry itself.

Additionally the law is both overly specific and vague. It seems to pick out
certain technical functions yet state a vague and broad solution.

Plus the law fails to stop any really bad forms of tracking.

~~~
Isofarro
Your choice to opt-out of cookies has the side-effect of sites breaking
because they assume cookies are accepted. So you're pretty used to broken /
non-working sites.

In that case, I don't see in your case why having a constant pop-up message on
every page of a working site is worse than a mostly broken website.

Do broken websites still work well enough for you?

This won't massively cripple EU online industries. Cookies used by the core
service are unaffected, so EU companies can offer the same service as normal.

The restrictions really affect cookie based traffic reports (so use weblogs or
image beacons instead), A/B testing preferences, accepting money from
advertisers to track visitors through your site.

This hardly cripples EU online industries, it might have a positive side-
effect of site visitors being more amenable to paying for online services
which are currently ad-supported, so as to opt-out of cross-site analytics and
advertiser profiling cookies.

The consumer having the choice about their privacy is an issue that's only
going to get more important over the next couple of years. If your business
depends on building profiles of users without their consent, yes, those
businesses need to adopt non-cookie methods of doing this, and/or consider
being more upfront to the visitors, and explain clearly why these features are
of benefit to the visitor.

~~~
jamiequint
The definition of "cookies used by the core service" here is so far off it's
insane. Analytics packages like Google Analytics are not part of my "core
service"?

It increases the burden on site owners collecting data about things that are
happening _on their own site_. Less data leads to less ability to make
optimization decisions leads to a worse online experience for everyone who
uses that site. If I can't A/B test my site how the hell am I supposed to
improve it?

Additionally, for ad supported sites, don't be shocked to see revenue drop
like a rock when sites can't fill any inventory with retargeted ads or other
forms of more targeted advertising that pay a higher CPM. Less money = less
resources = worse experiences.

~~~
Isofarro
> The definition of "cookies used by the core service" here is so far off it's
> insane. Analytics packages like Google Analytics are not part of my "core
> service"?

If Google Analytics is a core service your site offers to visitors, then I
suggest you have bigger problems than just this tiny change to UK Law.

On the other hand, if what you say is indeed true, surely you can come up with
a compelling explanation to your visitors over why it is in the visitor's best
interests to opt in to having a Google Analytics cookie added.

> It increases the burden on site owners collecting data about things that are
> happening on their own site

That's only if you decide not to give the user a choice of whether to opt in
to tracking or profile-building cookies. I don't think you should write that
option off so quickly.

Sites should always take the privacy issues of their visitors seriously. Now
is a good time to sit down and consider it. No longer can you turn a blind eye
and let third parties use your site to build profiles about visitors. Now you
have to get their informed consent first.

> If I can't A/B test my site how the hell am I supposed to improve it?

You can A/B test your site. If you want to use a method that requires cookies,
then get the visitor's consent first.

> Additionally, for ad supported sites, don't be shocked to see revenue drop
> like a rock when sites can't fill any inventory with retargeted ads or other
> forms of more targeted advertising that pay a higher CPM. Less money = less
> resources = worse experiences.

This is not surprising. The value of ads is based on the profiles they build
up about each visitor to your site. You've been making money by quietly
leaking their browsing history to these third party ad-networks. Now you are
being asked to be more responsible.

~~~
jamiequint
> If Google Analytics is a core service your site offers to visitors, then I
> suggest you have bigger problems that just this tiny change to UK Law.

Why does caring about storing accurate data about what users are doing on my
site so I can improve it mean I have "bigger problems"?

> You can A/B test your site. If you want to use a method that requires
> cookies, then get the visitor's consent first.

I could also ride a horse instead of driving a car...

~~~
Isofarro
You do have quite a unique definition of "the core service of the site".

All I can suggest at this point is that you need legal counsel to confirm your
definition is compatible with the definition within this particular
legislation. If that is indeed compatible, then I guess you probably have a
good argument indeed for the need of the Google Analytic cookie, and that it
is required for the service you offer visitors.

> I could also ride a horse instead of driving a car...

I'm sorry you feel this way about the right of your site visitors' privacy.
It's a great shame you don't seem willing to respect that.

~~~
jamiequint
> you need legal counsel to confirm your definition is compatible with the
> definition within this particular legislation

Why bother? I would rather sacrifice operating in the entire UK than degrade
the experience across the entire userbase. I would not be surprised if many
other people made the same decision.

> I'm sorry you feel this way about the right of your site visitors' privacy.
> It's a great shame you don't seem willing to respect that.

Your condescending tone is noted and unappreciated. I would like to clarify
that I am specifically speaking about tracking usage of the site for purposes
of conversion optimization and usability improvements. I strongly disagree
with your assumption of a reasonable right to privacy when you are using my
website. If you choose to use my site, what gives you the right to preclude me
from tracking what you are doing _on my website_?

~~~
Isofarro
> I strongly disagree with your assumption of a reasonable right to privacy
> when you are using my website.

You're pretty much at an irreconcilable position with UK/EU legislation with
this firm stance. Based on that, your preferred approach of sacrificing
operations in the entire UK is a logical avenue for you.

Keep in mind the longer-term implications of that if other countries decide to
adopt a visitor privacy-centric approach. The growing concerns about online
privacy aren't showing much sign of dampening, so it's a risk you need to
evaluate appropriately, and take the path that's best for your operation.

------
woodall
In other articles I have read mention of allowing the user to opt in via the
browser:

For example the directive suggests users can express consent through the use
of browser settings, whereas the ICO guidance states, "At present, most
browser settings are not sophisticated enough to allow you to assume that the
user has given their consent to allow your website to set a cookie… We are
advising organizations which use cookies or other means of storing information
on a user’s equipment that they have to gain consent some other way."

[http://www.clickz.com/clickz/news/2073597/cookie-law-creates...](http://www.clickz.com/clickz/news/2073597/cookie-law-creates-confusion-eu)

This would be pretty easy to do with an extension and something like OnePass
or OpenAuth. My issue with that solution is the centralization. I like having
multiple passwords, however, I also like having everything blacklisted and
making the user whitelist websites.

We are still waiting on over half the EU to say that they will implement this.
Can't wait to see what interesting ideas spring up.

------
Facens
At iubenda we are working to solve this problem once and for all, by embedding
a simple widget which provides a small popup for allowing the _unnecessary_
cookies. We are working with our lawyers for designing an opt-in which is
service-based, so that you need to "allow" Google Analytics just once for any
website.

Stay tuned, we are working hard for fixing this issue.

------
tomelders
Slightly over egging the pudding with the headline I think. The government has
stated that they won't be enforcing this law until they've figured it out
themselves.

------
mrschwabe
Peter Thiel was on to something....

"We need to figure out a way to escape from it (politics)".

Shit like this is a reminder that we don't have much time.

------
ehutch79
Question, does this affect websites hosted in America (the continents) who
might have UK based visitors?

~~~
benjash
This hasn't been clarified yet. Some people think it may affect all EU
traffic.

Seems like we might be having a tracking paradox.

~~~
ehutch79
Right? Especially where you can no longer really trust IP-based geolocation
now that we've run out of IPv4 addresses, and they're allowing single-address
trading. What you could once reasonably guess was a US address based on the IP
block may now actually be owned by a UK organization.

------
Andrew_Quentin
Can't we all just ignore it? What are they going to do? Send us all to
prison?!

The law is based on consent. Social Contract. All of that...

~~~
spjwebster
Ignoring this law means ignoring the privacy concerns of your users. If you're
happy with that, you're part of the reason this law was introduced in the
first place.

~~~
Andrew_Quentin
What privacy concerns? That they came to a site and stood around for 4 minutes
and read some article?

Are my users concerned to go out too, and of their dress, and is that privacy
also?

How would they like it if the first greeting in a shop was, "Hello, we are
watching you, we are here to serve you, and take as much money as we can from
you."

Why do they not go after the people who actually do the tracking? Why do they
not impose a legal obligation on google and ad agencies to not track, or on
facebook or whatever. Why go after thousands of people. Not everyone is a
programmer. Many website owners have no clue what a cookie is, which one is
essential or otherwise, how to not store cookies, or delete them, etc.

The end effect is then that the web stops being free for all. The
corporations, with the resources to abide by such laws, once again take
control. The man on the street cannot any more simply get a template from
some website and put some ads on it. He needs to pay some programmer which he
probably cannot afford.

What user has been hurt? What privacy has been infringed? What have we found
out about anyone which was previously secret?

This is about control. Nothing else. As such, the people will do what they do
best when met with ridiculous and far reaching laws, ignore them. Let them
arrest us all!

~~~
spjwebster
> Why do they not impose a legal obligation on google and ad agencies to not
> track, or on facebook or whatever.

They do. As I understand it, this law applies just as well to the likes of
Google, Yahoo and Facebook as it does to the sites that host their ads. There
is some ambiguity over exactly who is responsible for gaining consent for 3rd
party cookies — ICO have stated that this is a complicated area and more
guidance may be forthcoming — but my approach is that I can't trust these
third parties to cover my arse so I'll do it myself.

------
ehutch79
So this law was passed without any technical solutions in place whatsoever?
It seems they completely ignored the tech community on this.

<http://www.bbc.co.uk/news/technology-13541250>

~~~
chalst
I think it was not so much that the community was ignored, but that the law
was passed under unusual circumstances: usually the lobbyists inform the
legislators, who defer to industry on the specifics. Here the lobbyists mostly
hated the legislation, but legislators were more responsive to privacy
activists because of widespread public concern. So the law is a triumph of
democracy over technocracy.

And I think that's reflected in the legislation. The principles are OK, but
the detail does not match up with practice. Hence the law is some way from
being something workable.

It is well worth reading the ICO report:
[http://www.ico.gov.uk/for_organisations/privacy_and_electron...](http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf)

~~~
extension
Ah, judging by that report, the law really seems quite reasonable.

Basically, if the user explicitly requests some functionality, like creating
an account or saving a preference, and you need a cookie to do that, you don't
have to ask permission to set it.

If you want to do anything _else_ with the cookie, you have to get informed
consent and the practical way to do that is by making it part of the request
e.g. adding an explanation and checkbox to the signup or preferences page.
Naturally, the more you want to do with the cookie, the more you have to
explain to the user.

So effectively, you get to track users in _exchange_ for their _engagement_
with your site, and you have to (gasp) tell them exactly how you are tracking
them.

------
5h
As idiotic and frustrating as this is, I find it amusing to note this includes
direct.gov.uk.

edit: the ICO's website now has a horrific warning at the top of it, which it
didn't yesterday.

edit 2: ICO's website has Google Analytics & an ASP.NET session ID, yet their
warning states "One of the cookies we use is essential for parts of the site
to operate and has already been set." This would lead me to think that a
cookie for a session key is "essential" and therefore admissible? ...

------
benjash
Need troops people. Anyone against this new cookie law please join this page.
Need to spread the word.

[http://www.facebook.com/pages/This-EU-cookie-takes-the-biscu...](http://www.facebook.com/pages/This-EU-cookie-takes-the-biscuit/189425797771259)

~~~
charlesmarshall
Have you set up a petition? - <http://petitions.number10.gov.uk/>

------
Hisoka
This should be an entrepreneurial opportunity for someone.

------
ChrisArchitect
This has got me a bit confused, and the absurdity of trying to put a blanket
policy on something as global as the net, and something somewhat
not-geo-specific as domains and sites, confounds me.

They should start by banning foreign hosting of UK ccTLDs...

------
plainOldText
Rejoice while you still have time, people, because the internet as we know it
today will be no more. With so many attempts to alter the internet's status
quo, it's hard to believe none of them will go through. I don't want to sound
pessimistic but I believe it is the truth whether we like it or not. Things are
about to change, for worse imo, and most people are quite indifferent.

~~~
Luyt
Indeed, it is time to write off the Web. I didn't like the Web anyway; I was
happy back in 1991, with email, usenet, FTP, Archie, Gopher and Veronica. That
was all we needed. The early Web looked interesting at first, but after a few
years it became quickly overwhelmed by commercialism. The past years have even
been worse, with the big-brotheresque webtracking of individuals and the
erosion of online privacy. I wonder what will appear when the Web finally has
become unusable.

