
Cookie-tracking deadline: Sites pressed to meet deadline - iProject
http://www.bbc.com/news/technology-17745938
======
bdfh42
The trouble is that it is not entirely clear which cookies are exempt and
which are affected in many cases. We have a site with a cookie set for logged
in users - perfectly normal. This cookie is essential for the operation of
certain aspects of the site. Is this cookie in the same category as those used
to maintain a shopping cart (and thus exempt)?

To be on the safe side we are putting up a notice on the log-in page - and
accepting the user's decision to continue to log-in as explicit permission to
set the cookie.

On the plus side I am looking forward to not seeing ads for anything I have
viewed on certain retail sites popping up wherever else I go on the Internet.

~~~
justincormack
Log-in cookies are fine, because you can ask for permission as part of
sign-up. It seems you should add an extra check box though so the user has
said they accept this.

The guidance document is here and is fairly helpful
[http://www.ico.gov.uk/for_organisations/privacy_and_electron...](http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx)

------
5h
I was waiting for this retarded piece of legislation to rear its head again.

Those who wish to circumvent it will do, easily & by far more insidious means,
meanwhile the rest of us who just want Google Analytics have tough choices to
make.

Hopefully x-do-not-track will gain momentum instead, that will at least save
the honest website owners some work & leave the nefarious ones to do whatever
they wish like at present.

~~~
5h
Replying to myself as I seem to be at the top, just found this
<http://civicuk.com/cookie-law/configuration> and thought it looked quite
nice, via the reddit thread at
[http://www.reddit.com/r/web_design/comments/sfxvo/anyone_got...](http://www.reddit.com/r/web_design/comments/sfxvo/anyone_got_their_sites_ready_to_meet_the_new_uk/)

------
tomp
Paradoxically, if you refuse to accept any cookies from a website, the website
won't recognize you as a repeat visitor, meaning that you will get a pop-up
asking you to accept their cookies every time!

~~~
extension
Sites are allowed to use cookies for certain internal purposes without
consent, and that is probably one of them.

------
taf2
I guess it's time to start using localStorage and ETags.

~~~
spjwebster
Actually the law was written very carefully so as not to be tied just to
cookies. Regulation 6 of the Privacy and Electronic Communications Regulations
2003 (PECR) [1], after applying the 2011 amendment [2], reads:

    
    
    (1) Subject to paragraph (4), a person shall not store or gain access to
        information stored, in the terminal equipment of a subscriber or user
        unless the requirements of paragraph (2) are met.

    (2) The requirements are that the subscriber or user of that terminal
        equipment-

        (a) is provided with clear and comprehensive information about the
            purposes of the storage of, or access to, that information; and

        (b) has given his or her consent.

    (3) Where an electronic communications network is used by the same person to
        store or access information in the terminal equipment of a subscriber or
        user on more than one occasion, it is sufficient for the purposes of
        this regulation that the requirements of paragraph (2) are met in
        respect of the initial use.

    (3A) For the purposes of paragraph (2), consent may be signified by a
         subscriber who amends or sets controls on the internet browser which
         the subscriber uses or by using another application or programme to
         signify consent.

    (4) Paragraph (1) shall not apply to the technical storage of, or access to,
        information—

        (a) for the sole purpose of carrying out the transmission of a
            communication over an electronic communications network; or

        (b) where such storage or access is strictly necessary for the provision
            of an information society service requested by the subscriber or user.
    

No mention of cookies, and "information stored, in the terminal equipment of a
subscriber or user" would seem to apply to solutions that use HTML5 local
storage, ETag headers, Flash LocalSharedObjects or any other similar
technologies.

[1]: <http://www.legislation.gov.uk/uksi/2003/2426/contents/made>

[2]: <http://www.legislation.gov.uk/uksi/2011/1208/contents/made>

~~~
taf2
Okay, so it looks like they're very focused on storage in the client's
browser - I assume that's what they mean by terminal equipment. They don't
explicitly mention ETag and I would bet that they can't enforce use of ETags
or Last-Modified timestamps as they're really just a resource identifier. So,
if local storage is out of the question, you could store the information
server side.

------
tagawa
Boagworld has a good, concise overview of the changes and what you should do:
<http://boagworld.com/news/the-current-cookie-crisis/>

------
antinitro
I honestly think this is a stupid idea. Feels as if it's another case where
someone at the top with no understanding of how the web works has decided to
lay down their 'authoritah' with no regard for its outcome. The whole
political system is a shambles when it comes to anything web related. We need
people with real, cast iron experience of the web to help make decisions which
don't have such negative impacts.

First SOPA, now this.

