back to article UK cookie law compliance takes effect today

From today the UK's Information Commissioner's Office will begin enforcing the EU's revised ePrivacy Directive that requires website owners to be upfront with their users about the information they collect. The so-called cookie law was implemented on 25 May 2011 by Brussels officials, but getting the legislation transposed …

COMMENTS

This topic is closed for new posts.

Page:

  1. This post has been deleted by its author

  2. Anonymous Coward
    FAIL

    Why should anyone comply? The ICO is a joke frankly!

    I reported one large UK educational organisation for persistently spamming me despite being asked to stop on five separate occasions (including once in writing). ICO's response was that they couldn't help despite the organisations concerned clearly having no understanding of how to operate and maintain their own database.

    So my guess is that we'll hear of a few high profile cases in the papers of the ICO taking action, but for the rest the ICO will sit around going "not my problem mate".

    1. LarsG
      Facepalm

      Bloody annoying

      Whats worse, the fact that cookies existed or the annoying little pop up boxes that now keep keep appearing telling us cookies are about?

      Someone develop something that erases the little annoying pop ups please.

      1. Fibbles

        Re: Bloody annoying

        As far as I can see, if I don't accept a tracking cookie from a site I'll keep getting pop-ups telling me the site needs my permission to install cookies. Government mandated nagware, great...

        1. Bakunin
          Holmes

          Re: Bloody annoying

          Also annoying is the fact that you accepted cookies is stored ... in a cookie.

          So those of us who expire all cookies when the browser is closed (and have been doing so for years) have to agree every time we return to a site in a new browser session.

          So how long before the "accepted cookies" cookie becomes the standard long term tracking method because it's the one cookie people are least likely to remove because of the annoyance factor?

          1. Dan 55 Silver badge
            Facepalm

            Re: Bloody annoying

            Maybe in the days of Netscape 4/IE 6 'something had to be done' but now every browser under the sun now comes with a reasonable set of cookie controls and if that's not enough there's Do Not Track which appears to be gaining traction and add-ons like ABP/NoScript/RequestPolicy et al...

            This is why politicians shouldn't be allowed to legislate in technical matters. Just because they can't find the cookie options in the preferences dialog it doesn't mean that an area with a population of 400 million people + everyone who visits from outside that area should be badgered with fecking annoying pop ups saying 'ooh, we use a feature of HTTP headers that's been in use for about 15 years, are you really okay with that? By the way, if you can find the cookie controls, see you next time!'

            And so the next popular add-on for browsers will be a technical solution which will identify the 'are you okay with that?' cookie and preserve it while disabling the rest or letting them get wiped when the browser closes.

            1. David Hicks
              Thumb Down

              Re: Bloody annoying

              You, someone that understands technology, may well feel that way. The vast majority of people do not, yet many of them would be upset to find out just how much they are tracked and monitored across the internet.

              There is no need for 90+ % of the cookies that collect in the browser, just take a look at the list that accumulates sometime. Cookies should be reserved for logins, basically. You can do most of the rest with session ids as parameters in a URL. These irritating popups (I have yet to see one) shouldn't be there either, until someone tries to use a function for which cookies are essential.

              I mean, taking el reg as an example, why should anyone need a cookie to read the site? Other than those few of us that log in to make a comment, it seems completely unnecessary and serves to do nothing more than track people, which is unacceptable.

              1. Liam Thom
                Thumb Down

                Re: Bloody annoying

                Session parameters in a URL? Why would you use such a clumbsy tool when you could use an (almost) universally accecpted method of dropping a harmless text file on a user's computer?

                1. David Hicks
                  Thumb Down

                  Re: Bloody annoying

                  @Liam - Why bother with session parameters at all most of the time? Just why are sessions even tracked on most sites? Seriously, unless you are an online shop or an account based service, there's no need, and the negatives of cookies outweigh the positives.

                  I'll say it again - why the hell does a site like el reg need to use cookies unless people want to log in and comment? For the other (larger) part of the user base, there's just no need.

                  @Dan - When 'Do Not Track' is actually respected by the shadier side of the advertising business (i.e. Never) then that's a fine solution. Until then, yes a lot can be done with session ids in URL parameters (which I don't believe went out in the 90s), and in a hell of a lot of cases there's just no need for a cookie in the first place.

                  1. Dan 55 Silver badge

                    @David

                    From the user's point of view nothing can be done with session IDs in the URL as if you delete them by hand they keep coming back and if you share the link with someone else or a search bot crawls your site it's a possible security problem.

                    However properly managing the cookie permissions allow you to reject session IDs on a per site basis if you really want to. Otherwise you can wipe them on exit.

                    The shadier side of the net can track you with flash cookies, DOM storage, local DB, history sniffing and more. They are only going to take advantage of the 'are you okay with this' message to install malware as someone mentioned here. Do you think premium SMS scammers and 070 fraudsters and the like respect the TPS and Ofcom?

                    Far better to push for DNT as in the states (and it's not often I say something like that) than annoy everyone with messages that give the impression that 'cookies are bad, m'kay'.

                    A perfectly good solution to a technical problem (storing state using a stateless protocol) has now been made clumsy to use by clumsy legislation, not just in the UK but across the whole of the EU.

                    1. David Hicks
                      Thumb Down

                      Re: @Dan

                      WHY DO YOU NEED STATE?

                      Why is nobody going to answer this question - why in hell's name does a site like the regneed to bother with state for anyone other than logged in users? Why do 90% of the sites out there set multiple cookies when I'm just passing through to read something?

                      Sure, session ID's could be a security risk if used for sensitive things, nobody's suggesting you can't use cookies where you actually need to, for user accounts and purchasing operations. How many of the sites that set cookies do you think actually use them for this?

                      If I leave my browser unprotected it quickly accumulates hundreds to thousands of cookies of cookies. I but from maybe three sites, and have user accounts at another ten at most. The rest of the cookies are for tracking of various forms and these are what the legislation aims to reduce, an operation which I'm 100% behind.

                      1. Anonymous Coward
                        Anonymous Coward

                        Re: @Dan

                        Trouble is, the legislation is toothless. Look at the BBC site: the important cookies, that is the ones which track you as an individual, are described as "essential" and no opt-out is permitted.

                        Mind you, El Reg isn't any better: "Click the button to accept our cookies. And by not clicking the button, you still accept our cookies". So much for informed "consent".

                        I predict there is now going to be a huge market in new browser add-ons which block all cookies except specific static ones which say you've accepted cookie policies - thus making the whole business of browsing far more tedious than it ever was before.

                    2. David Hicks

                      Re: @David

                      Further to that - one hopes this becomes just another weapon in the arsenal to take down scammers, at least if based in europe.

                      1. Dan 55 Silver badge

                        Re: @David

                        I think El Reg and every other site are perfectly entitled to find out which areas on the page/headlines/stories generate most clicks on their own site. If you don't agree with that then you can disable cookies for that site's domain. In addition many 'top stories now' boxes/tickers/false windows on the page/pretty effects to increase the site's appeal need to store temporary data somehow.

                        There really doesn't need to be a giant warning on every website, it doesn't help the end user in any way.

                        1. David Hicks
                          Stop

                          Re: @David

                          Right, so now we get to the bottom of it, you don't need those cookies. It's not going to break the internet to ditch 99% of them, and you consider yourself entitled to track users activities.

                          Those are (at best) 'nice-to-have' features that allow you to track what goes on with your site, and at worst are precisely the sorts of behvaiours this legislation seeks to make more difficult.

                          I'm glad we've got to the bottom of this - there is no technical reason that most cookies can't be ditched.

                          1. Dan 55 Silver badge
                            Facepalm

                            Re: @David

                            Giving the client a reasonable set of privacy controls allows the user to make decisions, works for both legitimate and dodgy sites, and doesn't make browsing clumsy.

                            Mandating messages on the server side doesn't really allow the user to make decisions (it's just 'we need cookies to work, click here to agree' or some sites like BT will give you server-side cookie controls that really are more transparently covered to the user with client-side controls, and remember if the user is interested enough to find server-side controls then they will certainly have already found the client-side controls which have the advantage of working for every site and being standard for that browser not dependent on the server), only works for legitimate sites, and makes browsing clumsy.

                            Some people like the features I've mentioned. Try and use an AJAX web mail service without them. Just because you miss the days of Mosaic doesn't mean it should be inflicted on everyone by law. If politicians ever hear about the other features I've listed above that dodgy sites could use then we might as well turn off the Internet because browsing is going to turn into a form of masochism.

                            Just because you maintain that the lack of a message might trip up a dodgy site or two doesn't mean that it's necessary to inconvenience the users who use the vast majority of legitimate sites. Do you really think they're going to bring down e.g. The Pirate Bay over this when they've been going for years? What does the directive allow EU governments to do as a sanction for not complying? Fine them (if they can be found). Not take down the site. Not put the owners in prison.

              2. Dan 55 Silver badge
                Thumb Down

                Re: Bloody annoying

                If someone objects to being tracked, there's the Do Not Track option. It could be one of the basic configuration options shown on first run.

                Session IDs in the URL are madness and got dropped by the end of the 90s.

        2. MrXavia
          Thumb Down

          Re: Bloody annoying

          Totally agree with you here, I would rather NOT have a nagware box, but expect sites to track me(making it my responsibility to clear cookies etc), than have the nag box..

          Most sites NEED a cookie to function, and basically that means they have a pretty good get-out clause for that cookie...

          I.E. go to Amazon, no cookie warning, BUT they put a session cookie in, wow, shocking....

          This whole thing about cookie permission is a farce..

        3. Anonymous Coward
          Anonymous Coward

          Re: Bloody annoying

          Like the Reg "The Register uses cookies. Some may have been set already...blah blah blah...If you continue to use the site, we'll assume you're happy to accept the cookies anyway" I delete all cookies when I exit the browser, I set my browser to ask before accepting cookies. So yes, by the time this box pops up I have said ok, so could you please remove that grey bar at the botton of the page without me having to click on it. I mean, its not as though these modern wide screens have an excess of vertical pixels is it.

          Still not as bad as the BBC site which wastes 5+ lines at the top of the page so I have to scroll down to read the content.

      2. Adam T
        FAIL

        Re: Bloody annoying

        Bloody annoying all right; El Reg's cookie pop-up keeps popping up on iPhone despite having already clicked I'm Fine With This every time, and I'm sure it won't be long till this is happening everywhere, and with confusion and uncertainty comes opportunity for mischief.

  3. David 45

    ICO just a figurehead

    I get the impression that the ICO just seems to be only interested in pursuing large companies and organisations in order to create a nice headline splash. I once reported someone that I used to work for as a driver, as he was in the habit of persistently passing on other drivers' personal details to other drivers and third parties without permission. Got pretty well nil response there from the ICO. He also passed on MY details (address, etc.) to one of the notorious, so-called private parking enforcement companies that got on the gravy train, instead of passing the paperwork directly to me to deal with. I reported this also and the ICO said is was OK to do this if the person concerned suspected that there may be follow-up legal action, which sounds distinctly vague and like some sort of get-out to me. Preposterous. Incidentally, I ignored the parking company's threats and allegations and never got any more correspondence from them. Just a try-on.

  4. The Axe
    Mushroom

    Annoying

    I'm already mighty pissed of with the directive causing lots of pop ups on just about every she I visit. Effing irritating. Another nail in the coffin for the eu as people find out how much its laws actually affect them - for no real benefit.

    1. OldBiddie

      Re: Annoying

      Really? Not a single site I regularly visit has had any visibility of asking for cookie permission.

      I get the premise, but stupid EU directives are stupid.

      1. Anonymous John

        Re: Annoying

        Not even El Reg? It's the only compliant site I've seen.

        1. Peter Johnstone

          Re: Annoying

          Yep, el reg and the BBC.

          1. Ilgaz

            Re: Annoying

            The Guardian too.

            1. Anonymous Coward
              Anonymous Coward

              Re: Annoying

              And screwfix as well. (not a dating site)

        2. Anonymous Coward
          Meh

          Re: El Reg is compliant?

          No visible cookie warning on El Reg at all for me.

          The only UK sites I've seen with any cookie info banners are the Graun and the BBC.

          I just checked on another machine (similar OS/browser to this one) and there was nothing on the Graun or the BBC. Not sure why it's showing on some sites and not others.

          1. Anonymous Coward
            Anonymous Coward

            Re: El Reg is compliant?

            it appears at the bottom of the screen on El Reg sites, but I suspect if you've noscripted the site it may not work.

  5. Chris 3

    Does El Reg really think its compliant?

    Interesting attempt by the Reg, but does it actually think that the bottom 'we're using cookies, we presume you're OK with that' banner makes it compliant?

    1. Anonymous Coward
      Anonymous Coward

      Re: Does El Reg really think its compliant?

      The sad thing is I'm guessing that is enough for compliance.

      Although click here to accept cookie, or navigate website and auto-accept cookie is shit. why no don't place cookie? Accept cookie or don't view website, smells like shrink-wrap-eula to me.

      1. Anonymous Coward
        Anonymous Coward

        Re: Does El Reg really think its compliant?

        "Accept cookie or don't view website, smells like shrink-wrap-eula to me."

        Sounds like, for many sites, we'll have a choice: accept tracking, or effectively censor what we see simply on the basis of not wanting to be tracked. Sounds much more appropriate for the Soviet Union.

        Imagine if public libraries were like this. "Yes, you can browse, but some of the books you can only open if you agree to the authors/publishers/distributors/advertisers tracking you." Or bookshops, or newsagents. You get to the till. "Before we sell you this book, you'll need to agree to being tracked. You don't have to agree, but if you do still buy this book, we'll assume that you do agree anyway."

        What next? Compulsory supermarket loyalty cards? Except they won't be compulsory. You just won't be able to buy anything without them.

    2. OldBiddie

      Re: Does El Reg really think its compliant?

      Isn't this the problem? The ICO guidelines are so vague it could be interpreted any number of ways. What is an essential cookie exactly?

      1. Jess--

        Re: Does El Reg really think its compliant?

        an "essential cookie" is one that is required for the functionality of the site, the main generally accepted one is sessionid

    3. David Pollard

      Re: Does El Reg really think its compliant?

      Rather than being motivated by compliance it looks to me as though the new regulations have provided an excuse for a nag banner with the aim of getting more readers to turn off cookie blocking, thus increasing advertising revenue.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Holmes

        Re: Does El Reg really think its compliant?

        The only way to turn the banners off on most sites is to allow a cookie, looking at the scripts some sites run (which I allow), they will put this banner up until you allow them to set cookies. Others like elreg have put it into the html so greasemonkey or something to strip it out. Should be easy enough although some like the bbc are not displaying the banner if I block all their cookies.

    4. heyrick Silver badge
      FAIL

      Re: Does El Reg really think its compliant?

      It is more than that. There is a request from El Reg asking about cookies (with, I note (as do others) no NO option). So, okay, we are nice, we like El Reg, we write comments, so we grant permission to them (and, note, THEM alone) to store cookies.

      El Reg carries advertising. The website is still in breach because the advertisers never asked, never provided an opt-out, and god knows would likely never be granted permission by the masses.

      This legislation is a farce if it thinks El Reg asking counts also for the unknown quantity of unknown advertisers in unknown countries collecting unknown data who neither care about nor are obliged to respect El Reg's privacy policy. Put simply, El Reg (and others) just don't have the moral right to ask this question on behalf of (undisclosed) third parties.

    5. daveeff
      WTF?

      Re: Does El Reg really think its compliant?

      >>provide visitors with sufficient information to make a decision on whether they are happy for a cookie to be placed on their device<<

      Saying we're using cookies covers that? Should say what data and why?

      >> and obtain consent before placing a cookie <<

      der, my browser is set to accept cookies, I could set it not to - I have given consent.

  6. Trev 2

    In essence all you seem to need to do currently is put up a privacy policy and state what cookies are used (including 3rd party ones) and tell people how to block cookies if they want. Or if you're more paranoid, then you could do like www.bt.com at the very bottom of their pages.

    Beyond that it's pretty much a useless piece of legislation and £500,000 fines...yeah right!

  7. Andrew_b65
    Facepalm

    Accept malware

    This site uses cookies. Some may have been set already. Read About Managing our cookies. Please click here to unwittingly accept the installation of malware on your machine under the guise of accepting cookies.

    This is going to be a dream for botnets!

    It will be safer to install a browser extension to automatically accept genuine cookie requests to prevent my 9 & 11 year old users from filing their machine with dross. Are these cookie requests going to be certified?

    Double facepalm.

    1. LarsG
      Mushroom

      Re: Accept malware

      Yes, ' if you are happy with our cookie policy tick here, and if you do not want to accept our cookie policy tick here'......

      Ah Dimitri, we have another mugs details to pick over!

      Once we start to see the headline EXPLOSION IN MALWARE DUE TO NEW COOKIE LEGISLATION we can be sure the law will change again.

  8. Mr Young
    Thumb Up

    I'm scared!

    Is this cookie stuff more frightening than an alligator or tiger or dodgy wee spider? Stuff like that?

  9. Sean Houlihane
    WTF?

    Pop up blocker

    Anyone got an opt-out popup blocker? Why should i need to click some random link?

    1. Mr Young
      Alien

      Re: Pop up blocker

      Try this:-

      http://www.disobey.com/ghostsites/2005/11/fabulous-and-somewhat-sleazy-x10-pop-up.html

  10. David Gosnell

    How this should have been done

    Mandate that all new browsers should have an easy button to click to list all cookies in use on a given site, their contents, expiry terms, and (if technically feasible) a description of what they are. Whilst I'm as much against evil ad networks as the next guy, ultimately this is locally stored information, over which the user must take some personal responsibility and accountability - but mandating some simple tools that would work for all websites would sound better to me.

    Typically with these things, it's going to take some (expensive) test cases before anyone really knows for sure what the ICO wants or is trying to get out of this.

    1. Destroy All Monsters Silver badge
      FAIL

      Re: How this should *really* have been done

      Kick out the people and Euro Parliamentarian Fogies and hand the the saved tax feeder sustenance back to the civvies.

    2. Gaz Davidson

      Re: How this should have been done

      Better than this, just mandate a cookie policy being listed on a privacy page and force people to support the x-do-not-track header. Anything else is already covered by the Data Protection Act.

      Now every site in the UK is going to have these annoying popup bars and companies will just move their e-commerce elsewhere.

      1. streaky
        Facepalm

        @Gaz Davidson

        *Better than that*

        Every browser should have a tool for managing cookies...

        Oh no wait.

        Not just me or has the EU actually broken the internet with it's obtrusive popups - and likely broken accessibility too (which would put any site that fancies complying with this law in breech of other law)? Hey lets take a div and ram some content into it with what is in effect a legal notice. Yeah great plan that'll work.

        Maybe if they EU had bothered to model the solution they might have noticed the fact that they were fecking everything up. Thumbs up if like me you have sites and no intention of complying even if it ends up in court.

    3. Kynth
      Pint

      Re: How this should have been done

      I use the "Edit This Cookie" extension in Chrome for this very purpose - great when debugging.

Page:

This topic is closed for new posts.

Other stories you might like