May 2011 - Posts

Cookies Law: Ah the Irony!
Mon, May 23 2011 2:30

On Thursday 26th May 2011, the Privacy and Electronic Communications Regulations are changing in the UK as a result of the revisions made to the European Directive.  The changes cover of a number of issues but the issue I’ve been focussing on recently is that of the changes in regulations to how cookies are used on websites.  However these changes from what I can see are going to cause not only companies and developers issues, but more importantly will cause more inconvenience for users!

funny-pictures-cat-wishes-to-access-your-cookiesSo what’s changing I hear you ask, well up until now the regulations required that websites which used cookies for storing information, informed users how the website used cookies and advised how they could opt out if they wished and gave instructions on how to do so using browser settings.

In their infinite wisdom the European Union, and consequently the UK, have decided to change this and require that websites provide full information about how cookies (including Flash Cookies and Isolated Storage) are being used and ask users to opt in to the use of cookies.  The only exceptions to this rule would be where a cookie is “strictly necessary” for the function of a site, e.g. maintaining a shopping basket.  An example of a cookie which needs to be declared and in common use on many websites around the globe, are those created through the use of the Google Analytics service.

How Can a Website Comply?

In the UK the information Commissioner’s Office, in their guidance document have advised website owners that they should look at this in three stages:

  1. Review and make a list of all cookies and similar technologies (Flash Cookies; Settings in isolated storage) being used on your website and how they’re used;
  2. For each one identified determine how intrusive it is;
  3. Determine a method of obtaining consent for each one, which will provide the best experience for users of your website and which will fulfil your requirements. Then put together a plan to implement this.

It is no longer sufficient to users browser settings to indicate whether or not they wish to allow the use of cookies, due to the lack of sophisticated control of cookies, levels of variation between browsers versions and the fact that browsers are not the only way in which users access websites.

Solutions and Irony

I’ve been looking at possible technical solutions to this issue and still can’t find one which I like and believe will serve all interested parties well.  All of the possible technical solutions have advantages and disadvantages.  Some examples of the options I’ve been considering are Popup windows or splash screens, but these are often blocked by browser settings, can cause immense confusion and often inaccessible to users'; Requiring the acceptance of terms and conditions which detail required use of cookies is again unworkable as users would have to have accounts with which to access your website, how can you handle anonymous users?

The irony of all of these changes is that the likely technical solution is to ask for permission to write a cookie to indicate whether or not the user is happy with cookies being used.  However if a user does not allow cookies, the cookie can’t be written so what do you do then?  Deny users access to your website? Prompt them on each request from your website?  If you chose to disable the cookie(s), for example the Google Analytics tracking cookies, do you turn them off on an individual page basis, or do you disable them on a session basis?

Comments

Apparently there were consultations with members of our industry on these changes and discussions on how they will work.  I can’t believe that these regulations have been passed in their current state, they are extremely unworkable and pose so many issues for maintaining a workable, compliant and usable web. 

The intention behind these changes is good, in that the EU is aiming to protect user’s privacy and enable users to make informed decisions about what data is released and able to be used by third parties.  However by asking users for consent for permission to use cookies each time they try and access something on a website, after they have said they don’t want to allow the use of cookies, users will start accepting the use of cookies just so they can use the web.  Also as user’s won’t always access websites through the homepage, site owners will need to implement solutions which cater for every possible entrance to the site.

The most common instance of where websites write cookies are for the use of analytics services, i.e. Google Analytics.  So far Google haven’t commented on whether they are changing their service to not need cookies, nor have they provided any guidance for website owners on how the service can be used if user’s deny cookies.  So are site owners going to stop using the very, very popular service in order to improve the usability of their site but also lose the benefit of analytics – which ultimately are used to improve user experience?  I wait with baited breath to see how major websites – Amazon, Play, Google; tackle this issue from Thursday in a way which won’t lose them users.

I think the major losers in all of this, are going to be the users, which these changes are attempting to protect – ah there’s the irony again!  By creating differences in how websites comply, users will be left confused, harassed and frustrated when all they want to do is use a website to do something which they’ve been able to do for years be that buy a book, find information or post an update to their timeline.

What’s Your Opinion?

I’d be really interested to hear other people’s take on this.  How do you interpret the changes?  How would you implement the technical requirements?  Do you think it’s workable?  I look forward to an interesting discussion on this issue and seeing the many responses to this on a website near you!

by Andrew's Blog
Filed under: