ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

What's everyone doing about the new Cookie regulations?

May 31, 2011 8:35am

  • #1 / May 31, 2011 8:35am

    nathanpitman

    531 posts

    The new cookie regulations dictate that websites must be more explicit about when and where cookies are used and gain permission from the user before placing a cookie on their machine.

    I’m interested to know how other devs here are planning to deal with this… what advice you are offering your clients (if any) and whether you plan to pro-actively ensure that your clients are complying with the new law?

    http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.ashx

    Looking forward to hearing your thoughts! 😊

  • #2 / May 31, 2011 9:03am

    Dom Stubbs

    156 posts

    I mentioned this on Twitter on Friday (it was the first I’d heard of it) and the consensus seemed to be to leave sites as they are for now and see how this plays out. It’s an incredibly poorly thought out bit of legislation and my hope is that they’ll realise that within the one year transition period and scale it back. You’ve only got to spend a few minutes on the ICO site to see what an annoying step backwards this is for UX. They’re placing a great big banner at the top of every single page of their site unless you explicitly opt in to receiving cookies. Imagine that on every UK-based site, it’d be infuriating and arguably makes it harder to be competitive as a UK business online.

    To my mind if this should be legislated (and I’m not saying it definitely shouldn’t) then it should be browsers that are targeted, not individual sites. If a user doesn’t want to be tracked on Site A then they probably don’t want to be tracked by Sites B-Z as well, in which case they can block cookies altogether and enjoy the frustrating experience that follows. If they want to block cookies from a certain site then isn’t that what browsers’ private browsing modes are for?

    Say for example browsers start sending an ‘enforce-privacy’ header when users have a certain browser setting enabled. If that happens I’ll do what I can to ensure my sites respect that. In the meantime, instructing clients to intentionally make their sites worse in order to comply with an unclear, poorly thought out and likely unenforceable law doesn’t seem like a smart idea.

  • #3 / May 31, 2011 9:07am

    nathanpitman

    531 posts

    My personal feeling is that we should be advising clients of the legislation and the current situation but in the same sentence should advise caution in doing anything significant until there’s a clearer picture on whether browser manufacturers will be asked to enforce the compliance or not.

  • #4 / Jun 19, 2011 7:34am

    It’s interesting that there is not much discussion about this considering the implications.

    The most common sentiment I’ve picked up from various discussions is “stick your head in the sand and it’ll go away”.

    The problem is that there are so many sites out there using cookies that were developed in the past and are not likely to be updated.
    Plus how many sites get built by non-experts who copy/paste code from tutorials etc. and don’t even know that a cookie will be generated?

    If enforced it would seem to be the end of analytics, who is going to say yes if you ask them if it’s OK to track their page views etc.?

    I guess the issue is only really known to (some) web developers, who are largely individuals and not part of a large group who are recognised by the government. So protests about it are unlikely to get on their radar.

  • #5 / Jun 20, 2011 1:49am

    John Fuller

    779 posts

    The linked page indicates a couple of interesting things.  It seems to suggest this will be a phased approach and that sites which get reported will be the ones with the problems.

    This seems logical.  If your cookie usage is largely invisible to the user, then you probably won’t have a problem.  I’m betting this is tied to cases such as ads following you with the same targeted info and sites using your Facebook info without you specifically giving permission.  It’s the creepy stuff that’s the problem.

    Otherwise this needs to be something handled by the browser.  Having to get the user to opt into cookies for your site would be a usability nightmare if cookie usage is a relatively minor item.

    This is also interesting…

    Does this consent rule apply to every type of cookie?
    The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.

    There is a lot left to interpretation here.  I would probably just make some sort of note at the bottom of the page that clicking a link on the site will make use of cookies and by clicking a link you agree that my cookies are okay.  😉

    I think you will be okay as long as you aren’t creepy with your cookie usage.  Let’s not make too big of a deal out of this.  Sending out email in newsletters is fine, but spam is bad.  There is a lot open to interpretation there as well but if you aren’t a spammer then you really have little to worry about.  And spam is something that is truly out of control, these new rules are likely trying to target a trend which hasn’t yet taken off and many of us likely won’t make much use of (because we don’t want to be creepy.)

  • #6 / Jun 20, 2011 1:49am

    Nora

    41 posts

    I’m going to ignore the law and wait for them to revert it.

    It must be a lot harder for everyone dealing with clients.
    European countries have to make their own laws based on the regulations of the EU. So instead of just implementing something that can’t even be implemented, you also have to be aware of what law your client will fall under.
    I’ve already read that The Netherlands is considering a more extreme version. 😡

    If you want to be on the safe side just avoid using Analytics. The cookies ExpressionEngine sets should be allowed based on the EU’s exemption of strictly necessary cookies (I have no idea how individual countries will deal with this though).

  • #7 / Jun 20, 2011 5:14am

    nathanpitman

    531 posts

    I think the best approach right now is to undertake an audit of your client’s site so that you can provide them with a clear document outlining the use of Cookies. I think initially that will be enough, first off it’s probably information they should be aware of anyway and secondly it at least means that they will be deemed to be taking steps to understand how the law affects them. Even if ultimately they need do nothing more because of a change in how browsers handle such cookies.

    For most clients such an audit would be pretty much identical, our clients’ sites are all running on ExpressionEngine and using Google Analytics so the report would be written once and distributed to many.

    What would be really useful is some insight from the EllisLab folk with regards to the cookies that ExpressionEngine sets, what the purpose of each cookie is and what kind of data it stores etc.

  • #8 / Jun 20, 2011 7:03am

    I’ve tried to find the official view from Google (as it’s their analytics that is most likely to suffer) but haven’t found one.
    It would be good to know what they are thinking.

  • #9 / Jun 20, 2011 9:08am

    Nora

    41 posts

    What would be really useful is some insight from the EllisLab folk with regards to the cookies that ExpressionEngine sets, what the purpose of each cookie is and what kind of data it stores etc.

    Not sure whether I got it right, but this is what I added to my privacy policy page. It’s based on the comments from the file that sets the cookies. I hope you find it helpful until EllisLab can provide better information. 😊

    exp_tracker
    Don’t let the name fool you - this cookie doesn’t track what you do online. It only keeps track of the last 5 pages you visited on site.com. This information allows site.com to redirect you to the page you were on before submitting a comment or sending us an email through the contact form.

    exp_last_activity
    This cookie contains the date of your last activity on site.com.
    If you haven’t been active on the site before, your last activity will be set to the current time.

    exp_last_visit
    This cookie is only relevant to registered users. If you’re browsing site.com as a guest, this cookie will be set to a date in the past.

    The cookies exp_last_activity and exp_last_visit allow site.com to show you which content has been updated since your last visit.

    Paul Frost, I’ve asked someone working with Neelie Kroes about Analytics and he replied that many think Analytics won’t be affected by the cookie law. I’m also waiting for Google to provide more information. 😊

  • #10 / Jun 30, 2011 4:11am

    benbeilharz

    51 posts

    I had not heard anything about this. Which sites does this affect exactly? Is it UK businesses and citizens or any site hosted in the UK?

  • #11 / Sep 12, 2011 8:25am

    I just found a post by ElectricPutty (EE Devs) that explains the situation quite well.
    It also links to this video, which does what it says:
    The whole thing explained perfectly in 2.5mins
    The video is made by Silktide, who also have a very detailed guide to the Cookie law.

    It doesn’t look like this is going away.
