The stupid EU cookie law

In May 2011 a new law came into effect across the European Union that affects probably around 90% of all websites. The UK government has given UK website owners a year (so, until May 2012) to get up to speed with the legislation and do something about it. The law is to do with how cookies are used.

What is a cookie?

In Web-speak, a cookie is a simple text file that stores information about websites you’ve visited. Cookies can be used for lots of things, such as letting the browser remember that you are already logged into a website, storing items in a shopping cart on a commerce website, or keeping user preferences on another site.

My main browser (Google Chrome) reports that it has stored 3722 cookies from 1374 web domains.

A cookie for a particular site can only be written to and read by that website. So, Facebook cannot read cookies created by Google websites, and Google websites cannot read cookies created by Facebook.
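An added illustration of the scoping rule described above (not code from the original post): a simplified model of the RFC 6265 domain-matching check, covering both which host may set a cookie and which host gets it back. The `CookieJar` class and the `.example` host names are constructed for the example, and Path, Secure, expiry and the public-suffix check are left out.

```javascript
// RFC 6265 s5.1.3: a host matches a cookie domain if the two are identical
// or the host ends with "." + domain (so it is a subdomain of it).
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

class CookieJar { // hypothetical class, for illustration only
  constructor() { this.cookies = []; }

  // Write side: a response from `host` may set a cookie for itself
  // (host-only) or, via the Domain attribute, for a domain it belongs to.
  set(host, name, value, domainAttr) {
    let domain = host.toLowerCase(), hostOnly = true;
    if (domainAttr) {
      domain = domainAttr.replace(/^\./, "").toLowerCase();
      if (!domainMatch(host, domain)) return false; // foreign domain: rejected
      hostOnly = false;
    }
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // Read side: only cookies scoped to `host` go into its Cookie header.
  cookiesFor(host) {
    host = host.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
      .map(c => `${c.name}=${c.value}`);
  }
}

// Constructed host names; no real sites are involved.
function demo() {
  const jar = new CookieJar();
  const accepted = [
    jar.set("www.social.example", "sid", "abc"),                     // host-only
    jar.set("www.social.example", "pref", "dark", "social.example"), // shared with subdomains
    jar.set("www.search.example", "sid", "zzz", "social.example"),   // cross-site attempt
  ];
  return {
    accepted,
    toSocial: jar.cookiesFor("www.social.example"),
    toSubdomain: jar.cookiesFor("m.social.example"),
    toSearch: jar.cookiesFor("www.search.example"),
  };
}
console.log(JSON.stringify(demo()));
```

The host-only `sid` cookie goes back only to the exact host that set it, while `pref` is also sent to sibling subdomains because of its Domain attribute.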

The worry is, however, that spyware software could potentially access these cookies—they are simple, easily read text files after all—and gain all sorts of information about you, such as browsing habits, personal details, etc. And it seems to be this that the legislation is aiming to address.

The issue

Over the next few months I’m going to have to get my head around this legislation, both for my own websites and for the University of St Andrews website. There have been some interesting and useful discussions about it on various JISC-run inter-university email discussion groups.

My main concern is that this doesn’t ruin the user experience. It’s going to be very, very annoying if you are required to give consent to every single website before you can meaningfully use it. My fear is that it’s going to become the Web equivalent of the User Account Control (UAC) nightmare that Windows Vista introduced.

Update

Thursday 5 January

Last night’s post was a bit rushed. I didn’t expand it quite as much as I’d have liked but I was tired and I just wanted to get to bed!

Ironically, I kept waking up during the night thinking about it. At one point Jane was awake so I talked it through with her. She has to put up with that kind of thing from me all the time, poor girl!

Anyway, this morning I got three replies on Twitter:

  1. Surely new cookie guidelines are sensible? Happy to chat about this.
  2. The sad fact is, it puts EU based sites/companies at a disadvantage vs those in the rest of the world.
  3. In intent, sensible. In execution, I’m with @garethjms – stupid. Can only see negatives for UX.

And a couple of comments below (which I’ve only just approved). A nice balance of for and against. I look forward to getting my head around this and posting more about it, here and on my professional blogs.

4 thoughts on “The stupid EU cookie law”

  1. It really worries me to think that these buffoons are making laws about things they don’t understand. Did anyone tell them that the internet was stateless (in more ways than one)? How are we going to persist a session? You can append a session ID to a URL, but then sharing sessions just got as easy as copying a URL!

    Buffoons I tell you!

  2. Hi Gareth
    I’m pleased that you have raised your concerns in a public forum. I feel that in order for UK universities to avoid reinventing the wheel we should be being open, as you are, about planned areas of work, and possible concerns about such activities.
    As you probably know, before Christmas I wrote a post on The Half Term Report on Cookie Compliance in which I cited Ranjit Sidhu’s comment on the ICO’s guidance. Ranjit described how “the ICO [is] helping organisations comply and improve rather than jumping out of the blue on organisations naming them as illegal and shutting them down”.
    I feel there should be some lightweight approaches we can be taking to document the cookies which we use. I also feel that if we work collaboratively, the HE sector will be able to demonstrate best endeavours which are being taken across the sector. This should be better than taking a piecemeal approach. It would be great if, for example, Scottish Universities could agree on a standard way of documenting their use of cookies.
