EU Cookies Directive - 26th May 2012

[Jimmy0]

http://www.ico.gov.u...de/cookies.aspx

Is anyone actually aware of the new law coming into effect on 26th May 2012? It basically states that if your website uses cookies to store information on a users PC, you must gain their consent to storing the cookies before doing so. (E.G. The banner displayed at the top of the ICO site).

I am interested to hear from people who run their own websites, and those who work within company's also, as to what (if anything) you / the business you work for, is going to do in order to comply to this new law?

[stereopixels]

My company are opting for a bt.com-style opt-in mechanism; last year we started developing a tougher approach which insisted before people browsed our site they make a decision, but in an interview the information commissioner touched on the BT.com website and how their approach looked "perfectly fine"; our approach would have probably meant more people clicking "no" and leaving us completely unable to track them around our site (I should point out that our Google Analytics cookies are the only cookies we set except for logging into certain areas of our site; we try to be as respectful as possible about our visitor's privacy), BT are using implied consent by allowing a timeout of around 15-20 seconds where they specify that the website will set cookies... if the user ignores or cancels the warning they are giving their consent, if they click the "no cookies" option on the warning instead, then they'll opt out. Once they've opted in or out they can easily change their minds later via a cookie preference option on the page.

[Vice]

I will be ignoring this directive on my sites when it comes in to effect. Business as usual.

[Miuku.]

I will be ignoring this directive on my sites when it comes in to effect. Business as usual.

*stalks Vice's website and sicks missus the lawyer on Vice*

:D

[Glassed Silver]

Don't host your site in the EU.

Simple lol

I don't host it in Germany, because you are FORCED to write an imprint.

Now generally I'd be fine with writing one, no doubt, but I won't let others tell me what's on my site and what is not.

Suck it, I'll take my business elsewhere haha

Glassed Silver:mac

[jakem1]

I'd like to see sites making it clear what they're storing in cookies and giving me the option to keep configuration settings and block any tracking.

Sites also need to work better without cookies. For instance, block cookies on YouTube and you're always presented with an annoying and totally irrelevant banner related to language settings or some nonsense.

I hope the EU really cracks down on sites that ignore the directive.

[Jimmy0]

My company are opting for a bt.com-style opt-in mechanism; last year we started developing a tougher approach which insisted before people browsed our site they make a decision, but in an interview the information commissioner touched on the BT.com website and how their approach looked "perfectly fine"; our approach would have probably meant more people clicking "no" and leaving us completely unable to track them around our site (I should point out that our Google Analytics cookies are the only cookies we set except for logging into certain areas of our site; we try to be as respectful as possible about our visitor's privacy), BT are using implied consent by allowing a timeout of around 15-20 seconds where they specify that the website will set cookies... if the user ignores or cancels the warning they are giving their consent, if they click the "no cookies" option on the warning instead, then they'll opt out. Once they've opted in or out they can easily change their minds later via a cookie preference option on the page.

Interesting interview... It certainly seems to me that ICO are not overly bothered about explicitly gaining the users consent, but more to trying to educate them about what cookies a site uses and why.

I will be ignoring this directive on my sites when it comes in to effect. Business as usual.

This doesn't surprise me one bit, and I expect it to be the attitude of most people out there.

I'd like to see sites making it clear what they're storing in cookies and giving me the option to keep configuration settings and block any tracking.

Sites also need to work better without cookies. For instance, block cookies on YouTube and you're always presented with an annoying and totally irrelevant banner related to language settings or some nonsense.

I hope the EU really cracks down on sites that ignore the directive.

Well, that in essence is what the new directive is for. However, I cannot personally see it being well enforced.

The company I work for is going for an "all or nothing" solution. This being a modal window that appears asking for the users consent, it has a quick sentence explaining about the new directive, with a link to the privacy policy page (opening in another modal window). It will then have a check box, which when ticked enables a continue button to be pressed, which will then allow them to proceed and use our websites. If you don't click continue, then you will not be able to use our sites.

This is one of the most hideous solutions I have heard of, however none of my protests and different proposed solutions to the problem (e.g. updating the privacy policy page to expand what cookies we use, and why. And perhaps having an information bar along the top of the screen stating about the new directive and linking to this new page, but not stopping the user from using the websites) was listened too, as the higher ups were too scared about being fined due to it not actually gaining the users consent. But hey, what do I know... I am merely a placement student and at the end of the day do what I am told :p

Be interesting to see if we get any complaints from our customers next week when we put this solution live.

[n_K]

I thought it was already passed last year? Oh well, I stuck a 'proud to ignore the EU cookie directive' on a few of my sites for the hell of it, and ignored it.

[AdamLC]

Well I dont care about my personal sites but at work we have had to implement various things on our client sites. Most of them no longer have Google Analytics which on most of them was the only cookies anyway.

Although saying that some clients have opted to use a php server side google analytics method :)

[jakem1]

Well, that in essence is what the new directive is for. However, I cannot personally see it being well enforced.

Yes, I know what the directive is for but, as you pointed out in your post, different companies will come up with different solutions to ensure compliance. I just hope that the majority of websites adopt a sensible approach that distinguishes between cookies that are used for settings and cookies that are used for tracking. I doubt that will happen though as most will want to continue tracking users and will ensure that their websites are difficult to use if users don't agree to be tracked.

The company I work for is going for an "all or nothing" solution. This being a modal window that appears asking for the users consent, it has a quick sentence explaining about the new directive, with a link to the privacy policy page (opening in another modal window). It will then have a check box, which when ticked enables a continue button to be pressed, which will then allow them to proceed and use our websites. If you don't click continue, then you will not be able to use our sites.

This is one of the most hideous solutions I have heard of, however none of my protests and different proposed solutions to the problem (e.g. updating the privacy policy page to expand what cookies we use, and why. And perhaps having an information bar along the top of the screen stating about the new directive and linking to this new page, but not stopping the user from using the websites) was listened too, as the higher ups were too scared about being fined due to it not actually gaining the users consent. But hey, what do I know... I am merely a placement student and at the end of the day do what I am told :p

Be interesting to see if we get any complaints from our customers next week when we put this solution live.

I agree. This does sound hideous and it's precisely the sort of thing that I hope websites avoid. However, if companies choose to take an "all-or-nothing" approach to cookies then I hope educated users will choose to avoid them. I should be free to surf the web without having my privacy invaded. The EU directive was designed with that in mind and companies/individuals should abide by the spirit of the directive when redesigning their websites.

[jakem1]

I thought it was already passed last year?

It was passed last year but it only comes into effect this year to give everyone an opportunity to modify their sites.

[Jimmy0]

I thought it was already passed last year? Oh well, I stuck a 'proud to ignore the EU cookie directive' on a few of my sites for the hell of it, and ignored it.

It did pass last year, however a 1 year grace period was given in order for websites to develop solutions in order to become compliant.

Well I dont care about my personal sites but at work we have had to implement various things on our client sites. Most of them no longer have Google Analytics which on most of them was the only cookies anyway.

Although saying that some clients have opted to use a php server side google analytics method :)

Did any of those sites rely heavily on needing the statistics given from tracking users? I assume not if they decided not to use Analytics?

I agree. This does sound hideous and it's precisely the sort of thing that I hope websites avoid. However, if companies choose to take an "all-or-nothing" approach to cookies then I hope educated users will choose to avoid them. I should be free to surf the web without having my privacy invaded. The EU directive was designed with that in mind and companies/individuals should abide by the spirit of the directive when redesigning their websites.

Indeed, and I do agree with you. I have protested many times against the design the company has gone for, but to no avail. I am hoping that after a couple of weeks they will see that other sites have not taken to such extreme measures and not getting fined, and they will decide to take a less harsh approach. (This process may even be sped up if we get any customer complaints)

[ZakO]

Most of our clients' websites use Google Analytics, we're contacting them and giving them the choice (it's their legal responsibility);

1. Disable Google Analytics (and possibly use different cookieless analytics software/scripts)
   
2. Add an Accept / Decline cookies modal window
   
3. Ignore the new directive and leave the site as-is.
   

For my own sites which use Google Analytics I'm going to be (for now at least) ignoring the new directive and seeing how other popular sites approach it. It has already been stated things like Google Analytics are a "grey area" regarding the new directive and it's unlikely anyone will be fined/prosecuted for Google Analytics alone.

[-Alex-]

I agree. Lots of sites use Google Analytics as it's a very common thing to have running. Also, look at sites like twitter.com - according to firefox it has set 42 cookies on my computer - I don;t see any intrusive popups there. Facebook is the same too - lots of cookies, yet no popup/warning - personally couldn;t care less on both accounts as all the cookies used in both of those sites are just there for auth and remembering the odd setting, that speeds up my browsing experience significantly. Have also just gone the hsbc website and can't see anything at all relating to cookies.

When those big sites start adhering then I'm sure a lot of other sites will too.

As a web developer, this is just an example of something else you need to take note of * big sigh *

Twitter and Facebook are exempt from this, since they are outside the jurisdiction of the EU directive. As for HSBC, I haven't looked at their site personally, but if the cookie is required for the core functionality of the site, that also makes them exempt.

The directive is more for tracking cookies (like GA).

[+DonC Subscriber²]

I've taken this as an opportunity to ditch Google Analytics and a social sharing feature. Glad to see the back of them myself.

From what I've found, all the things that people actually look at can be done with log file processors.

[Salem874]

http://www.ico.gov.u...de/cookies.aspx

Is anyone actually aware of the new law coming into effect on 26th May 2012? It basically states that if your website uses cookies to store information on a users PC, you must gain their consent to storing the cookies before doing so. (E.G. The banner displayed at the top of the ICO site).

I am interested to hear from people who run their own websites, and those who work within company's also, as to what (if anything) you / the business you work for, is going to do in order to comply to this new law?

YEah

i heard about it, but didnt hear much detail on what we're required to do and by when until last week when i visited a site (work related) using Cookie Control (i think thats what its called).I'd better start working on getting my sites compliant, not much time left though.

Is this applicable to all sites or only EU hosted ones?

[-Alex-]

YEah

i heard about it, but didnt hear much detail on what we're required to do and by when until last week when i visited a site (work related) using Cookie Control (i think thats what its called).I'd better start working on getting my sites compliant, not much time left though.

Is this applicable to all sites or only EU hosted ones?

Not even EU hosted... just EU registered companies. Doesn't matter if it's hosted in the US, the Middle East, or EU... it's only applicable to EU businesses. Hosting location plays no role in it.

To quote a post of mine in another thread:

2 points on cookies, potentially of relevance to the OP:

http://silktide.com/cookielaw

I.e. if the OP is outside the EU, or if the cookie is necessary, it's fine to use a cookie.

[Glassed Silver]

[...] Facebook are exempt from this, since they are outside the jurisdiction of the EU directive. [...]

True until you have a logged in session with Facebook, then it gets to Facebook Ireland and hence, has to comply with EU regulations.

So browsing the web, being logged into Facebook (either closed tab + active session with them OR open tab and active session with them) will put them under EU laws.

EU users sign up and agree to TOS with Facebook IRELAND.

Glassed Silver:mac

[-Alex-]

True until you have a logged in session with Facebook, then it gets to Facebook Ireland and hence, has to comply with EU regulations.

So browsing the web, being logged into Facebook (either closed tab + active session with them OR open tab and active session with them) will put them under EU laws.

Glassed Silver:mac

Ah, didn't know FB had a company registered outside the US. Just done a credit search on them, and it seems they have more than just the Irish one actually:

Good to know!

[Tjcrazy]

So it's only if you host your site in the EU? If my site is a UK based site, but hosted in US - I'm not under this directive?

[-Alex-]

So it's only if you host your site in the EU? If my site is a UK based site, but hosted in US - I'm not under this directive?

Other way round. Hosting location is irrelevant. The directive covers all EU companies.

[Glassed Silver]

Ah, didn't know FB had a company registered outside the US. Just done a credit search on them, and it seems they have more than just the Irish one actually:

Good to know!

Yeah, there are others, but their importance doesn't seem to be of much magnitude, as you always sign up with Facebook Ireland in the EU. (at least here in Germany, and I think that's the case for all EU countries)

That's because the FB Europe HQ is in Ireland, the subsidiaries are of no function to the actual TOS relations to their users afaik.

I guess those are merely for marketing, spokespersons, support, localizations, etc...

Rather the background kind of work - nothing too much TOS-ish. (I guess)

Probably I can buy marketing deals with those, too.

Other way round. Hosting location is irrelevant. The directive covers all EU companies.

Exactly.

I guess the only exception are private persons... Could be totally wrong though...

Glassed Silver:mac