EU Cookie Law

Cookies

Cookies (Not that sort of cookie!)

Many people have heard about the EU cookie law now, and we’re seeing more and more websites showing popups about cookies as a response to it. But, there is a great deal of confusion about what it means in practice for website owners.

About Cookies

What is a Cookie?

A cookie is a piece of text that is sent from the server when you visit a page. It is stored on your computer and your browser sends the cookie back to the server each time you request a page from that website.

Why do websites need to use cookies?

Cookies allow the website to verify that you are the same person visiting the site again. This can be used for things like keeping you logged in to a site, allowing you to add items to a shopping cart, or to track if you’ve visited the site before.

Are cookies bad?

Cookies themselves aren’t bad. They can’t do anything malicious to your computer, or allow access to any other data on your computer.

What’s all the fuss about then?

One example is that web pages can include widgets embedded within them, such as adverts or a like button, which will store cookies from the owner of the widget, not just the website owner. If you visit lots of sites with such a widget on, it is possible for the widget owner to track you across multiple sites and collect information about which websites you’ve visited and potentially what you’ve been doing. Collecting this level of information is often considered excessive.

The Cookie Law

About the cookie law

The cookie law comes from the EU’s e-Privacy directive. It’s about making websites more transparent about what they’re doing, and what data they’re collecting. It’s often not transparent to the user who’s doing what exactly when you visit a web page.

What does the cookie law require?

The cookie law is not prescriptive in the sense that it doesn’t tell website owners exactly what they need to do to comply. It puts the onus on the website owner to review the cookies that are sent when browsing their website, be transparent about what’s happening, and gain consent for the use of the cookies in a way that is appropriate for their site.
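
As an added example (not part of the original post), this is one way to carry out that review: take the Set-Cookie headers seen while a page loads and classify each cookie as first-party or third-party and as session or persistent, which singles out the embedded-widget tracking case described earlier. The hosts, cookie names and values are constructed, and the first-party test is a simplification noted in the code.

```javascript
// Added example: audit the cookies set while one page loads.
// Constructed sample data; hosts and cookie names are hypothetical.
const PAGE_HOST = "blog.example";
const OBSERVED = [
  { host: "blog.example", header: "session=abc123; Path=/; HttpOnly" },
  { host: "blog.example", header: "analytics_id=GA1.2; Max-Age=63072000; Path=/" },
  { host: "widgets.social.example", header: "uid=77f1; Max-Age=31536000; Secure; SameSite=None" },
  { host: "ads.tracker.example", header: "id=9c2e; Expires=Wed, 01 Jan 2031 00:00:00 GMT" },
];

// Split one Set-Cookie header into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Simplification: a host is first-party if it is the page host or a
// subdomain of it. Browsers compare registrable domains instead.
function isThirdParty(pageHost, host) {
  return !(host === pageHost || host.endsWith("." + pageHost));
}

// Classify each observed cookie for the site's cookie information page.
function auditCookies(pageHost, observed) {
  return observed.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const thirdParty = isThirdParty(pageHost, host);
    const persistent = "max-age" in c.attrs || "expires" in c.attrs;
    return {
      name: c.name,
      setBy: host,
      party: thirdParty ? "third-party" : "first-party",
      lifetime: persistent ? "persistent" : "session",
      // A persistent third-party cookie is the cross-site tracking case.
      crossSiteTracking: thirdParty && persistent,
    };
  });
}

console.table(auditCookies(PAGE_HOST, OBSERVED));
```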

What does gaining consent mean in practice?

This is what many people are debating. You need consent to store cookies, but “implied consent” is also a valid form of consent for some cookie use. Many site owners have opted for the safest option of displaying a popup as the site is first visited and explicitly asking the user to opt-in to allowing cookies for that site. This obviously provides a pretty bad user experience, as everybody hates sites that have popups.

Almost every significant site is using some form of analytics tracking via cookies, such as Google Analytics, and all sites with user accounts, or functionality like shopping carts, will need to use session cookies. It doesn’t seem particularly helpful for the user if every site they ever visit has the same popup saying we use cookies. Explicit consent to use cookies is probably only required if something is going on outside of these typical and valid uses.

The model that is becoming more popular now after the initial panic is an implied consent approach. An unobtrusive bar is displayed at the top of the page, informing the user that the site uses cookies and providing a link to a page where the user can find out all the details. If the user visits a second page on the site, or clicks a dismiss button, the bar is no longer shown. This is an approach used by many government sites at the moment, including gov.uk and royalnavy.mod.uk.

Cookie information message on gov.uk.
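
The bar behaviour described above, as an added example that is not the code of gov.uk or of any plugin: the bar is shown on the first page view, a marker cookie is written at the same time so the second page view hides it, and a dismiss button removes it immediately. The cookie name, its lifetime and the `/cookies` link are assumptions.

```javascript
// Added example: decision logic for an implied-consent information bar.
// The cookie name and lifetime are assumptions, not any plugin's values.
const NOTICE_COOKIE = "cookie_notice_seen";
const ONE_YEAR = 60 * 60 * 24 * 365; // seconds

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const i = part.indexOf("=");
    if (i === -1) continue;
    jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Decide what to do on page load. Returns whether to show the bar and the
// cookie to write so that the next page view does not show it again.
function onPageLoad(cookieString) {
  const seen = parseCookies(cookieString)[NOTICE_COOKIE] === "1";
  if (seen) return { showBar: false, setCookie: null };
  return {
    showBar: true,
    setCookie: `${NOTICE_COOKIE}=1; Max-Age=${ONE_YEAR}; Path=/; SameSite=Lax`,
  };
}

// Browser wiring; skipped when run outside a browser (for example in Node).
if (typeof document !== "undefined") {
  const { showBar, setCookie } = onPageLoad(document.cookie);
  if (showBar) {
    document.cookie = setCookie; // the second page view will find this
    const bar = document.createElement("div");
    // Text is inserted with textContent so configurable wording is never parsed as HTML.
    bar.textContent = "This site uses cookies. ";
    const link = document.createElement("a");
    link.href = "/cookies"; // assumed location of the cookie details page
    link.textContent = "Find out more about cookies.";
    const dismiss = document.createElement("button");
    dismiss.textContent = "Dismiss";
    dismiss.addEventListener("click", () => bar.remove());
    bar.append(link, dismiss);
    document.body.prepend(bar);
  }
}
```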

Is the law a good thing?

Making websites more transparent about what they’re doing has got to be a good thing. Making every website implement a popup displayed each time a user visits a site is clearly just annoying, frustrating, and provides absolutely no guarantee that the information a website provides on cookie use is correct. But presumably the law gives the authorities more power to act on the malicious sites than they had before.

If you want to be sure what cookies are being sent, or to delete or disable them, you can do this in the web browser.

Chrome Cookie Settings

Google Chrome Cookie Settings

Everyone needs to be a cookie expert?

What about someone running a small blog? Perhaps it’s running on WordPress and they have the technical ability to install a new theme and a few plugins to put various widgets on their pages. Do they now also need to become a cookie expert, perform a full audit of the cookies used on their site, and implement an appropriate consent model to get permission from their users? If not, they may get busted for illegal cookie use. That doesn’t seem reasonable or particularly beneficial to society.

Implied Cookie Consent Plugin for WordPress

What with all the confusion about what’s required, there are a ridiculously large number of plugins available for WordPress that help the site owner comply with the cookie law. I found that many of them were overly complicated to set up, or were too annoying for the user. Modal popups are a great way to turn away new users and increase your bounce rate. As none of these plugins seemed to do what I wanted, I decided I’d need to write my own solution. I’ve made it into a plugin and it’s now downloadable from the plugins repository.
wordpress.org/plugins/implied-cookie-consent

The goal was quite simple: to provide an unobtrusive information bar at the top (or bottom) of the web page informing the user the site uses cookies.

Cookie information bar displayed at the top of a webpage.

The colour and content of the information bar can be customised via settings in the admin. The information bar links to a page where the site owner can put their own text about the cookies used.

Implied Cookie Consent admin settings.

See the Implied Cookie Consent WordPress plugin in use the first time you visit AntarcticGlaciers.org, or on this site.

Further Reading About Cookies

ico.gov.uk
allaboutcookies.org
aboutcookies.org
