Today I was posed the question, by a prospective new client, of whether their new web site would breach the May 2011 UK cookie law. Although aware of the new law, I will admit I had not yet looked at the actual legislative requirements. Let's take a look.
Where are cookies used?
Cookies are used by nearly all web sites to remember information about visitors between pages and sessions. In most cases, this information is stored server-side, not in the cookie itself; the cookie simply acts as a key.
Common use of a cookie – Analytic software
These statistics help site owners determine content that is popular, which browsers people are using and a variety of other useful information to help owners deliver better experiences to their users.
When you first came to this blog, my analytics software (www.getclicky.com) issued you with one of these cookies. All the cookie contains is a unique string / numeric identifier.
Other uses of cookies
A slightly more privacy-invading example of cookie use is Google AdSense. They monitor what you look at (on participating web sites) and then show you advertising related to this. For example, if you go to KLM’s website (www.klm.com) and search for a flight, then go to any web site with Google Ads on it, I guarantee somewhere you will see an advert for KLM.
So what does the law say?
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. – Quoted from silktide.com
The quote above is extracted from the EU Directive in October 2009, which the UK went on to copy into law effective as of May 2011.
However, the law allows for cookies that are “strictly necessary for a service requested by a user”; the exact definition of this remains very vague.
So in a nutshell, if a UK web site wants to send you any cookies, legally, it should ask you before it does so.
Why it’s problematic
This law, in my opinion, is nearly as ludicrous as the law that was held up until 1976 for UK taxis to carry a bale of hay in their boot. This is for multiple reasons, to name a few:
- Lack of alternative options currently available to web developers to easily accomplish common goals and abide by the law
- Cost to UK businesses to implement these alternatives
- Competitive advantages handed to businesses based in other geographical areas
- The impracticability of asking every user whether they would like to accept cookies
A superb resource regarding this matter with fuller detail of the law and its implications can be found here at silktide.com.
Update: I’ve made a follow-up post on EU Cookie Law: UK Government ‘break’ the law they imposed