
55 websites?
Well that's obviously a very good sample that's going to give them an accurate picture of what's going on, isn't it?
Many website operators have responded to the Information Commissioner's last-minute watered-down tweak to implementing the European Union's cookie law by doing absolutely nothing to show that they have complied with the legislation. That's the damning verdict from consultancy outfit KPMG, which looked at 55 UK websites to see …
Quite!
Even claims in dodgy ads for making eyelashes 'lusher', or some such manage a larger sample size than that.
Can almost imagine the scene at the KPMG 'research centre': "Shit, we've got 7 minutes before we have to hand in this report, been caning the gak for the last 8 hours and 23 minutes....right, let's see how many sites we can squeeze in".
And these twats audit how many of the FTSE 100?
You mean "appear lusher". Like "healthy looking hair" which isn't actually healthy at all. Perfect for the sort of idiot who actually agrees that the screen on the iPad really does "look this good", when viewed as an advertisement on their television.
Still, I don't blame them. It obviously works.
They could have at least audited all of the FTSE 100 web sites. That sample might have meant something, even if it's still ultimately pointless.
KPMG are totally useless, as the last ten years have demonstrated over and over again. They continue to exist due to backhanders on a massive scale to government ministers who are promised "jobs" consisting of ten hours of turning up at conferences to stuff their faces every month in return for 50 grand a year if they just make sure that the company's failures are continually overlooked every time they tender.
It's not just KPMG, of course. Our company sub-contracts for PwC and getting a glimpse inside reveals why these big "consultancy" firms are so bad at everything they do - they're staffed by and run by total idiots who don't understand their own company let alone anything they're brought in to look at. I've never met so many people with so little feeling that they might get the sack if the project they're on goes wrong.
And quite rightly. I've watched them throw hundreds of thousands of pounds (not their own, of course, the NHS's) at projects that were ill-conceived and badly designed for no obvious purpose and then, when the moron in charge moves to a different department, they just forget the whole thing. Literally not the slightest effort to even deliver the pile of crap they had developed so far. 100% waste.
I always have a good laugh about the idea that the private sector is some haven of efficiency and quality - 9 out of 10 times it's the private sector that actually ran or designed some great public sector disaster. And most of the time, the people in the public sector had repeatedly pointed out that the project was in trouble years before the collapse. But of course, they can't offer the minister a three-girl blowjob in the Caribbean and a 50K boost to his pension for the rest of his life, can they?
Thank goodness we don't have corruption in this country like those nasty foreigners; otherwise it would be easy to become cynical.
> Well that's obviously a very good sample that's going to give them an accurate picture of what's going on, isn't it?
Depends on how the sample has been selected. If it was done diligently, then a sample of 55 can have enough statistical power to make significant inferences about a vastly larger population.
I don't know the methodology used by the auditors so I cannot formulate any valid opinions as to its suitability. I don't see much that is "obvious" here about it being a good sample or, particularly, otherwise.
...why can't El Reg use cookies to remember that I have consented to them using cookies and therefore stop asking me EVERY TIME I visit the site if 'I'm fine' with them using cookies (even though there is no option for me to 'not be fine' with it)?
On the other hand maybe I have blocked all cookies or something - I can't be arsed to check.
Anonymous, cos I can't login any more :(
No, there seems to be something broken with the cookie handling on El Reg.
Certainly cookie 5 (eucookie) is not set, no matter how many times I click on 'I'm fine with this'
Unfortunately the table on the El Reg cookie policy (http://www.theregister.co.uk/Profile/cookies/) does not indicate which domain would want to set which cookie, so it's a bit difficult to be more precise.
We really need a more complex approach to cookie management.
It seems fitting that this should be based on the hierarchy of crunchy comestibles.
So a cookie that you are prepared to keep permanently until it expires would be flagged - "rich-tea biscuit"
One which will be deleted as soon as your session ends will be represented by the shorter lived "hobnob".
And a cookie that never even makes it as far as the cupboard would be a "chocolate caramel"
I gave up and adblocked the notification message instead...
What filter did you use? I am sick of the thing coming up every_fucking_page of the site despite me clearing out cookies and allowing them for el reg. I'm sick of the damn thing. A plague of boils 'pon your web monkey's wotsits, Reg!!!
It's a moronic law written by people with no knowledge of the technologies involved. It's practically unworkable as it stands and will hopefully be dropped entirely shortly. If not, at the very least let's hope that ignoring it becomes commonplace. Like how it's illegal to park your car on the pavement but the police are unlikely to prosecute you for it unless you're causing a problem for others.
Not sure I agree. There also tends to be lots of confusion about this law (seems even with KPMG) and the versions I've read so far (can't be bothered to look for the original and try to make some sense out of it) are quite unanimous: the cookies which you should warn about are the so called session tracking cookies. So cookies which could be (ab)used by other websites to gather info about the stuff he or she did on your website.
But regular cookies such as keeping registration info for a website, "functionality cookies" (as I tend to call them; so making sure stuff works for the current website session) and all the other cookies which are required to make sure your site operates as normal do not fall under this law.
With that in mind I don't think this law is very stupid. Because the one thing people get bothered with are the trackers. The stuff which makes sure that the website still knows you looked for shoes, but also allows other websites to pick up this info and throw shoe ads in your face.
It's not as if that behavior couldn't be prevented ....
> can't be bothered to look for the original
It's often a good idea...
> the cookies which you should warn about are the so called session tracking cookies
This is not sufficient, per the legislation.
Regulation 6 says this :-
"a person shall not store or gain access to information stored, in the
terminal equipment of a subscriber or user unless the requirements of
paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of
the storage of, or access to, that information; and
(b) has given his or her consent.
"
Note that this covers all cookies, not just session cookies.
Whether or not any of this will actually be enforced is another matter of course. And the ICO's "implied consent" defence essentially nullifies any possible prosecution unless a site is truly taking the piss, and its users complain.
Vic.
IANAL but I believe it actually isn't illegal to park your car on the pavement. I think it's illegal to 'drive' your car on the pavement but, if it's just parked there, that's fine. The police will only move your car if it is causing an obstruction. Of course, if there are double yellows on the road you are still liable to be ticketed, but it can be useful where there are no lines and some idiot at the council has built out a bit of pavement purely as a nuisance (I'm sure we can all testify to this phenomenon).
How do you park your car on the pavement without first driving on it? Therefore the act of being on the pavement implies getting there illegally.
IANAL also but I get annoyed with people parking on pavements and I have to squeeze around them. I feel sorry for anyone in a wheelchair. If there is a car on the other side of the road meaning it would be impractical to park opposite it, don't. Find somewhere else to park, don't use up the space intended for people walking.
Rant over, off topic, coat fetched.
Parking on footpaths is illegal in Landan Town (http://www.legislation.gov.uk/ukla/1974/24/section/15).
The cookie law annoys me as I keep seeing these silly grey banners wittering on about cookies. I wondered why they kept popping up everywhere. If I want to stop cookies it's not hard and I shall make the effort. I just wish the law made them put the "cookie spam banner" in a .js file with a given name to make it straightforward to block.
To cover cookies that can track your behaviour outside of the website it was set within, or allow cookies from a TLD to be excused while browsing that TLD.
Surely that would just let normal everyday shortlived session cookies do their thing while 'dealing with' cookies that track your wider behaviour from stuff like FB & Google
"breach of the 2006 Companies Act by failing to disclose the registered name, number, registered address and VAT number"
I think that's only required if the website is trading, no?
Either way, the legal requirement seems entirely reasonable, and it's the lack of enforcement which is the problem.
You want my custom, you comply with the law. It's not unreasonable is it?
Dobbies Garden Centres are the most recent offender I came across. Dobbies were bought by Tesco in 2008 but you'd barely know it from their website; the Ts+Cs still reference the pre-Tesco company number.
"the Ts+Cs still reference the pre-Tesco company number"
That'll be because Dobbies Garden Centres Ltd (guessing that's the correct name) is the same trading entity as it was before Tesco bought them, so their registration with Companies House hasn't changed. Just because the profits are now going to Tesco instead of Mr Dobbie doesn't mean the company number has to change too
"Dobbies Garden Centres Ltd (guessing that's the correct name) is the same trading entity as it was before Tesco bought them,"
Not really.
Before Tesco bought them it was Dobbies Garden Centres plc. Look it up on Webcheck at Companies House, where the name change is on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'.
Nowadays, Dobbies are a (wholly owned?) subsidiary of Tesco. Dobbies are not a plc at all.
If traders are not going to be honest about who they are, as legally required by the Business Names Act and subsequent legislation, they do not deserve to stay in business.
Brussels introduces new law. The UK implements it, increasing costs for UK businesses. The other European states ignore it thus making UK businesses slightly less competitive.
I saw a report a few years ago that looked at how the various states implemented laws passed down from Brussels. It turns out that the UK is the most compliant of all member states, with France and Germany happily ignoring anything they didn't agree with or could not be bothered to implement.
It is little wonder that France and Germany want more power passed on to Brussels. They will simply ignore it whilst the fools in the UK implement it.
Dumping this clusterfuck on web developers is inane and shows a lack of understanding of how cookies and the internet function. If cookies are an issue that requires legislation, it should be on the browser makers to provide controls that are suitable for managing cookies (doing the work in one place- well, OK, 5) rather than asking millions of websites to alter how they work.
After all, the website doesn't store or transmit the information in the cookie, it asks the browser to do it.
Exactly my thoughts.
If it was implemented at the browser, it would have two other benefits:
- it would be consistent for every site you visit, instead of the present situation where it's all over the place... top, bottom, side, buttons, checkboxes, etc.
- it could be turned off at the browser for people who don't need warnings on every individual site they visit, whereas now you have to 'ok' each individual site
Well done to everyone who has ignored this stupid law, and here's hoping you continue to.
With a minor change to the cookie "spec" (haha), this information could be easily transmitted along with any cookie, and it wouldn't require web developers to come up with 50,000 different definitions of what the __gads cookie does.
Changes to the cookie "spec" happen when a quorum of browser developers determine that new features are needed, and can happen very quickly. Just look at the adoption of the "HttpOnly" and "Secure" flags on cookies.
I'd be fine on a law saying EU websites must emit a "Purpose" flag on cookies, and that browsers in the EU must implement a cookie control mechanism that displays and manages this information.
These sorts of laws should be run by engineers first so that we can say "No, you dipshit, that is complete bonkers, this is how the problem can be solved simply and cheaply".
At the present moment those who develop browsers have no legal responsibility to accurately implement any of the HTTP protocol or to render any of the HTML tags in any of the specifications.
If the ICO makes it the responsibility of the browser developers then they would have a legal responsibility to implement certain features. Failure to do so might make them susceptible to fines, from the ICO, for failing to properly disclose what a 3rd party's cookie does.
What would happen to those browsers that did not implement this special feature? Would they become illegal to use or distribute? Would it be illegal to intentionally develop a browser that ignored this feature?
The ICO has put the burden in the proper place and it is with those who want to use cookies: The web sites.
NOTE: I also think it is a shit law and hope everybody ignores it.
> With a minor change to the cookie "spec" (haha), this information could be easily transmitted along with any cookie
Functionally, that's what was attempted with P3P ( http://www.w3.org/P3P/ ) which, as the W3C site states, is dead in the water as nobody took any interest in it.
Although I suppose new life could be breathed into it if appropriate legislative changes were made. From my recollection, P3P seemed quite adequate from a technical or CHI (computer-human interaction) point of view.
The browser could assume that every site has a privacy policy and show a warning if you have not visited the site before that you should read the privacy policy regarding cookies. At least then, the warnings would look consistent. And you could no doubt turn them off centrally, for the 99% of us, who really don't give a toss.
But no. Every single web site has a different privacy policy, and the onus is now on the casual visitor to read each and every one, in order to make an informed decision on whether to use the site? Seriously, it is obvious that this is completely impractical and that *nobody* is going to waste their life reading pages of legal agreements on every web site they visit.
How's this as a better solution:
All browser vendors, on each update, send the user to a 'run once' page on their site (Moz does this already, IE too after major version update). They detect EU IP addresses, and in this case, give you clear info on cookies, and the tools in their browser to control them.
Simple eh? Those who care about cookies can learn to use the tools in their browser. Everyone else can carry on as before. Millions of man hours across Europe not wasted on this pointless exercise. Couple of dozen man hours at each browser vendor.
and as I see it, most browsers already have controls in place to restrict cookies or only block 3rd party cookies, or ... so don't even need it to be developed.
Like you, I don't really see why it should be down to web developers either, particularly as most of the offenders using tracking cookies are probably hosted outside of the EU anyway, and therefore don't need to comply.
(For the record, after removing the Google Analytics snippet, I have zero cookies - unless you login which is solely for editing via the CMS anyway. However I'm still unclear whether I'm compliant if I've not written a cookie use policy statement and published it, saying that we don't use cookies, or whether simply not having any cookies is sufficient... Anyone?)
I think it's worth shouting out how good Channel 4 have been on this. Their Video explaining what they do with cookies, fronted by Alan Carr is entertaining in its own right... Very open and clear about what they do with the info - including using it for targeted ads which brings them more revenue (and what that revenue is used for - more of the programmes you love).
But the vast majority of websites are run by individuals, small non-profit organisations and small businesses who don't have the resources to hire celebrities (or Alan Carr), quite possibly are using a CMS and so don't actually know what cookies their site uses, and maybe aren't that clued up on cookies themselves.
The point of the law is to prevent invasion of privacy. Non-tracking cookies should be unequivocally exempt (no grey areas about whether they are essential to the functionality of the site). Ubiquitous tracking cookies like Google etc should be the responsibility of Google etc - first time they want to track you, they should ask. That shouldn't be the individual responsibility of every single one of the millions of websites which use adsense or analytics.
ICO: There's a new cookie law
Webmaster: OK, have I broken it?
ICO: Maybe
Webmaster: Well, are you going to fine me?
ICO: Possibly
Webmaster: OK, then will you tell me how to avoid breaking it?
ICO: Well, it's up to you really. We'd kind of like you to ask your audience, but if you assume it's OK, then that might be OK, unless someone complains, and then it might not be. OK?
The European Tour website www.europeantour.com is pretty hard handed about all this.
They gush "This website like many others uses cookies. It enables us to provide the very best user experience and many features are dependent on storing cookies. For a full list of the cookies we use and what they do please review our Privacy Policy." and one can Accept or Reject.
Rejecting shuts down access to the site completely! So because they need a cookie for their "key functionality", such as persistent log in and flagged players in the live scoring page, all access to the site is shut down.
The same goes for the iPhone app.
This is a rather heavy handed approach and one that I am sure will garner lots of amazingly positive responses from their user base.
The question nobody seems to have asked, is there anyone out there who disables all cookies and leaves sites that pop up asking you to use a tick box. It's a fact of life when you use the internet you will have to use cookies. It's like somebody not accepting any post because they might get pizza flyers.
My dad has cottoned on pretty quickly that (a) there's a new law in place, something to do with "cookies" and (b) that this is resulting in lots of annoying new pop-ups and unintelligible questions to answer when visiting websites.
In his case it was the new BT cookie pop-up: he had no idea which one of the three options he should choose, and so he called me for advice. Personally I'm just ignoring all cookie pop-ups, as I can't be bothered to research the implications of the cookies used by each website that pops up the notification. And the dodgy sites aren't exactly going to tell me to block their dodgy cookies, are they?
This is really simple (and for once, the EU got it right).
* If you're using Session cookies, you don't need to change anything. Implicit consent is fine.
* If you're using Personalisation cookies which benefit the user (eg to remember site preferences, or store a long-term login), you also don't need to do anything [though perhaps you should mention it in the privacy policy]
* If you're using tracking cookies (for cross-site advertising), then the law is quite rightly targeting you. Basically that behaviour is pretty evil, and although you can persuade the user to waive their privacy rights by "accepting" the tracking, this shouldn't happen.
* 3rd party analytics (eg Google) and non-tracking advertising are the grey-areas.
Here's a simple test: if the average geek would consider your cookie beneficial to him, then you don't need to ask for consent. If you think the average geek would prefer to reject your cookie, then you do need to ask for consent (but you shouldn't be using that type of cookie anyway).
Another way of looking at this: very few businesses work with the "free content, ad-supported" model. Some do (eg The Reg; Facebook). But, if you aren't reliant on advertising, then this rule doesn't affect you, (or you are completely incompetent.)
You ask why the fuss? That's why.
Most sites don't implement their own cross-site tracking, because most site owners don't control or influence large numbers of sites. Many sites use Google for adverts and analytics. It's the ambiguity over Google et al which is causing the concern.
That is all assuming the rest of what you say is actually how the law will be interpreted. This still has the capacity to become a weapon for those with wealth or power to use against websites they happen not to like.
@Richard Neill
Well said. Good summary and very much the approach I take.
AFAIK the Google Analytics cookies are fine. I'm not at all bothered by this as everyone uses them so the information commissioner's hardly going to pick off one site for that.
Also, don't forget that HTML5 allows local storage of name=value pairs and also local databases. I'm sure these also apply in the same way as cookies (which aren't mentioned in the legal text?).
Some of you are claiming it should be down to the website developer to sort out this cookie mess - but you are clearly thinking that every single person with a Website in the UK is a talented web developer who can write PHP, HTML and Javascript in Microsoft Notepad. You are completely wrong - a lot of websites are built by instant site type software, a lot of CMS / blogs like joomla etc don't have any option yet for switching off cookies... and then you have problems with dropping code from twitter, facebook, google etc onto your site - in many cases just using an iframe. What about the Met Office? They allow you to add a Met Office widget to your website - I'll bet you that transfers a cookie with it. It's not like it's a law that only targets UK business either - as far as I know (though the law is pretty vague) it affects ANY UK website regardless if it's a charity, business, hobby, recreation site. I agree with other posters - this SHOULD be down to the browser manufacturers - it doesn't even need legislation - the browser that gets it right starts getting market share leaving the other manufacturers to play catch-up - and they will - because they have to - in order to stay relevant.
IE doesn't allow third-party cookies in IFRAMEs. This is Microsoft's solution to security; disallow cookies by default.
http://stackoverflow.com/questions/389456/cookie-blocked-not-saved-in-iframe-in-internet-explorer
(BTW the P3P doesn't always work so you need to implement other solutions for session management if you really have to use this)
I came back to developing about 6 months ago because the tools don't do my nut in anymore - CSS3 is lovely, HTML5 is ace + ruby is both simple and powerful.... then this happened. It's clearly written by people without 0.1% of a clue how the internet works.
How do I track if someone doesn't want to keep the cookies?
"What we need is some sort of extra file which is stored on the client from session-session to specify if cookies should be used. And they should be called biscuits not cookies"
... what he said ^^.
The alternative is a style-destroying bar of doom on every website. It's ridiculous. Well done Brussels.
This is a bit of a joke isn't it? I haven't received any formal notification about any of my sites needing to be compliant. Surely the onus is on the regulator to make potential offenders aware of changes to the law. Or does the UK Gov somehow know I read the Register and believe that to be ample notification? Maybe they're reading my comment right now!
Don't make the banner slide up, just make a single ignorable line appear at the top of the page until dismissed with a click.
The main site is irritating but the mobile site is fecking annoying now. I'd rather not have everything grind to a halt while the banner slides up, is tapped, then slides down again.
Further to that the "normal" site which used to be browsable on my old "feature phone" is now unusable on it due to a huge popup which has no button to dismiss it and blocks up to 90% of the page.
My phone shows me your adverts too (PCs always have AdBlock) and I used to use it to browse your site at least as much as my PCs so you'll be losing all my "ad impressions" if you care.
A couple of things I forgot to mention (Icon is for me)...
1) No sliding banner effects, just make it appear at the top with the rest of the page when loaded and disappear when clicked/tapped on.
2) No button, just a click or tap anywhere on the banner will make it go away. Opera Mobile, for example, zooms when you tap in an area with lots of links and it's not clear which one you wanted to tap. It just so happens that putting the button in a layer above the page (with the page's usual links below) means it decides you've tapped in a crowded area and it zooms instead of dismissing the banner.
I run a small personal website, and despite researching the issue I couldn't really make heads or tails of what is required of me to comply with this joke of a law. So I put up a notice asking if you want to accept cookies. Clicking 'No' brings you to this page: http://www.callammcmillan.com/nocookie.php with an appropriately curt message.
As with most things that come out of Europe, this law is stupid, ill thought out and of benefit to absolutely nobody.
My bank simply said (from memory)..
We are required to inform you that our online banking system uses cookies to maintain security, manage your login, and deliver targeted adverts from selected partners. We are also required to inform you that you may opt out, however, opting out of any of our cookies will make our online banking service unusable.
Strange that I had blocked their "targeted advertisement" cookies ages ago, without ill effect.
Scaremongers.
"The Register uses cookies. Some may have been set already. Read about managing our cookies.
Please click the button to accept our cookies. If you continue to use the site, we'll assume you're happy to accept the cookies anyway."
Cookies blocked.
Whatcha gonna do?
Go off into the 'sulky corner'?
"The Register uses cookies. Some may have been set already. Read about managing our cookies.
Please click the button to accept our cookies. If you continue to use the site, we'll assume you're happy to accept the cookies anyway."
Cookies Blocked...
Browser remembers my pissword so even though I am not 'logged in', as per your now missing cookie, I still get to post again.
Fnar Fnar