Monday, 23 May 2011

The EU Cookie Directive

This Wednesday (May 25th), a new law comes into force affecting the ability of web sites to issue cookies to visitors. Under this legislation, web site hosts will require explicit informed consent from visitors before issuing cookies unless those cookies are 'strictly necessary' to provide the service. Unfortunately the UK has been slow to legislate on this directive, so the law is extremely vague. What exactly 'strictly necessary' means is currently undefined; however, one example given of a cookie that would not be considered 'strictly necessary' is one used to remember your login on a login page.

The UK Information Commissioner's Office has issued a document containing an overview of the new law and how it will apply to businesses, which you might like to read.

For our part, we think we're in a good position for compliance. We don't use cookies to store login details or other account preferences - browsers do a good enough job of that nowadays. We do use session cookies for authenticating logins, but they would fall under the 'strictly necessary' use case (our service simply won't work without them). They contain solely a random number hash, are deleted on logout, and expire after a couple of hours, so they have very little scope for any kind of personal data leakage and certainly no cross-site tracking, which is one of the chief concerns of the legislation.
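As an added illustration of the kind of session cookie described above (a random, opaque token with no user data in it, a server-side expiry of a couple of hours, and removal on logout), here is a small self-contained example. It is not the service's own code: the cookie name `session`, the two-hour lifetime, the `SessionStore` class and the injectable `clock` are all assumptions made for the example.

```python
import secrets
import time

# Assumed lifetime: a couple of hours, expressed in seconds.
SESSION_TTL_SECONDS = 2 * 60 * 60


class SessionStore:
    """Server-side table of opaque session tokens (constructed for this example).

    The token carries no information itself; everything about the login lives
    here on the server, so the cookie cannot leak personal data or be used to
    correlate a visitor across other sites.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}   # token -> (user_id, expires_at)
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be tested deterministically

    def login(self, user_id):
        # 32 random bytes (256 bits) from the OS CSPRNG; nothing derived from the user.
        token = secrets.token_hex(32)
        self._sessions[token] = (user_id, self._clock() + self._ttl)
        return token

    def lookup(self, token):
        """Return the user id for a live token, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            # Server-side expiry is authoritative regardless of what the browser does.
            del self._sessions[token]
            return None
        return user_id

    def logout(self, token):
        """Deleting the server-side record is what actually ends the session."""
        self._sessions.pop(token, None)


def set_cookie_header(token, ttl=SESSION_TTL_SECONDS):
    # Secure: only sent over HTTPS. HttpOnly: not readable from page scripts.
    # SameSite=Lax: not attached to most cross-site requests. Max-Age mirrors the
    # server-side lifetime so the browser discards the token at roughly the same time.
    return (f"Set-Cookie: session={token}; Max-Age={ttl}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def clear_cookie_header():
    # Sent on logout alongside SessionStore.logout(): Max-Age=0 tells the browser to drop it.
    return "Set-Cookie: session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice")
    print(set_cookie_header(tok))
    print("lookup ->", store.lookup(tok))
    store.logout(tok)
    print("after logout ->", store.lookup(tok))
    print(clear_cookie_header())
```

The point worth noting is that the cookie value is the only thing the browser holds, and it is meaningless without the server-side table; expiry and logout are enforced by that table, with the `Max-Age` on the header merely telling the browser when to stop sending the token.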

We don't issue cookies to normal visitors at all, including those that are opening or clicking through from links in email messages. That said, another aspect of this legislation may apply to the use of tracking images (a.k.a. web bugs or beacons), but it remains to be seen what regulations are made in that area.

The most obvious point of concern for this legislation is for services that do track activity across sites: pretty much any web analytics system, such as Google Analytics, and many ad-serving services, such as Google AdWords, DoubleClick etc. Google have yet to comment on the issue, but there is some discussion of it here. We're not concerned by ads since we don't use them anywhere, but Google Analytics is a very useful service that we do link with, and while we don't use cookies in conjunction with it (we just generate the specially formatted URLs it uses), you may well do so on your own site. The requirement to obtain explicit informed consent for such services may prove extremely detrimental to consumers and providers alike. Without that consent, providers can't target incentives and campaigns appropriately to visitors, and web advertising is likely to become much more random as a result.

In the short term there's little to be worried about. Communications Minister Ed Vaizey has said "We do not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies."

We'll keep you posted on any changes that may affect your use of our services.
