Why is the EU cookie directive causing so much excitement?
I am confused by all the excitement surrounding the EU cookie directive; why is it such a painful thing?
As far as I can see, cookies that are required for your site to function are allowed, such as shopping carts and site logins. Am I missing something here?
The original HTTP specification was designed to work in a stateless way, so to my mind this is a stepping stone in the right direction towards stateless RESTful websites. Why should state be added to the process when it is not needed?
There is plenty of mileage left in Digest Auth etc., so why is everyone worried?
An obvious answer might be that Google Analytics needs to set cookies to be able to track traffic. There is a somewhat unsatisfactory answer to this point: cookies.dev.wolf-software.com
So have I missed something that I should be panicking about? What has you worried about it?
3 Comments
The "excitement" relates to confusion about how the new directive (PDF: 2009/136/EC) should be interpreted and implemented, and whether or not it's fair to European webmasters:
Do the laws apply to third party cookies?
The UK data protection body in charge of enforcing the laws in Britain says in their guidelines that they're seeking clarification (see my answer here), but until then, we don't know whether we'll have to ask permission to use third-party cookies from Google Analytics, for example.
Might the laws cripple EU websites?
If it turns out that the new laws require European webmasters to ask each visitor's permission to use third-party cookies, this will affect a lot of websites and render analytics, affiliate systems, usability testing, and even video embedding from third-parties (many of which use cookies) unusable or far less effective. It will also require many site owners who otherwise wouldn't have had to issue a request to store cookies to suddenly do so, drop the services, or seek cookie-less alternatives.
Does the directive apply to services hosted outside of the EU?
Related to the above, if I run a business from the UK but run a blog on a hosted service outside the EU that makes use of 'unnecessary' cookies, must I rebuild my theme to request permission to use them? If so, will the service be prepared to provide this functionality? If not, do I have to migrate my blog elsewhere? These questions are yet to be answered.
How best to obtain permission?
The new directive exists to ensure that people without technical knowledge have the same control over their privacy as more technical users. It does this by turning an opt-out system ("here's a cookie, you can always vomit it up if you don't want it") into an opt-in system ("would you like a cookie? here's what's in it...").
The new laws are great for consumers, welcomed by privacy groups, more closely aligned with opt-in email and permission marketing conduct, and in line with the sentiment expressed by movements like Do Not Track, which hope to block information harvesting techniques employed by behavioural ad networks.
The trouble is that opt-in systems carry more interface overhead than opt-out ones, because a request for permission has to be made to every user. Article 66 of the directive says:
"The methods of providing information and offering the right to refuse should be as user-friendly as possible."
Unfortunately, they leave the actual method as an exercise for the reader. This is probably a good thing, because having the method dictated might make implementing the law even more painful. That said, it still raises a lot of questions about the best way to gain consent.
The ICO has stepped in to offer a list of six methods to request cookies (see page 6). They admit that no solution is ideal:
Pop ups (ugly - see this discussion - and often ignored by users)
New terms and conditions (users must explicitly agree to them before using the site)
Settings-led consent (good for visual customisation, not so good for analytics)
Feature-led consent (still have to make users aware that cookies are in use)
Functional uses (they suggest a permanent 'permissions' area with notifications)
Via third parties (but they don't know how the laws apply yet)
Since there's no 'one solution fits all' approach to request permission to store cookies, each site owner has to come up with their own way of doing it. Because no real thought has been given to standardising the request format or presenting a common look and feel, we're likely to see a hodge-podge of different pop ups and implementations.
Shouldn't browsers be handling this?
The ideal scenario might be to delegate all of this to the browser, but controls for cookies aren't mature enough and, even if browser updates brought granular cookie support, we'd still have to accommodate older browsers, which makes some kind of in-page request inevitable.
Does it present a commercial disadvantage?
The new privacy laws might make EU Web services less attractive than US ones. As Nick Halsted of TweetMeme says:
"If you go to two websites with identical functionality and one of them asks you to sign a big scary box that says ‘I am tracking everything about you’, and the U.S. one doesn’t, which one are you going to sign up for?" [source]
Not only might the addition of a modal permissions bar result in decreased sign ups and engagement, but we can't even split-test alternative request methods, because tracking the results of a split test first requires us to ask the user for permission.
What's more, if it turns out that EU businesses can't use Google Analytics et al without permission from each visitor (when US businesses can), isn't that a competitive disadvantage too? The US already has a thriving start-up community and funding ecosystem. Some would argue that privacy directives, while great for users, are a pain for businesses because they further stifle those competing with companies outside the EU.
Has it really been thought through?
While the goal of empowering users with decisions over their own privacy is a noble one, the usability aspects haven't been thought through. The good news is that (in the UK, at least) we have until May 2012 to figure something out.
In short, it's nothing to worry about, but there's a lot to think about. Once the ICO clarifies the case for third party cookies and other EU data protection officers have done the same, it's important that European webmasters pool resources to present a unified solution.
Most complaints I've seen fall outside of the exceptions you've mentioned and more into the realm of marketing/data. Some of the big issues I see are:
Standard analytics (Google Analytics and others)
Additional testing (A/B testing etc for usability/conversion rate optimization)
Affiliate tracking.
Re-marketing: there are many programs now that drop a cookie and generate dynamic ads based on a user's activity.
Personalization - such as offering personalized product recommendations based on previously viewed products etc.
Admittedly I'm US based so I haven't followed this as closely as others may have but I don't believe any of the above fall into the "exceptions" and all are widely used.
It appears to be painful for people who read the headlines and don't know about those allowed exceptions.
It is also painful if you have cookies for statistical purposes as they aren't allowed without consent:
"The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website."
www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf
It's also painful because, although it's easy to put JavaScript on your site that does statistics tracking, it's not easy unless you've seen that plugin.