| 11:18 pm on Mar 5, 2012 (gmt 0)|
Some web sites push out temporary session cookies without the site owner being able to do anything about it (eg IIS web sites).
The law-makers, as usual, have screwed up by assuming that all cookies are bad and can be stopped by the site owner. My guess is that 95% of web site owners won't even know about this law and, if they find out, how they can stop the cookies. And, of course, what about non-UK web sites, which form the vast majority of UK-viewed sites (eg ALL of the major search engines and a lot of informational and "social" sites).
What is far more sensible is to let browsers block cookies by default, which is what Firefox+NoScript does and I believe other browsers may also do with a bit of messing about.
The down-side of that, of course, is that having blocked a cookie, that cookie remains blocked until the user goes through a lot of hoops to unblock it - and on some sites the number and name of such cookies is not easily determined. This results in ecommerce sites failing to work: no cookie, how can they keep track of what you've bought? And having tracked that, you then have to find the actual payment service's cookie and unblock that. At the moment, I can buy through one of my computers but no matter what cookies I allow I can't buy through another one.
For most web site owners, if they get a heavy fine for something they do not understand they will dump the site. Most web sites are not actually essential. Indeed, my half-dozen or so personal sites are not essential, although they do help people a lot. And most of those people are not in the UK. Go figure.
| 12:43 pm on Mar 6, 2012 (gmt 0)|
Are not session cookies saved on the server rather than the client?
| 12:54 pm on Mar 6, 2012 (gmt 0)|
This must be the dumbest piece of legislation I have seen for a long time.
To tell a website that you do not like cookies, you have to set your browser settings to accept cookies and then you have to accept a cookie from the website that contains the information that you don't want cookies.
If you don't do that a nag screen asking you for permission pops up every time you visit the website.
| 2:07 pm on Mar 6, 2012 (gmt 0)|
I agree, it's badly thought out, but, it's the law.
| 10:53 pm on Mar 6, 2012 (gmt 0)|
wingnut - no. On the browser.
Although the server needs to know you have accepted them if it wants to track (eg) a shopping cart. The server then retains the session info for about 20 minutes (depending on server setup) after the last site access.
Unlike some permanent cookies which are often used to build a cart on the web browser. Or a search engine of ill-repute that records your browsing history...
Those latter are the kind of cookies that the law-idiots think they are addressing, rightly or wrongly, whilst the temporary session cookies get lumped in with the permanent ones.
This legislation has been thrown about for several years and the dumbos still haven't got it right.
jecasc - the option I use is to set Firefox to block ALL cookies but only after asking me first. There is an option on the popup to "apply my choice to all cookies from this site." A bit tedious but if I know a site is going to be more useful with cookies then I can enable them at the outset or selectively as I go along.
You may be thinking of the sites that try to insist on cookies by saying "accept this cookie and we won't set any more" - eg G.
It will be interesting to see a test case on this. Several, in fact: UK site hosted in UK, UK site hosted abroad, international site hosted wherever. And, of course, US and EU sites selling to UK. That one will be fun.
| 5:26 pm on Mar 7, 2012 (gmt 0)|
The cookie issue is a frustration and most users won't know why they are having to grant permission to accept cookies.
The fact of the matter is that the legislation is here and sites have to comply.
| 9:37 pm on Mar 7, 2012 (gmt 0)|
No idea how I'm going to do it on IIS.
I can turn off session cookies for the whole web site through IIS Manager - but when I need them on again I can't get them.
Or I can turn them off on a page basis:
<%@ EnableSessionState=False %>
"... the session ID cookie is still sent and the Session_OnStart event still fires if a page with EnableSessionState=False is requested."
So: tell me, legal idiots of westminster, what do I do to comply?
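Added example (not part of any post in this thread, and not IIS's own code): a small Python audit of `Set-Cookie` values that separates the temporary session cookies discussed above from persistent ones and flags the ASP session-ID cookie. The header values, the `cookie_optout` name and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Classic ASP names its session cookie ASPSESSIONID<suffix>; ASP.NET uses ASP.NET_SessionId.
SESSION_ID_PREFIXES = ("ASPSESSIONID", "ASP.NET_SessionId")

# Constructed Set-Cookie values for illustration, not captured from a real site.
SAMPLE_HEADERS = [
    "ASPSESSIONIDQQBCADRT=EXAMPLEVALUE; path=/",
    "cart=sku123; Expires=Wed, 05 Mar 2014 23:18:00 GMT; Path=/",
    "cookie_optout=1; Max-Age=31536000; Path=/",
    "old=x; Max-Age=0",
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes with lowercased keys)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime(attrs, now):
    """'session' if the browser drops it on close, else 'persistent' or 'deleted'."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return "persistent" if expires > now else "deleted"
    return "session"  # no expiry attribute: held in browser memory only

def audit(headers, now=None):
    """Map each cookie name to its lifetime and whether it is a server session ID."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for value in headers:
        name, attrs = parse_set_cookie(value)
        report[name] = {
            "lifetime": lifetime(attrs, now),
            "server_session_id": name.startswith(SESSION_ID_PREFIXES),
        }
    return report

if __name__ == "__main__":
    for name, info in audit(SAMPLE_HEADERS).items():
        print(name, info)
```

Run against the response headers of a page marked `EnableSessionState=False`, an `ASPSESSIONID...` entry with lifetime `session` confirms the behaviour quoted above.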
| 11:57 pm on Mar 7, 2012 (gmt 0)|
|To tell a website that you do not like cookies, you have to set your browser settings to accept cookies and then you have to accept a cookie from the website that contains the information that you don't want cookies. |
Hey, I know that one. I was cleaning up cookies recently and found one from guess which major search engine. The cookie was called Remember Me and its value was set at No. Silly me. I thought "don't remember me" meant "don't set permanent cookies in the first place".
| 12:25 am on Mar 8, 2012 (gmt 0)|
The "don't remember me" cookie will stop the triggering of various scripts inside the server for this visitor.
A tracked visitor will submit the unique ID stored in their cookie when accessing the server and the server will then serve specific content to, or carry out specific actions for, that visitor.
| 8:49 am on Mar 8, 2012 (gmt 0)|
Note : 'The only exception to this rule will be cookies that are used on stores and for shopping baskets.'
This must be an exploitable loophole!
[edited by: wingnut at 8:53 am (utc) on Mar 8, 2012]
| 8:52 am on Mar 8, 2012 (gmt 0)|
Session cookies are held in the browser memory cache, does this contravene the law?
| 10:42 am on Mar 21, 2012 (gmt 0)|
Other than what is here already, what specific questions would you like to put to the regulators?
| 10:49 pm on Mar 21, 2012 (gmt 0)|
Would they consider listening to someone who KNOWS about the web and its workings, its privacies and its fallacies?
| 9:22 am on Mar 22, 2012 (gmt 0)|
Well, it's not up to the regulator to change things, that's up to the lawmakers. What I'm interested in is getting questions from Webmasters about the law so that we can ask the regulator for clarification. So if you have a question that needs clarification, please post it here and I'll do my best to get it answered.
| 10:29 pm on Mar 22, 2012 (gmt 0)|
A clarification of temporary "session" cookies - ones that help navigation through the site, allow shopping sites to retain purchase information ON THE SERVER for 20 minutes or so, but place no real data onto the browsing computer. Without these many sites cannot function properly.
Some servers (as noted in an earlier post) cannot be told to not serve session cookies one minute and serve them the next, so a web site then becomes broken. If you go to a web site with a web browser that has been correctly set up then you will be asked to accept a session cookie. If your browser is not correctly set up (ie "accept all cookies") then you will not see the request. Regardless, the cookie will still be sent because the server has no choice.
Why are web site owners to be penalised for something that can ONLY be properly managed by the browser itself?
Why has about 5 years of debate produced no change to the original proposal?
What happens if the web site is not UK owned/hosted? 99% of all web sites come into that category: what will the legislators do, sue the Americans, Chinese, Australians... And, of course, google, who are one of the biggest anti-privacy cookie-setters in the world.
What happens if I move all my web services abroad? Will I still be liable if a cookie is set? If I register my business abroad?
And other things but it's supper time and I'm hungry.
In short: has anyone really thought this through?
| 8:44 pm on Mar 27, 2012 (gmt 0)|
One of the interesting questions that arises if you use third party ad networks is: are you responsible for their dropping of cookies on to your visitors' machines, or are they?
If you are, as the webmaster, this is effectively going to make Adsense illegal in the UK.
| 10:24 pm on Mar 27, 2012 (gmt 0)|
I block advert cookies anyway - manually if new, otherwise it's pre-canned. Firefox also has several ways of pre-blocking adverts and their cookies.
Which I suspect most people do not do. But as noted, it's the user's responsibility to manage browser actions and responses, not web site owners who have no real idea how their customers will react to their sites across a very wide world web.
| 12:44 pm on Mar 29, 2012 (gmt 0)|
|I agree, it's badly thought out, but, it's the law. |
So is a 70mph speed limit in the UK. I have driven 100s of 1000s miles up and down the M40 well above that speed and the cops just ignore you. Their "law" is above 95mph and they'll be interested - maybe.
I think similar (or even more lax) enforcement will go for this "law". I'm not advising anyone else to do the same, but I'm not stressing about cookie compliance and the EU.
As far as I know the EU law-makers think a cookie is a biscuit with chocolate pieces in it. They'll be far more concerned to ensure the chocolate pieces are evenly distributed throughout the cookie and, even more importantly, they are of the same size and shape.
| 2:46 pm on Apr 2, 2012 (gmt 0)|
It is a person who has to opt in but how can you know if it is the same person using the browser?
| 9:45 pm on Apr 2, 2012 (gmt 0)|
Never use GA and I block it in every web site I visit.
Does GA set a G cookie? If so, a very good reason to not accept cookies.
| 2:54 pm on Apr 4, 2012 (gmt 0)|
I arranged for a number of your questions to be put to the ICO and you can listen to the answers in a video interview.
| 8:12 pm on Apr 4, 2012 (gmt 0)|
Thanks but sorry, I can't view a video interview. When will people accept that text is 100% better than video in many cases?
| 9:51 am on Apr 5, 2012 (gmt 0)|
I have watched it - but agree with dstiles that video is a particularly slow and painful way to get information.
I will put together some comments over the weekend when I have time to really go through in detail what has been said (and to flick back and forward through the video - which again is extremely time consuming compared with the written word.)
| 10:58 am on Apr 5, 2012 (gmt 0)|
Would have been more use if the soundtrack was not totally garbled on the crucial points about session cookies and 3rd party cookies ( such as google analytic cookies ) and the apparent confusion by the guy from ICO about analytics ( which frequently do drop cookies ) and stats ( which if server side such as AWstats ) don't.
A Q&A session via email would have been much clearer..and not over 150 megs..I appreciate what you tried to do engine ..but that is a big chunk of data to download for those who are not on unlimited data packs* ..only to have the crucial bits unintelligible..
*my ISP deal is unlimited..but I understand that many in the UK or whose companies are based in the UK but are themselves outside the UK are not on unlimited data deals.
| 1:29 pm on Apr 5, 2012 (gmt 0)|
I found the video very useful. The ICO guy was able to give indications that he probably wouldn't give in black and white.
I wasn't clear on whether it would, for example, be Google's responsibility to get consent for Google Analytics Cookies and if they are whether this would be on a site by site, session by session basis or whether they could get a cookie set that would apply to all sites thereafter.
| 1:53 pm on Apr 5, 2012 (gmt 0)|
|I wasn't clear on whether it would, for example, be Google's responsibility to get consent for Google Analytics Cookies and if they are whether this would be on a site by site, session by session basis or whether they could get a cookie set that would apply to all sites thereafter. |
Unfortunately he made that no clearer..he appeared to say it would be Google's responsibility ..and then went on to say that website owners ( depending on the "tech level" of their visitors ) should explain ( in varying degrees of simplistic language depending on the "tech level" of their visitors* ) to their visitors what 3rd party cookies are being dropped ..
So say you run an adsense supported health site..your visitors could be doctors ( who may know nothing about cookies, nor what each type can do )..adult patients ( who may know nothing about cookies, nor what each type can do )..or children doing "lookups" for their granny with a sniffle or a school project ( who may know nothing about cookies, nor what each type can do )..or a webmaster with a head cold ( who would know what various cookies do ) or an IT tech ( who might not know that there is more than one kind of cookie ) because they only work with hardware and in house mainframes..and your "accept / decline" message has to be understandable by all of these..and some of whom may not have the greatest vocabulary or even have English as their 1st language..
And on top of that, he wants you to explain what Google or any other advertising network that you may have space rented to is doing..
Appears to be more about absolving the big guys like G from any real responsibility and pushing it all onto the little guy ..whilst being vague enough to be able to at any point say "gotcha" for non compliance with a vague guideline..
Imagine that applied to driving..the speed limit will be variable depending on what you consider your category of vehicle to be..if you guess wrongly what we would consider it to be ..you may or may not face sanctions depending on the state of mind of the assessing officer..and what contacts at number 10 your passengers have..
* we have no idea what tech level our visitors have and what their understanding is ..they can arrive from anywhere ..and if we guess one way ..and the assessing officer at the ICO guesses another ..the fines can be huge ..the rules should be written down ..clear cut ..just like the highway code..or any other company law or rules which apply to UK companies or businesses on or off the web..
| 2:12 pm on Apr 5, 2012 (gmt 0)|
What he said about a browser solution is interesting though. My interpretation of what was said is that as long as a user had to opt in, ie the browser is initially set to not accept cookies, then the user could globally decide to accept them. If this is the case then Google could ask people to globally accept Analytics and Adsense cookies. The SERPS could have nag text with each listing if the user was in the EU and had not got the "I accept cookies" cookie set. The analytics code could have a cloak built in and a button inviting the user to set a default accept cookies, cookie. Also there would be nothing to stop all of the major services clubbing together and getting a default cookie set that applied to all services.
Have I misunderstood something?
| 2:24 pm on Apr 5, 2012 (gmt 0)|
I'd make a better guess, if the two parts that were unintelligible that I mentioned in #4437430 had been audible..they may well have contradicted his vague remarks about browsers signaling "acceptance"..
He did rather go out of his way to be "vague" whilst saying all the time that the vagueness was intentional and was for the webmaster's benefit..vague legislation and unwritten rules for compliance help no one, except lawyers who subsequently have to be employed to defend cases of non compliance..and compliance officers who wish to have discretionary ( read ..depends who you are and who you know ) powers..
Doesn't help that the legislation was drawn up by people who haven't a clue about the technicalities of the subject, other than they wanted to do something in the face of public concern about the "stalking" and "profiling" done online by Google, Facebook et al..
And G and F etc., were not going to give any legislators a cluebat and a guide book to cookies and tracking, in case the legislators used it to hit them with as soon as they realised what is really going on and who is the real problem ..of course the legislators involved in the "ISPs must keep records and allow intercepts" ..do have a clue..but they are a big part of the problem..
|norton j radstock|
| 6:35 pm on Apr 5, 2012 (gmt 0)|
As a webmaster I have trouble interpreting the ins and outs of this -it will be interesting once expensive barristers get to argue over it....