homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Visit PubCon.com
Home / Forums Index / Search Engines / UK Search and Internet Marketing News
Forum Library, Charter, Moderators: IanTurner & engine

UK Search and Internet Marketing News Forum

UK's ICO Changes Cookie Law Policy To Implied Consent

 12:30 pm on Jan 31, 2013 (gmt 0)

This is just another stage in the farce of the cookielaw.

I hope that the lawmakers will finally realise thay should not be dabbling in areas they know nothing about.

The Information Commissioner's Office (ICO) has said that anyone who visits its website from "the end of January" will receive cookies. It said individuals will be given "clear, detailed information" about what cookies have been set and will also be given access to an "easy way to remove them" if they do not want them set on their machines or devices.

The ICO said its change in policy was "consistent" with guidance it has issued on obtaining "implied consent" to cookies. It said the purpose of its change in policy was to enable it to "collect reliable information to make our website better".UK's ICO Changes Cookie Law Policy To Implied Consent [out-law.com]

From a usability point of view, it's now gotten to the stage of being annoying visiting a site to have a stupid pop-up.

Earlier story
FOI Request Highlights UK Cookie Law Enforcement Problems



 6:52 am on Mar 11, 2013 (gmt 0)

It seems to me that we can now all take the warnings about cookies off our UK sites now without fear of prosecution?


 4:11 pm on Mar 11, 2013 (gmt 0)

I read the various links as saying that you still need the cookie warning but you no longer require the visitor to explicitly consent to them.


 4:15 pm on Mar 11, 2013 (gmt 0)

I read the various links as saying that you still need the cookie warning but you no longer require the visitor to explicitly consent to them.

That sounds like a more reasonable alternative. That's how the U.K. based(?) Ubuntu site that I have been visiting frequently handles it.


 4:55 pm on Mar 11, 2013 (gmt 0)

You can disable cookies for privacy.

If you disable cookies, the analytics program will not know that you don't want to be tracked.

The foregoing occurred to me after I knuckled under and added piwik's opt-out to the Legal page. I assume GA has something similar. After all, you have to be logged-in to G to keep your search terms secret.

Moral: You can't win :)


 6:33 pm on Mar 11, 2013 (gmt 0)

It has not been that specific, nomis5. It is kept fairly woolly, just like the conception of the law.
I think they have left it so that you tell people about the cookies, and if they proceed that is implied consent, rather than having to accept or deny.


 10:52 pm on Mar 11, 2013 (gmt 0)

Lucy - what analytics program? I assume you mean GA. Tracking cookies are not accepted if cookies are off. GA is not accepted if JS is off completely or even just for G.

Moral: You can win some of it. :)


 12:06 am on Mar 12, 2013 (gmt 0)

I assume you mean GA.

No, I meant piwik. In fact there are at least two types of cookies. One keeps track of repeat visitors, so it contains information on how you first entered the site. (A bizarre consequence is that piwik thinks I first entered my own site via Yandex search, because I happened to be trying something out :)) The other is the "do not track" cookie.

piwik unlike GA lives on your own site-- or at least one of them, if you're tracking multiple sites-- so there's no third-party cookie involved.

If scripting is off, all you get is the administrative gif. I don't think there's any way to disable this from the user end. But, of course, you're just giving the same information that's already in the regular logs.


 1:26 am on Mar 12, 2013 (gmt 0)

from [ico.gov.uk...]

Some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies used to keep track of a userís input when filling online forms or as a shopping card, also known as session-id cookies, multimedia player session cookies and user interface customisation cookies, eg language preference cookies to remember the language selected by the user.

Third party cookies are becoming a problem for EU websites. I agree with Neil, those popups to explain about use of cookies are getting beyond a joke.

The cookies I use fall within the exception as described on that page. I ditched Google analytics simply to not need to provide details about cookie use. Its just one more way to confuse the end user.



 9:13 pm on Mar 12, 2013 (gmt 0)

Lucy - I missed your reference to piwik but should have expected it. :)

If you have cookies turned off, how can cookies track you? They have to read existing cookies to know where you've been. All they can do is log your current access and leave the cookie field in the log blank.

JS can be a real hassle and can at times be dangerous to health. I turn it on only where I absolutely need it and where I know the site. When I went to google groups to see what they thought about the latest yahoo mail password breach* I was told to turn everything on: I went away instead and found the information elsewhere. Sadly, there are a couple of instances where I need googleapis and cannot avoid it, protest though I do.

* yes folks, there is currently a lot of phishing spam being fed through yahoo mail servers following an unacknowledged breach of yahoo's user/password details. If you have a yahoo or BT-Internet account (same thing) then change your password now! Better still, get your mail from somewhere else (not G!). :)


 10:15 pm on Mar 12, 2013 (gmt 0)

If you have cookies turned off, how can cookies track you? They have to read existing cookies to know where you've been.

They don't need cookies to read their own database. Same as you don't need cookies to read raw logs. If I delete all cookies with my site's name on them, piwik starts tracking me.

Then again, I've only got one page that absolutely requires javascript for full functionality. Others are Added Value.* It's a voluntary function, and I recently added a paragraph that provides a rough-and-dirty form of the same information, with less detail.

* Generally pertaining to font which about 20% of the target audience has got, but <1% of the population at large, so you wouldn't notice.


 10:34 pm on Mar 13, 2013 (gmt 0)

But any source can only track me (by logs) as long as I stay on their site, if I do not use cookies, JS and GA.

Does piwik (company) collect data from the analysers installed on sites? If so I would be worried.


 1:09 am on Mar 14, 2013 (gmt 0)

Does piwik (company) collect data from the analysers installed on sites?

Not unless they're lying to everyone on a major scale. (I kinda doubt this.) In fact one of their selling points is that the database lives on your own website so there's no third-party involvement.

But I went back and checked. You're right, there is a tracking cookie. Entirely separate from the "do not track" cookie, so it does get a bit circular. Unless you go with the logs option, which I haven't explored yet-- mainly because I've already got my own log-processing code that does what I need. And no matter what you do, there's the noscript administrative gif that you can manually pull out of your own logs, should you so desire.

... Which is the underlying problem with all these cookie-blocking discussions. When a site uses cookies, it is by definition recording information that it has already collected. Outside the WebmasterWorld community, I don't think your average human-- which here includes EU legislators --understands just how much information is right there in the raw logs.

:: insert list of all WebmasterWorld members* who have ever visited my site, with or without cookies, with or without javascript ;) ::

* Well, OK: "or their proxy IPs".


 8:42 pm on Mar 14, 2013 (gmt 0)

I get the impression here that piwik has a JS (or other) link in each published page rather than logs being aggregated through the server, which is the default/usual state for web sites. Is that correct?

That's the only way I can see a log analyser issuing its own cookies.

In Firefox I have set "I do not want to be tracked. In theory that would be interpreted by a site as "I will neither set any cookie nor track your progress through this or any other web site". I very much doubt this is what happens: cookies, I know, are set on my machine to tell web sites that they should not track me. I have no idea whether they honor this or whether they use the no-track cookies to track me. Whichever, the ideal intent is not being honoured, I'm sure of that.

I agree that most humans - and certainly any bureaucrat - have no idea how the simplest internet protocol works and almost certainly, when presented with a "this site sets cookies" warning, simply click in frustration rather than find out what it does.

I have no warnings on my sites other than in "site FAQs" - but then, I only set temp session cookies. Which EU now say is ok, despite panicking us before.


 10:00 pm on Mar 14, 2013 (gmt 0)

piwik apparently goes in two stages. On each page there are a few lines of tracking code, resulting a request to a big fat .js file-- at 20K it's bigger than most of my pages-- that lives in your piwik directory. (On the same site, unless you've set a single piwik installation to track multiple domains.) This, in turn, sends a request to a php file living in the same place.

:: shuffling papers ::

Here is what it looks like in logs, starting with main page for context.

aa.bb.cc.dd - - [07/Mar/2013:15:35:05 -0800] "GET /fun/panda.html HTTP/1.1" 200 6982 "http://www.webmasterworld.com/profilev4.cgi?action=view&member=lucy24" "{user agent}"

aa.bb.cc.dd - - [07/Mar/2013:15:35:05 -0800] "GET /piwik/piwik.js HTTP/1.1" 200 21865 "http://www.example.com/fun/panda.html" "{user agent}"

{all subsidiary files here}

aa.bb.cc.dd - - [07/Mar/2013:15:35:07 -0800] "GET /piwik/piwik.php?action_name=The%20Panda%20Page&idsite=1&rec=1&r=215035&h=10&m=35&s=6&url=http%3A%2F%2Fwww.example.com%2Ffun%2Fpanda.html&urlref=http%3A%2F%2Fwww.webmasterworld.com%2Fprofilev4.cgi%3Faction%3Dview%26member%3Dlucy24&_id=16955bde49cf4769&_idts=1362699307&_idvc=1&_idn=1&_refts=1362699307&_viewts=1362699307&_ref=http%3A%2F%2Fwww.webmasterworld.com%2Fprofilev4.cgi%3Faction%3Dview%26member%3Dlucy24&pdf=0&qt=1&realp=1&wma=0&dir=0&fla=1&java=1&gears=0&ag=0&cookie=1&res=1440x900 HTTP/1.1" 200 361 "http://www.example.com/fun/panda.html" "{user agent}"

This is an entry page, so the same information appears twice. The first time represents the page the user is currently on, including referer if any; the second represents the page they first entered the site on, again including referer if any. Not on the present visit, but the first time ever.

If the user has scripting turned off, all this is replaced by the single request
GET /piwik/piwik.php?idsite=1
In spite of the .php, that is an administrative gif living inside an <img src> tag. As with any administrative gif, it will be logged with timestamp and user-agent, unless the user's browser is also set to not send a referer.

Oh, and the cookies aren't issued by piwik dot org. They're listed under example dot com.

[edited by: tedster at 4:50 am (utc) on Mar 16, 2013]
[edit reason] switched real domain to example.com [/edit]


 8:54 pm on Mar 15, 2013 (gmt 0)

Thanks for the explanation, Lucy.

So, with JS turned off (my normal browsing mode) you would not know anything about me other than whatever the standard site logs record - IP and which pages that IP goes to. The img, in that context, seems superfluous since it is only going to show what page is visited, which the logs already know.

And no cookies, of course.

I suppose you usually get naive users who have everything turned on, so that's ok. :)


 12:07 am on Mar 16, 2013 (gmt 0)

The img, in that context, seems superfluous since it is only going to show what page is visited, which the logs already know.

The difference is that the img call will be written to the piwik database, so you'll see it there too.

I suppose you usually get naive users

For a given definition of "naive" at least :-P

afaik, both cookies and scripting are enabled by default in all current browsers. But even piwik is powerless in the face of google's "no keyword given" :( I came up #1 in the search for ... what? Nobody knows.


 9:57 pm on Mar 16, 2013 (gmt 0)

Probably a result of their SSL policy. :(

If no G keyphrase then
show visitor a Do Not Use G banner
end if

Global Options:
 top home search open messages active posts  

Home / Forums Index / Search Engines / UK Search and Internet Marketing News
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved