Thank you very much for organising this. I found it very helpful (if not definitive).

IanTurner - thanks. Look forward to reading it! :)

From reading the above, is part of the problem third pary cookies set by (eg) google et al? If so, don't web browsers default to "block third party cookies"? Mine does but not sure if it was me that set it.

FYFI The ICO continuing the "slipperyness" ..

[theregister.co.uk...]

Think I'll wait for the CNIL to decide..( at which point I'll decide wether to keep my UK companies ) at least the CNIL don't "pussy foot" around Google and try to make webmasters carry the can for the plex..

Why don't anyone in UK challenge this stupid law?

Google Analytics Cookies

When I look at cookies set in my browser from my domain I see these four cookies _utma, _utmb, _utmc, _utmz. The browser appears to associate these cookies with my domain.

I was under the impression that a domain could only access cookies on a browser that it had set. Therefore only mydomain.com should be able to access them but Google actually does.

Who is responsible for those cookies?
How can Google access cookies that the browser thinks belong to my domain?

it would be Google's responsibility

You're missing the point. They're outside EU.

The Services are provided by Google Inc. (“Google”), located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.

Reference:
[google.co.uk...]

Yes but is it Google who set them or me?

It's Google via your site's analytics js or other script you integrate with your pages. To normal visitors it looks like your site does this, don't expect them to check the cookie domain origin on their browser.

And for this reason browsers have some global cookie controls to set whether or not third party cookies are allowed or not. As far I know the default is off for years now.

OK I get all of that. What I'm just trying to explore is the grey area that is created by this. You see I was under the impression that only the domain that set a cookie could retrieve the cookie but here it looks like two domains can retrieve the cookie. My domain and Google.

It seems to me that privacy implications, which is what this is all about, only come into play if I (my domain) retrieves the cookie and do something with the information but I never retrieve it, my site does nothing with it. It is retrieved by Google and they do something with it. It is then only, by me, used for looking at the statistics created by analytics. I can't look at individual users and I can't react to individual behaviour.

I think that I'm going to have to read the wording of the legislation because it might well come down to interpretation of the finer points of the law.

I think session cookies such as those used temporarily for shopping cart functions are exempt. Persistent cookies that remain after the browser session has closed seem to be the main focus. The requirement is that uses indicate their compliance for sites to place a persistent cookie.

From the govenment pdf: "Activities unlikely to fall within the exception:
Cookies used for analytical purposes to count the number of unique visits to a website for example"
> Does that kill Google Analytics for visitors who don't click 'Comply'?

"First and third party advertising cookies"
> 'Click 'Comply' to see Google Ads'. I don't think so!

The law says:

a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment- Version 2 7
13 December 2011
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

Since I have not stored or gained access to information stored by having Analytics code on my pages I don't see why I should have to comply with paragraph (2). The "person" who does this is Google Inc. Whether the EU has jurisdiction over Google Inc will come down to where the alleged offence took place. I would say that since the storage of and access to the information takes place in the users browser then where that user is in the EU the offence takes place in the EU.

The ICO disagrees. In their guidance document they say

The person setting the cookie is therefore primarily responsible for compliance with the requirements of the law. Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – the company running the website. It is therefore in both parties’ interests to work together.

The key point is not who obtains the consent but that valid, well informed consent is obtained.
Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.

There's a major problem in all of this. The law is about people gaining consent from people. How can it be proven who you obtained consent from. If upon consent being given you store a cookie on a user's browser noting that consent, how do you know who has given consent? or if a different user of that browser who has not given consent visits your site how can you know that they have not given consent? Can one person give consent on behalf of someone else?

The whole thing is a complete mess!

...and what if they delete the cookie that proves they gave consent? :(

@gmb21: That site needs to check if the consent cookie exists, if not: obtain consent again.

Unless you store information yourself, in a log or database, only the user of the browser controls evidence that consent was given or not. Your only defence, from a proof point of view, is that you included code in your pages that that had the function of obtaining consent. You can't prove that it actually did. It seems to me that this has more serious privacy implications than setting cookies. You could easily interpret the requirements that you need to store this information for as long as there might be some legal action taken against you.

Also as the law is drafted you might have to prove that a person gave consent not that the consent from some person was given but rather which person gave the consent. So really you need them to give you 3 pieces of identification information so that you can ID them. Name, date of birth and address should do. So now in order to fully comply with the law we need to know the identity of the person and keep that information in a secure form for 6 years.

Brilliant!

Can anyone point me towards information on what cookies do what?

for my sites I see:
__gads
__utma
__utmb
__utmc
__utmz
PHPSESSID
cprelogin
cpsession
logintheme

Apart from PHPSESSID, I have no idea what these do and what scripts or third parties set them.

__gads
__utma
__utmb
__utmc
__utmz

These are Google Analytics

cprelogin
cpsession
logintheme

These are just your CPanel cookies. Users don't have these only website admin

Cheers

Sid

PS I don't have __gads as I think that I'm running old analytics code.

Thank you sid. But how do you find this information if you don't knnow it?

I see the BBC have a large page about their cookies and what each does. I'm sure no-one is going to read it all.

I also didn't see an opt-in.

Maybe a stupid question.... but...

Is this something that a USA based publisher with a USA hosted site needs to worry about?

.

No..it isn't ..and you don't :)
Unless the FTC adopt a similar set of rules..( isn't going to happen while you have your "lobby" system )..so companies based ( ie where the company / business registered / incorporated ) outside of the UK and the broader EU are not affected by any of this..

However any company or business registered in the UK or the EU ( even if they are hosted outside the UK or EU ) must comply with the legislation in place in country or countries where their business is registered..

And not all EU countries are implementing / enforcing the EU legislation the same way..the UK is being particularly vague..in the opinion of many, specifically so as to not "catch" Google..

Thank you sid. But how do you find this information if you don't knnow it?

Just put one of the strings into a search engine. Bing does a good job with __utma . Annoyingly Google does a little better.

Cheers

Sid

Leosghost; Thanks

IANAL but as far as I can see, the rules are satisfied by adding something like "by using our website you agree that we can set cookies for the following purposes".

The rules seem tighter for targeted ad cookies, but if they are third party the company setting them has the primary responsibility.

IANAL but as far as I can see, the rules are satisfied by adding something like "by using our website you agree that we can set cookies for the following purposes".

The problem with that is the fact that a cookie, Google Analytics for example, is set on page load so by the time they see that message they already have a cookie set.

One solution I'm thinking of using is to drop analytics for all sections of my site(s) except the interactive, script driven bits. I could change these so that on click signifies consent to set a cookie and that this would be a condition of entry.

The only way I can see for anyone to be certain of the correct interpretation of the law is for there to be a test case. Having gone to the High Court once before I wouldn't fancy being the one who took on that little task!

Cheers

Sid

It may be that some sites will choose to block access to their site if the cookie isn't set.

Clearly there's no requirement to get Googlebot to tick the box as GB doesn't eat cookies.

So how do you identify a real "user"? How do you distinguish other bots from users?

Those who blindly require all users to 'tick a box or see no website' could find themselves deindexed from various searchengines.

This is a completely daft law. The requirement should have been for browser makers to build in better cookie management facilities, and better tools to set policies.

The fact that bad bots collect and return cookies is one very big thing in cookies' favour. The cookies (temporary session in my case) are often returned through IP-hopping, which makes it easier to trap such activity.

A very good way of over-coming the problem of GA cookies is to not use GA. I decided long ago they were too evil to live and GA was one of the very first things I decided against.

@Hissingsid, this is what the ICO says

It is likely to be more difficult to obtain consent for this type of cookie where you do not have any direct relationship with a user � for example where users just visit a site to browse. In this case websites should ensure the information they provide to users about cookies in this area is absolutely clear and is highlighted in a prominent place (not just included through a general privacy policy link). As far as possible, measures should be put in place to highlight the use of cookies and to try to obtain agreement to set these cookies.

In the case of a third party cookie:

These will no doubt adapt to achieve compliance with the new rule but we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.

@dstiles, this legislation is a good reason to use GA: it puts most of the onus for compliance on them.

this legislation is a good reason to use GA: it puts most of the onus for compliance on them.

Don't count on it, they may have to deal with FTC if US decides to go suicidal with online business - which i really doubt - but not to ICO.

we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.

Graeme,

Since the ICO will be doing the policing this is very good news since it seems that we will not need to get consent before setting these cookies. It would be up to Google but since they are in the US do they have to comply? It could be argued that any offence would occur where the browser is rather than where the data is collected and analysed.

Cheers

Sid

Sorry to do a follow on but I just found this very specific advice in the ICO's guidance document.

We only use analytical cookies – if nobody consents that will seriously restrict the amount of information we can get to improve and develop our website
The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.
In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

"What steps you can" what the hell does that mean, I wonder.