For those following this thread, and they didn't notice, we tried to transcribe the answers on that video. Just follow the earlier link.

Graeme - if I don't use GA there will be no GA cookies. Problem solved (at least for GA). :)

Engine - sorry, which link? There are at least 3. :(

This link [pubcon.com...]

you might have some ownership to make sure you provide the information to your users and I think that's common sense because if you've got a user who maybe doesn't understand how third party ad networks work and how web pages work, then clearly if they see something they don't like they are going to complain to the publisher first because that's who they think has maybe set that

This is the part where the problem is ..he's making website owners responsible for explaining Google cookies..and not Google..

And the use of the word "ownership" in

you might have some ownership to make sure you provide the information to your users

makes no sense at all ..

The accurate use of the English language and the appropriate choice of words so that sentences actually make sense has apparently been deemed "optional" for ICO spokesmen and women..

Or that sentence makes no sense deliberately ..

The transcription was very welcome engine :)

Anyone seen the bt dot com solution to this? What fantastic ingenuity for such a stupid law.

Also do a search for "ICC UK Cookie guide". This is much more detailed than the ICO one and it looks like BT have followed some of the guidance because they give you the option to withdraw consent for different categories of cookie.

Interestingly the ICO website doesn't really comply as they don't make it possible to withdraw consent unless you manually go into your browser cookies and delete the cookie that records consent.

Thanks for the link, Engine.

What a load of rubbish! Pretty much duck 'n' dive ICO, though. Still fails to adequately explain WHAT webmasters have to do and what (eg) G's responsibility really is.

Anyone seen the bt dot com solution to this?

What solution do you see? They're sending cookies when I check the headers.

There's a Javascript floater that appears bottom left saying:

The cookie settings on this website are set to 'allow all cookies' to give you the very best experience. If you continue without changing these settings, you consent to this - but if you want, you can change your settings at any time at the bottom of this page.

Change settings No, thanks

Find out more about cookies

At the very bottom of the page is a link to a nifty slider that allows you to turn off "Targeting" and "Functional" cookies but it will not let you switch off "Strictly Necessary and Performance" Cookies.

Cheers

Sid

Javascript is blocked by default so I don't see anything of what you said. But I see the cookies sent to my browser which are also rejected.

Not well implemented is it? But who knows, if it's something acceptable to ICO, you could send the cookies right away then later on activate javascript to prompt the user about his privacy that he shouldn't accept the cookies you already sent in the first place.

It seems to me that if you are going to do the gaining consent using Javascript then you should also only set cookies using Javascript unless they fall into the strictly necessary category.

Am I right in thinking that GA and Adsense both use js so will fit in with what you are saying Sid, as would any other adverts served by js - if js is not enabled, they wont see the ads and wont receive cookies.

Thanks, Sid. I checked out the BT site and the ICC guide. Interesting.

Unfortunately, I don't have the technical skills to implement this kind of thing. I think they forget that not all websites are run by big businesses with teams of programmers...

I was wondering about what sites have to comply. Do non-profit and personal sites need to comply? What about .uk sites owned by someone outside the EU? Does doing business with the UK force these requirements on a site, or most they be UK based in some way?

Hi Graeme,

It's the EU not just the UK but it is an interesting question.

It is definitely all EU hosted sites but as I've said, I think, earlier in the thread I think that any offence takes place where the user's browser is. Having said that how could they possibly police or taker action against someone in a country outside the EU/ I don't think that they could.

Someone forgot that its a www not a euw.

I wish they'd (MEPs) just go back to fiddling their expenses and leave the serious stuff to people who know something about the subject. This should have gone the same way as straight bananas.

This should have gone the same way as straight bananas.

Let this storm in a tea cup blow over and it may still go that way.
Does any one remember the EU Directive of about 2002-3 that all EU ecommerce sites need to publish full address and contact info on their site?

Some sites do because it's common sense to do so to reassure potential customers that they really exist but how many don't, even have their domain registration "protected" and how many of those have been fined/jailed yet.

Maybe I'm a little late to this game, but after reading through this thread, the transcript of the interview with ICO, and reading the guidance, I just don't get it.

I get what they are trying to do here, but practically, I don't see how this is going to work. There are quite a lot of websites in the UK that will be affected by this (intentional understatement). I'm concerned by one of the answers David Evans (from ICO) gave, when asked -

6. Surely the best way to implement this would be in the browser - i.e. requiring all browsers distributed in the UK to specifically ask the user if they wish to allow a particular site to set a cookie on their machine. Why has it been executed in this particular manner?

...I think the other important point there is in the way the question was phrased, sounded to me like somebody was suggesting it would be nice and easy if browsers simply asked you every time you went to sites, do you want cookies from this site. I could see that being fantastically irritating for users because I know how irritated I get when my browser tries to do things for me or tries to help me out, so maybe its not quite the silver bullet solution that the questioner thought it might be.

What I don't get, is how is this different to individual websites asking users whether they want to allow cookies? Surely that would be just as 'fantastically irritating for users', in fact, even more so because each website would do this in a completely different way.

My other main concern is one that has been mentioned before, is the apparent non-conformance by government sites, such as [direct.gov.uk....] Even today, when I access that site, I am not asked for confirmation of consent to allow cookies, but looking at what cookies are stored, they are not conforming to this law. Obviously, we are still a few weeks away from the 26th May 'deadline' where this law is supposed to be fully up and running, so maybe they've got an updated version just ready to go that meets all the new requirements, but if they do not get something out there by that deadline, surely that is a benchmark we could measure against? I'm not a lawyer, so I have no idea about the technicalities of law, but surely one cannot be held responsible if your site is acting in exactly the same way as a government site?

I just don't know whether I need to get some guys on this for our sites now, or whether we can just make sure our privacy statements are up to scratch, and leave it at that. I don't want to waste days and days of work, to do something that might adversely affect our user's experience of our site, if I don't have to.

Well if it had been implemented in the browser, it would save us a lot of work. Also, as pointed out earlier in this thread, this is supposed to be an "Opt In", but anything we do is likely to be after the visitor has received a cookie.

This whole thing appears to be totally unworkable and as you say, government sites are unlikely to comply totally.

I expect I shall create page with a lot more info the cookies set from my site (mostly care of Google) and tell people that if they do not want cookies then they should not continue to use my site.
The page will probably be so long that no one will read it.

government sites are unlikely to comply totally

And likely because they're immune to their own laws.

Based on this mentality they should take it further, EU should also sue the IETF or Lou Montulli for inventing the HTTP cookie header.

The other thing is the cookie header is not the only one you can use to track visitors. Browsers send various other headers for instance cache headers which can be used for tracking. In terms of privacy, the ICO site is no different it does sends these headers which pretty much violates what they advocate. IPs can also be used for tracking although it may not be as reliable, it's still possible and with the IPv6 coming it can be improved.

So tracking is here to stay one way or another. Those who believe they can eliminate it live in a dreamworld.

And likely because they're immune to their own laws.

This is an EU directive but is in UK law and is to be policed by the ICO. There are criminal sanctions so suing will not be what they do, prosecution would be more the thing.

What I think will actually happen is they'll warn you and give you a chance to comply. Government websites are not above the law though.

The law does not talk about cookies at all but "information stored on terminal equipment" so rather stupidly information stored on the server is not covered.

they'll warn you and give you a chance to comply

But is it possible for any functional website to comply?

Periodically I go through a UK directory I run looking for dead sites. I do this manually because a) automatic methods do not easily show up (eg) domain parking or altered function and b) because it's a relatively small number of sites.

Last night I ran through approx 130 sites. Of these, discounting the half-dozen "dead" ones, something like 70% tried to load me with cookies (I always use FF+NoScript and have cookies set to "ask me"). Of these, a handful tried to feed me a dozen or more cookies for (mostly) different adverts on the home page.

I can't see that lot (all UK owned) being converted to "opt-in before setting cookie" before the end of May.

But is it possible for any functional website to comply?

Cookies that are strictly necessary for the functioning of the website are exempt. You need a privacy policy to explain to folks why.

I've been playing around with a Javascript to gain consent and another so that folks can withdraw consent and delete the cookies that have been set. I'm having real problems with reliability and flakyness in some browsers.

I only use Google Analytics cookies on the user side of my sites so I might just take the decision to pull the code that sets the GA cookies rather than confuse my (exclusively UK) users.

i quite like the way the BBC does it at the moment (although i am sure this will change once the law comes in)

what they've got is a dedicated 'cookies' page that lists all their cookies by name, what they're used for, and how you can disable them (by giving links to doubleclicks opt-out page, for example)

i might just do that, to be honest. and ignore the "do you want to opt-in" box they want us to implement. i dont think its much of a risk at this early stage

Agree with you there Iondrum. If we go that far by the deadline I think we will have done well (and will be in the minority compared to those that do nothing or little)

There's a couple of opt in Javascript solutions. One called cookiesDirective.js and another from Wolf Software. If I was allowed to give a link to these I would.

I'm just getting into the practicalities of all of this.

The solutions I've mentioned above and another from a Scottish firm called Civic have some form of Javascript growl panel inviting you to click a checkbox to confirm that you give consent. They then set a "consent" cookie by Javascript. On subsequent pages on the site if the user has not given consent another growl will pop up, down or out and give you another request. If they have given consent the script reads the consent cookie and does not growl, it also sets the page cookies, GA cookies or whatever.

There's a few problems in this. If the user has previously visited the site then the old cookies remain in their browser until manually deleted. The law says that they cannot be read without consent so how does anyone prove whether they have been read or not. You can prove that they have not been freshly updated but not that they have not been read.

Also even if the user gives consent setting the GA cookies on that (probably landing) page is a bit flaky. Which massively devalues GA data even if it is allowed.

Perhaps the easiest and best thing to do is just abandon GA and other analytics/tracking cookies and just leave in absolutely essential ones. Where that leaves ad services and the like I really don't know.

The problem with JS is that a lot of people no longer allow it: NoScript is very common and I think there are options in other browsers.

I turn JS on perhaps one in a few hundred sites, and then mainly because I want to buy something.

Following the Cutts ultimatum ("let G see css and js or else") I've begun not serving JS (and css) if the visitor isn't human (as far as I can tell). Will ICO / whoever run bot-like tools to "view" for cookies? I can't see them using a human approach to this - far too many web domains. If so the JS solution fails.

If cookie is set by JS then JS is OK since cookie will not be set if JS is switched off. The last time I looked at stats well under 5% of users have JS disabled. Otherwise we wouldn't be bothered about Google Analytics anyway.

If cookies are set by server side script then the server side scripting needs to take care of the consent issue. Same principal though, on consent, set a consent cookie. Each script then checks for consent cookie and only if present set other cookies.

There are other ways to maintain state in session based systems other than cookies. Encoded query strings, frames etc etc. I remember when scripters first started using cookies and there was much discussion about alternative strategies. Cookies ended up just being easier.

It's not matter of implementation it can be implemented, but at what cost for your business?

If you want to buy something you search the net, you find the product you click the link and then maximum focus is given to the price, buy now etc. The likelihood of clicking the buy button right away to add something to the cart is extremely high. But what will happen is, instead of adding something to the cart you will be presented either with a notification to give some cookie consent or a page refresh about cookies aren't set and an option to comply. That's one example.

So maybe 5% of people block js, but 95% of consumers will click the back button in this case and go to another site without even reading the notification because after all that's not why they visited your page plus it looks spamy.

I've taken the decision to remove Google Analytics from my site. I may make a positive out of it by telling our users that we don't track them etc. We'll just fly blind(ish) for a while.