Actually removing analytics from your site might not be necessary, this interview [econsultancy.com] with Dave Evans from the ICO says:

It is unlikely (though not impossible) that we would take action just for analytics cookies.

and

Just because analytics cookies are caught by this law doesn’t mean a strict opt-in is necessary

I know it's vague wording and there's still a chance of a fine, but it seems like they're targeting the worst offenders of tracking cookies only.

You mean there's worse than GA ;)

I'm still going along the lines of Londrum above. Am creating a detailed cookies page with links to information on blocking cookies.
Also near the top of that page have prominent text asking visitors not to continue using my site if they are not willing to accept cookies (I rely on adverts for income so without cookies, visitors are just accessing my info for free).

I know it's vague wording and there's still a chance of a fine, but it seems like they're targeting the worst offenders of tracking cookies only.

I would hope that by going a long way to follow the spirit of the law, if not the letter, that we would be more likely to get a warning and a chance to implement an opt-in.
If that starts happening, then i would expect that opt-ins start becoming the norm - which isn't the case now.

Hi denisl I absolutely agree that without cookies we lose revenue. I like to also think that cookies give users a better experience of adverts. I mostly hate seeing adverts, but at least if they're adverts for things that I actually like, I won't mind them. But without tracking cookies I'll just be shown boring generic adverts that won't apply to me.

So I think this will really damage EU businesses, which is why we've created a site in protest of the law. If you want to protest go to [nocookielaw.com...] and sign the petition, and encourage others to do so.

If we get enough votes we can prove to the politicians who don't seem to understand the internet that this law needs either some serious revision or scrapping altogether!

How on earth can a group of "experts" get together and come up with something so complicated and badly organised/explained to fix a simple concept?

The problem is that politicians go to school and debate things endlessly without having to achieve results. Rarely have they ever run a business or even had a real job.

They certainly have never built a website!

Haha I think you're right internetheaven, they have made this far more complicated by introducing a law that we're not even sure how to comply with!

The company I'm with have been working on a popup banner that people can download and add to their websites so they can comply with the law. Not sure if that's the best solution, but it's one that a lot of companies are doing. I saw recently BT.com has a popup that allows you to approve/deny cookies, and so does games-workshop.com where you have to tick to approve cookies or you can't see the site at all. It's quite a shame that we have to put stuff like this on our sites at all!

I received this from the ICO with regard to Google Analytics Cookies.

As we understand it, Google Analytics is a third party service offered by Google that generates statistics about the visitors to a website. In our view, Google Analytics is likely to be captured by Regulation 6. However, we recognise that Google Analytics is a comparatively less privacy intrusive technology. You may be interested to learn that the ICO will be issuing some further guidance before the grace period expires on 26 May 2012. I understand the guidance will provide some additional clarification on this matter.

I've been keeping my eyes open for any prominent uk sites using any form of an opt in and havn't seen any yet.

Took a good look at a promining uk airline and you have to hunt for anything then found a cookie policy updated in 2008.
It does however give a lot of info about their cookies and at the bottom of the page there is a link in red to remove their cookies from your computer.
Clicking the link takes you to a page where it says the cookies should be deleted when you next close your browser.

It then says:
The simplest method if you wish to prevent xx.com from setting any further cookies, is not to visit the site. In some browsers it is possible to use the browser settings to prevent cookies being set.

For more details visit www.allaboutcookies.org.

If you wish to continue using xx.com please click the button below. Please be aware that clicking this button will result in cookies being set (subject to browser settings) and that any further use of this site will be taken as accepting their use.

I am now hunting for a script to remove cookies that are already set - any recommendations.

I have also found a site that gave links for all the main browsers, linking to info on blocking cookies for a particular site.

Is there a definative list of locations to find this info for all browsers?

Not sure where this came from but it works OK.

Ther's some HTML at the bottom to paste into your pages. You need to name the cookie and change the domain to your domain name. You can do as many as you like.

Cheers

Sid

function clearCookie(name, domain, path){
try {
function Get_Cookie( check_name ) {
// first we'll split this cookie up into name/value pairs
// note: document.cookie only returns name=value, not the other components
var a_all_cookies = document.cookie.split(';'),
a_temp_cookie = '',
cookie_name = '',
cookie_value = '',
b_cookie_found = false;

for ( i = 0; i < a_all_cookies.length; i++ ) {
// now we'll split apart each name=value pair
a_temp_cookie = a_all_cookies[i].split( '=' );

// and trim left/right whitespace while we're at it
cookie_name = a_temp_cookie[0].replace(/^\s+|\s+$/g, '');

// if the extracted name matches passed check_name
if ( cookie_name == check_name ) {
b_cookie_found = true;
// we need to handle case where cookie has no value but exists (no = sign, that is):
if ( a_temp_cookie.length > 1 ) {
cookie_value = unescape( a_temp_cookie[1].replace(/^\s+|\s+$/g, '') );
}
// note that in cases where cookie is initialized but no value, null is returned
return cookie_value;
break;
}
a_temp_cookie = null;
cookie_name = '';
}
if ( !b_cookie_found ) {
return null;
}
}
if (Get_Cookie(name)) {
var domain = domain || document.domain;
var path = path || "/";
document.cookie = name + "=; expires=" + new Date + "; domain=" + domain + "; path=" + path;
}
}
catch(err) {}
};

Put this in your HTML after changing the cookie name if necessary and yourdomain name. You can list as many as you like.

<a href="#" onclick="clearCookie('__utma','yourdomain.com','/');clearCookie('__utmb','yourdomain.com','/');clearCookie('__utmc','yourdomain.com','/');clearCookie('__utmz','yourdomain.com','/');">Clear Cookies</a> 

Thank you sid
Am looking around for a script that will delete all cookies for a domain without naming them. Have found some snippets I shall try later.

Have read that js will only delete cookie that is created by js - don't know why - or perhaps it is the destinction between client side and server side.

I also found this php:

// unset cookies
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
}

This appears to have only deleted a session cookie, which I guess is set serverside.
Perhaps a combination of php and js will delete tham all.

3rd party cookies will be another story of course.

Hi denisl,

Perhaps not the place to be discussing coding but I think the issue is related to the domain that set the cookie not the technology that set the cookie. The browser doesn't know how the cookie was set, or at least that information is not stored in the cookie.

The point with .js is that it is only safe to assume that it'll do the job if the cookie was set by .js. If it was set by server side scripting then you can't be sure that the user doesn't have Javascript switched off. So the best way to delete a cookie is with the same technology that set it. When I say technology I simply mean either server or browser. It matters not what scripting language you use. You could set a cookie using Perl and remove it using php.

For Google analytics cookies the js I quoted is OK as GA cookies are set by js. You could have a link to a php script in noscript code if you want belt and braces.

Like you I don't think it is acceptable to tell users that if they want to delete cookies they should go to a page that explains how to do it manually in their particular browser.

Well it is more than that I think.

I don't see how we can possibly ask anyone to opt-in before any cookies have been set.
It seams to me that the best we could be expected to do is have a prominent link to a page where they can then click a link to remove those cookies already set.

I liked the way that airline then took you to page which then gave an opt-in - saying that was the only way you could use the site anyway.

I implemented a consent banner solution on our website yesterday.
I know it's not ideal and will probably annoy users, but it's the same thing that other people seem to be doing. We actually think our solution is pretty good compared to some of the others that people are adding to their websites (and some of them charge a lot of ££!), so we've released ours for free for other people to download and use.

[edited by: IanTurner at 2:07 pm (utc) on May 10, 2012]
[edit reason] Removed link - unecessary to the thread [/edit]

The link to my solution in the last post has been removed, so if you want to use the solution we're sharing, just google for "Silktide cookie consent" and you'll find it :-)

I've seen some others like CookieQ and CookieControl, which are similar, but the one we created allows our users to opt-in to the same type of cookies on all sites using the same plugin.

Which solution are you guys using on your sites?

Not being an uber-techie, I'm still somewhat in the dark with all this, so please excuse my ignorance(!)

None of my code on the sites' html/php pages sets or uses its own cookies - they are informational/reference sites, on which some limited advertising exists. I do not sell any products on my site pages, no shopping carts, order handling, payments etc.

However, these sites do host third-party code in places, for the likes of Adsense, Amazon, Ebay Partner Network, plus other affiliate network links and the like.

They also run stats tracking code (statcounter) on each page.

One site has a phpbb forum attached to it, which presumably uses cookies.

Where does this leave me from the point of view of having to ensure visitors' agreement with ref to cookies? I'm guessing that the stats code will be using cookies, and the forum, but I'm unsure about the other pasted-in code for Adsense, and the others?

Many thanks :)

DoU

Probably all of them will (attempt to) set cookies. It's a stupid "law" formulated and passed by internet ignoramuses.

@Duke_of_Url

With regard to essential cookies that are required in order for the website to function. They are exempt from the law. I would still make people aware that they are being set in your privacy policy and terms for using your forum etc.

The other cookies that are used to inject ads, track visitors etc are not exempt and require opt in by your visitors. They have to give you positive consent to store cookies on their machine.

Most/all of these 3rd party cookies you mention are set using Javascript. Most of the opt in solutions prevent the Javascript that sets the cookie from being triggered (or being incorporated into the page and therefore it can't be triggered) unless the user has given consent to cookies. In giving consent a cookie is set for that domain and thereafter the 3rd party code can run and their cookies set.

An interpretation of the law is that you must provide your users with the ability to revoke their consent. Amusingly the ICO website does not have this option in their solution (at least when I last looked a couple of weeks ago). The fancy BT solution allows the user to control which categories of cookie they will accept. But if you look the essential ones cannot be blocked.

Hope this helps

Cheers

Sid

PS Unless the ICO say it is OK to not ask for consent to Google Analytics cookies by the 26th I'm pulling GA code from my pages on the 26th. I'd rather fly blind than have my users confused.

Highly relevant article ..and the comments on it there are well worth a read too..
[theregister.co.uk...]

The ICO website has been attacked!

Disruption to our website

We’re sorry that some users may have had problems accessing our site over the past few days. This was due to an attack to our site. The website itself contains no sensitive information and was not damaged.

We will continue to try and keep our website available to all our users. Our helpline is available on 0303 123 1113 or 01625 545745 between 9am and 5pm.

Made me think - don't shoot the messenger!

leosghost - good link but still confusion reigns.

"A lack of an adequate technical solution within browser settings to enable user consent to cookies to be expressed was attributed by the ICO as the reason for the year's enforcement hiatus."

I've been using browser settings for years to allow me to only accept cookies if I choose to. Does any browser not have such a feature? Mind you, getting people to set up their web browsers properly in the first place is a problem - most do not have a clue!

Still failing to find any sites that would appear to comply. Came across a survey of 50 top travel sites (carried out end of April) that showed none comply or even have an obvious link to cookie info. Some had no cookie info at all and 2 had no privacy policy.

Out of interest, on my main site, I have had what I think is a very prominent link (separate from the menu) to my cookie page for the last 3 weeks. On that page I have tried to list all cookies set by my site and a list of 3rd parties that may set cookies. Approximately 0.2% of visitors have been acessing that page.

I now have a prominent (but not near the top of the page) link from that page to a page that deletes cookies already set by the site. That page has no menu but one link to the home page that clearly states by continuing they are agreeing to receive cookies. I wont know how many visit that page as it does not set cookies so has no analytics.

I expect that this would show a willingness to work towards compliance and keep me out of trouble for now. Shall wait to see what everyone does.

@denisl I'm wondering if what you have done (deletion script) coupled with a terms of use that make it a condition that they are deemed to have given consent if they continue to use and some form of notice to the effect "our terms of use have changed" click this link to read more about it. Would actually be enough.

Well that is what I am hoping.

Had some info from AffiliateWindow today (one of the networks i use) with a 25 page document I have yet to read and a 2 page document I have read.
They make the poiont that "realistically 26th May is not the day that all businesses need to be unequivocally compliant; rather it marks the ramping up of scrutiny of solutions that are being rolled out across the Internet. Therefore we should view next week as the start of the compliance process, rather than the end."

They also see the most important points to be to have a cookie page that gives as much info as possible about cookies set by your site and that a link to it should be prominent.

They also give specific information about the 3rd party cookies they set via my site, information that I don't presently have from other networks.

We manage 100+ websites for different businesses. Just starting to look at which sites do/don't use cookies. Found that sites with a WordPress blog have cookies - that I think can be construed as tracking cookies since WordPress has statistics plugins.

Also YouTube included on sites has many similar cookies.

Looks like any site with WordPress or YouTube must require consent before granting access to those services. Thats a business killer for the UK.

[edited by: kapow at 11:49 am (utc) on May 22, 2012]

@denisl

>>I wont know how many visit that page as it does not set cookies so has no analytics.

your raw log files will tell you how many hits that page receives

@topr8

Yes realised that after I typed it. like many, I use GA and don't look at raw log files.

@Kapow

I'm sure that the ICO is not expecting us to do anything that would be a business killer. At this point time I believe that we just need to give a lot of info on cookies and a way out. I know they are asking for prior consent but I also believe that they are not expecting that at the moment.

It will also be interesting to see what happens when other EU countries implement this. I thought the UK were first but have read something about Sweden having already implemented it but not found anything on how it is working, only comments that it could be a business killer.

Had some info from AffiliateWindow today (one of the networks i use) with a 25 page document

i got that too. there is a nice sentence in there which suggests that the lawmakers are expecting browsers to solve the problem eventually. they are obviously hoping that a user's browser will ask them the question, rather than the site. because that will make it a lot easier for every site to comply.

i've put up a detailed cookie page on my site, containing their names and what they do etc, but that's as far as I'm going. at least until we start hearing about some high-profile court cases.

your raw log files will tell you how many hits that page receives

You can write a separate log file from a single page and view that from time to time. I separately record all 403, 404 and 410 events to separate log files on some sites. The code also auto-senses whether it is on the live or dev server and amends the paths appropriately.

Set

$statusCode

to a three digit number before calling the include file when calling it from your error document pages. Set

$statusCode

to "nocookie" or similar when calling it from your "no cookies" page.

<?php

# Error Event Logging 2012-05-24 (logger.php)

$oldSetting= ignore_user_abort( TRUE );// otherwise can screw-up logfile

if( !empty( $GLOBALS[ '_SERVER' ])) {
$_SERVER_ARRAY= '_SERVER';
} elseif( !empty( $GLOBALS[ 'HTTP_SERVER_VARS' ])) {
$_SERVER_ARRAY= 'HTTP_SERVER_VARS';
} else {
$_SERVER_ARRAY= 'GLOBALS';
}

$requestHost= ${$_SERVER_ARRAY}[ 'SERVER_NAME' ];

if(stristr($requestHost, 'example.co.uk')) {
if(stristr($requestHost, 'dev')) {
define( '_DIRECTORY', '/var/www/vhosts/example.co.uk/subdomains/dev/httpdocs/includes/logfiles/' );
$site = 'dev';
} else if(stristr($requestHost, 'www')) {
define( '_DIRECTORY', '/var/www/vhosts/example.co.uk/httpdocs/includes/logfiles/' );
$site = 'www';
} else if(!stristr($requestHost, 'dev') && !stristr($requestHost, 'www')) {
define( '_DIRECTORY', '/var/www/vhosts/example.co.uk/httpdocs/includes/logfiles/' );
$site = 'www';
}
}


define( '_LOGFILE','errorlog' . date('-Y-m-') . $site . '-' . $statusCode . '.txt' );
#define( '_LOGFILE','errorlog' . date('-Y-m-') . $site . '.txt' ); // all in one
define( '_LOGMAXLINES','3000' );

global ${$_SERVER_ARRAY};


$logFile= _DIRECTORY . _LOGFILE;

$datetime= date( 'Y-m-d H:i:s O' );

$remoteIP= ${$_SERVER_ARRAY}[ 'REMOTE_ADDR' ];

$requestURI= ${$_SERVER_ARRAY}[ 'REQUEST_URI' ];

$referer= ( isset( ${$_SERVER_ARRAY}[ 'HTTP_REFERER' ]))
? ${$_SERVER_ARRAY}[ 'HTTP_REFERER' ]
: '<unknown referer>';

$userAgent= ( isset( ${$_SERVER_ARRAY}[ 'HTTP_USER_AGENT' ]))
? ${$_SERVER_ARRAY}[ 'HTTP_USER_AGENT' ]
: '<unknown user agent>';

if(preg_match('#(Opera\ [0-9]+\.[0-9]+)#',trim($userAgent), $extracted)) {
$agent = $extracted[1];
} elseif(preg_match('#^(Opera[^(\ ]+)#',trim($userAgent), $extracted)) {
$agent = $extracted[1];
} elseif(preg_match('#^(Xenu.*)#',trim($userAgent), $extracted)) {
$agent = $extracted[1];
} elseif(preg_match('#compatible;\ ([^;]+)#',$userAgent, $extracted)) {
$agent = $extracted[1];
} elseif(preg_match('#^([^\ ]+\ )+([^\(\)]+)#',trim($userAgent), $extracted)) {
$agent = $extracted[2];
} else {
$agent = '<see notes>';
}

$remoteIP= str_pad($remoteIP, 15);

$agent= str_pad($agent, 22);

$requestHost= str_pad($requestHost, 26, " ", STR_PAD_LEFT);

$requestURI= str_pad($requestURI, 80);

$referer= str_pad($referer, 110);

$userAgent= str_pad($userAgent, 120);

$logLine= $datetime . " - " . $remoteIP . " - " . $agent . " - ". $statusCode . " - ". $requestHost . " - ". $requestURI . " - ". $referer . " - ". $userAgent . "\n";

$log= file( $logFile );// flock() disabled in some kernels (eg 2.4)

if( $fp = fopen( $logFile, 'a' )) {// tiny danger of 2 threads interfering; live with it
if( count( $log ) >= _LOGMAXLINES ) {// otherwise grows like Topsy
fclose( $fp );// fopen,fclose put close together as possible
while( count( $log ) >= _LOGMAXLINES ) array_shift( $log );
array_push( $log, $logLine );
$logLine= implode( '', $log );
$fp= fopen( $logFile, 'w' );
}
fputs( $fp, $logLine );
fclose( $fp );
}
exit();

ignore_user_abort( $oldSetting );

?>

[edited by: g1smd at 1:32 pm (utc) on May 22, 2012]

@g1smd

Might do something like that. On some sites I have a script in the 404 page to send me an email with details. Might do that for the delete cookies page, just for interest.

londrum - I repeat: browsers already CAN ask if you want to accept a cookie.

Surely gov should be telling people how to set up their browsers to do this rather than hitting web site owners who, in some cases, cannot afford to change the whole of a large web site to comply with ill-thought-out legislation.