@g1smd ..:) nice, appreciated :) and the //comments made me smile ;)

I see Tradedoubler have just updated their site. Visiting it today, there was an overlay with a link to their updated privacy policy and a statement that by continuing on the site you are agreeing to the policy. The overlay does not dissappear until you click and "Agree" button on it. This appears to set a 1 year cookie.

This would appear to cover them but I notice the blurb from Affiliate Window that visitors should have "informed choice". With the TD solution, it is possible to click the agree button without going to the privacy policy.

Anyway, the TD site is likely to be visited by the likes of us so the opt-in will not cause a problem.
We on the otherhand may need to be a bit more careful with what we present to visitors to stop them hitting the back button.

Virginmoneygiving have made it a condition of use. Their growl bar ends with "By using our website you accept our use of cookies. Find out more about cookies."

It seems to me that this is a good approach and I've decided to use it myself but instead of a growl bar or similar I've just put a small notice in a prominent(ish) location with a big red "i" next to it. The text includes a link to the privacy policy page. On there is info about the cookies we set together with a link that allows users to delete the cookies that have been set. This takes them to a thank you page that does not set cookies. They can then leave via a link to a serch engine or by closing the browser window or tab.

Incidentally since you can clear cookies simply by setting the expiry date to an earlier date you just need to write a cookie with the same name and earlier date in order to clear it so the following simple code does all you need for GA cookies.

<!-- IN DOCUMENT HEAD Just change yourdomain -->
<script type="text/javascript">
<!--
function delete_cookie ( cookie_name )
{
document.cookie = cookie_name + "=; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/; domain=.yourdomain.co.uk;";
}
//-->
</script>

<!-- Put this where you want it in the page -->
<p><a href="<!-- Link to cookies deleted page -->" delete_cookie('__utma');delete_cookie('__utmb');delete_cookie('__utmc');delete_cookie('__utmz');">Clear Cookies</a> </p>

The following function works for me (borrowed from somewhere)- I call the function in the body tag of the thank you page. Deletes cookies on page load without having to name them.

function delete_cookie()
{

var new_date = new Date()
new_date = new_date.toGMTString()
var thecookie = document.cookie.split(";")
for (var i = 0;i < thecookie.length;i++)
{
document.cookie = thecookie[i] + "=; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/; domain=.domain.com;";
}
}

@denisl That works fine by me but there are a couple of superfluous lines in the code.

function delete_cookie()
{
var thecookie = document.cookie.split(";")
for (var i = 0;i < thecookie.length;i++)
{
document.cookie = thecookie[i] + "=; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/; domain=.domain.com;";
}
} 

You don't need the date variables as you have hard coded the date as Thu, 01-Jan-70 00:00:01 GMT.

I'm using that called by a link.

I'm just trying to persuade my shared server to let me use mail() to send a message if anyone actually uses the cookie clearing function.

I have now dropped the idea of sending myself an email when anyone uses this as I think people will play with it - clear the cookies, see that it works, then continue with the site and axcept cookies.

Could reduce bounce rate ;)

I got my first email last night. I'm going to carry on with this. I'm not interested in absolute numbers just want to see if there's a change over time. I suspect people will stop noticing the notices on websites over time. Just now with them starting to spring up on sites they will be inquisitive. Hopefully they will see them on big brand and government sites and this will give them confidence about ours.

Cheers

Sid

My own figures for my main site over the last 2 days, 14,000 unique visitors and 28,000 page views, are that there were 47 page views on my cookie page (0.17%), and 36% of these exited the site (either directly or through the delete cookie page I guess).
And this is with what I think is a very prominent link to the cookie page.

I'm quite happy with those figures. Like you sid, I believe visitors will come to see this as a sign of a professional site.

The DirectGov cookies page is amusing. It makes no mention of consent, it simply lists reams and reams of information on which cookies are set, specific details about them and when they will expire etc. It has links to other sites so you can read their information about cookies and links to pages about how to manage cookies on your browser but no mechanism for requesting consent, no means to revoke consent, no easy method to delete cookies and nowhere that says that it is a condition of use that consent be assumed to have been given by virtue of continued usage.

In short unless they are going to be busy this afternoon and tomorrow there is absolutely on way that they will be compliant.

Sorry to do a run on post but I forgot to mention.

On my "Cookies Cleared" page I've added some text to try and persuade them to change their mind. The link for "changed mind" takes them via a script that sends me an email to this effect.

If numbers get too high I'll change this to write a line in a log file.

I'm now seeing popups appearing on many sites, and I have to admit, it's already becoming extremely annoying. :/

I don't know if you guys have seen the solutions by some very big sites:
[bbc.co.uk...]
[mirror.co.uk...]
[bt.com...]

Each of these sites show you a message about cookies, but assume you consent, and set cookies anyway. Clicking any link on the page assumes you consent, and hides the message. Each of them do however allow you to control the cookies, but you can only do this after the cookies have been set.

The financial times website (http://www.ft.com/home/uk) is similar, apart from the message can't be ignored quite as easily, as you have to actually click to close the cookie message before continuing. Although it's not without its quirks, many cookies are set before you can view their cookie policy, or choose to opt-out of cookies.

I thought the ICO guidelines stated quite clearly that we needed to collect prior consent for cookies, but all these options don't ask before setting cookies.

Is this the way it's going perhaps? We can set any cookies we like as long as we display a prominent message about them? What do you think about these solutions?

With some servers it's difficult or even impossible to suppress the cookie-setter. That's why the browser option is much better - it catches the cookie before it's set. And (at least in FF) it also sets an option for the site saying "Use this option for all cookies from this domain" - very useful (eg) for "Do Not Accept" responses.

"Cookies law changed at 11th hour to introduce 'implied consent'"

[guardian.co.uk...]

taken from the new government .pdf

For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button.

that sounds like the BBC's implementation is all you have to do to stay legal. thats handy

What a complete waste of time. Why didn't they tell us this a week ago? Where do I send the bill for my wasted time?

Unlike a lot of other privacy issues where the company holds the data in secret and it's a struggle to see what information they have and how they use it, cookies are stored on the users machine and the user has direct and immediate access to them. In particular, users retain full control within their browser to inspect and delete any cookie at any time.

It was a crazy situation to put the onus on tens of millions of websites to modify their behaviour instead of asking a couple of dozen browser makers to improve their cookie management tools. The simplest method is to change the browser default to "ask the user about each new cookie".

[edited by: g1smd at 9:09 am (utc) on May 26, 2012]

does this law only concern UK sites or worldwide and do they go after where the server is located.

Any site hosted in the EU is covered by it, and I think any site doing business within the EU... but good luck to them to chase businesses fully hosted abroad.

Another crazy rule from people who has no clue about the web. Can a site just place a text at the bottom of the site where it say "we use cookies to make our site better" and thats it.

How about a article, news site, sport site.. a site which dont sell anything and placed in the US is that doing business with the eu, I would say no.

You've missed the point. It has gone away they are allowing us to imply consent by virtue of use. Have a read of the new guidelines.

[ico.gov.uk ]

I'm livid about the fact they left it until the day before to tell us not the fact thet they did it in the first place!

I think that the idea of three people having to send out a hundred million compliance notices and then deal with tens of thousands of cookie complaints per day forced their hand.

All we need now is for a disabled user using a non-visual browser to report they weren't informed or given a choice...

im not sure I get this, the point is they are informed and its not enough with a privacy page, so if I place "we use cookies to spy on you be cause we have facebook and google as role model" at the bottom of the frontpage, is that enough.

My interpretation FWIW is that there is a sliding scale.

Session and absolutely essential cookies for the functioning of the site do not need consent.

Cookies that are just used for statistical analysis and don't do anything to the website in real time need a notice, inclusion in privacy policy and consent can be assumed.

Cookies that re used to tailor your experience but you control should include a message that a cookie is being set to remember your settings next time, and therefore they store consent.

Cookies that tailor your experience in real time that the users have no control over need definite informed positive consent.

I only use GA so I'm just making a prominent link to a page on cookies that explains what we use, what they do and the fact that we assume they have given consent and in fact that it is a condition of use that they accept this. I'm not having a pop-up or growl bar, just a simple link that says "Cookies" that is a bit more prominent than my links to privacy policy, about, contact etc pages.

I'm thinking that the worst that could happen is they say "well done for trying but you need to do a bit more".

So now it's a question of working out how to do this implied consent thing.
These popups being used by some sites don't seem to be blocked by popup blockers - is that right?
I'm pretty ignorant about the whole cookie thing - I've read a lot but most of it doesn't help me or doesn't penetrate into my thick brain in an understandable way!.
My sites (like many people's I guess) don't place cookies themselves but affilaiate advertising, adsense, youtube videos, facebook "like" buttons I guess all do if people click on those.
I use a standard form privacy policy to comply with Google adsense TandC's anyway. Do you think that making this more prominent with a message saying - read our policy here and if you continue on the site your consent is implied will be sufficient?
Presumablky that would have to go on every page.

On the ico.gov site:

"...implemented by the Department for Culture, Media and Sport (DCMS)."

Ah, so not business, then. Still, I always considered getting a web site up and running to be more a hazardous sport than a business. Especially with the height of the hurdles being currently controlled by google. :)

Interesting that the ico site offers youtube links (with the advisory note that youtube sets cookies): youtube is a high-profile virus source that everyone should avoid - far more lethal than cookies. And that ico offers PDF downloads, which are also a potential source of viruses. I hope they have all their PDFs checked for virus and exploit content.

I've given this subject a good half an hour's thought - all it's worth really.

The first thing that came into my head was that if any site was prosecuted under this law then it would almost certainly make the headlines. It would then take many months for the prosecution to proceed and fail / win. So, no panic (unless your site happens to be the one in a million which is actually prosecuted) we will have due warning and then lots of time to implement a solution if it really does become neccessary.

So, stop spreading panic about this law, relax and see what happens. Just to reduce that chance of one of my sites being the first example site for prosecution I will place a small two line note at the top of each page saying something along the lines "by using this site you are agreeing to the use of cookies. Click here for more information about coookies and their use on this site". I will link to my existing privacy statement.

Given the fact that most sites don't even do the above, chances of being selected as a target for the first (if there is one) prosecution are reduced to almost zero.

In the end this law will accept the fact that browsers should be the first port of call for anyone wanting to stop cookies being placed on their computer.

And the real rub is this, if I am forced to stop the placement of cookies as part of my site's logic then I'm more than happy to do so. But a site without cookies is a site without income as far as I am concerned and I have no intention whatsoever to provide any meaningful content for free to the masses.

I will simply ask my users to consent to the use of cookies or not. If they don't then they will have to make do with the "print css" version of my site, without pictures, no videos and badly formatted text.

Google and Bing have remained amazingly silent on the subject of Cookies in the UK, I wonder why?

Just to reduce that chance of one of my sites being the first example site for prosecution I will place a small two line note at the top of each page saying something along the lines "by using this site you are agreeing to the use of cookies. Click here for more information about cookies and their use on this site". I will link to my existing privacy statement.

That is exactly what I implemented but I've now removed it as I think that the watered down guidelines don't even require this for analytics cookies.

As you imply the law (any law for that matter) is all about interpretation. Until there is a test case we will never know how much we need to do to be fully compliant.

I only use GA so I'm just making a prominent link to a page on cookies that explains what we use, what they do and the fact that we assume they have given consent and in fact that it is a condition of use that they accept this. I'm not having a pop-up or growl bar, just a simple link that says "Cookies" that is a bit more prominent than my links to privacy policy, about, contact etc pages.

I'm thinking that the worst that could happen is they say "well done for trying but you need to do a bit more".

I completely agree with your definitions and have taken the same actions with the 5 website I run for my company.