
Confusion Surrounds UK Cookie Guidelines

Posted by Soulskill
from the cookie-is-for-me dept.
pbahra writes "The Information Commissioner's Office has, with just over two weeks to go, given its interpretation on what websites must do to comply with new EU regulations concerning the use of cookies. The law, which will come into force on 26 May 2011, comes from an amendment to the EU's Privacy and Electronic Communications Directive. It requires UK businesses and organizations running websites in the UK to get informed consent from visitors to their websites in order to store and retrieve information on users' computers. The most controversial area, third-party cookies, remains problematic. If a website owner allows another party to set cookies via their site (and it is a very common practice for internet advertisers) then the waters are still muddy. And embarrassingly for the Commission — its current site would not be compliant with its new guidelines as it simply states what they do and does not seek users' consent."
This discussion has been archived. No new comments can be posted.

  • by xenobyte (446878) on Tuesday May 10, 2011 @02:54AM (#36079894)

    It's just next to impossible to use the law as it is.

    To me however it is very simple: A website can trivially obtain permission from the user for the site's own cookies. An advertiser needs to get opt-in consent before sending a cookie as it is unfeasible to obtain permission as you go. Basically this can be done in a simple way: A visitor to a site featuring ads from the advertiser will see nothing but requests to decide whether to accept cookies or not until this decision is made. The result is stored in a cookie which they need permission for as well. Now when sending ads the decision cookie is checked and if the answer is yes, the ads are sent with the tracking cookies, and if no, they are sent with no cookies.

    This will obviously result in a lot of people saying no to the tracking cookies but that is as it should be. Tracking someone should only be done with consent.

  • by Nursie (632944) on Tuesday May 10, 2011 @03:08AM (#36079932)

    "Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used."

    Not when you're using the Cookie Monster Firefox plugin set up the way I have it set up, no. You can enable session cookies or all cookies on a per-site basis.

    Slashdot is one of the few sites that I do care about having working though, so I allow them to set what they like.

    "This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this."

    Sure, and that's a valid use (IMHO). It could easily work this way though -
    User goes to front page
    Check for cookie
    If no cookie allow user to browse site
    When an action is taken that requires a cookie, present the user with the user agreement explaining about the cookie, and also a login box (if they have a login they must have previously agreed to cookies). When they log in or click through then set the cookie, session or permanent depending on your agreement or preference or whatever.

    If the cookie's there from the beginning then do the usual auto-login stuff.

    A lot of people say that if they're not allowed to set an opt-out cookie, how do they know the user's opted out and how can they then use the site without a popup on every page. My answer to that would be to get them to make sure they actually need that cookie, and if they do then make it clear that the site won't work without it.

    I realise all this makes things more complicated for end users as well, which is less than ideal.
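
The flow described in the comment above, as a server-side sketch. This is an added example, not part of the original comment or any site's code; `handle_request`, `NEEDS_COOKIE` and the `sid` cookie name are hypothetical.

```python
# Added illustration of the flow in the comment above; handle_request,
# NEEDS_COOKIE and the "sid" cookie name are hypothetical, not from any site.
import secrets
from http.cookies import SimpleCookie

# Paths whose function genuinely depends on a cookie (constructed sample).
NEEDS_COOKIE = {"/login", "/basket"}


def handle_request(path, cookie_header="", consent=False):
    """Return (body, set_cookie_header_or_None) for one request.

    consent is True only when this request carries the user's click-through
    of the cookie agreement (or a login, which implies earlier agreement).
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "sid" in jar:
        # Cookie present from the start: agreed on an earlier visit.
        return "page (session resumed)", None
    if path not in NEEDS_COOKIE:
        # Plain browsing: serve the page, store nothing on the client.
        return "page", None
    if not consent:
        # Action needs a cookie: explain and ask, still without setting one.
        return "cookie agreement + login box", None
    # Consent given: only now mint the session cookie. No Expires/Max-Age,
    # so the browser treats it as a session cookie.
    out = SimpleCookie()
    out["sid"] = secrets.token_urlsafe(16)
    out["sid"]["path"] = "/"
    out["sid"]["httponly"] = True
    out["sid"]["secure"] = True
    return "page (session started)", out["sid"].OutputString()


if __name__ == "__main__":
    # Constructed visit: browse, attempt login, agree, return with the cookie.
    print(handle_request("/"))
    print(handle_request("/login"))
    body, set_cookie = handle_request("/login", consent=True)
    print(body, "|", set_cookie)
    print(handle_request("/", cookie_header=set_cookie.split(";")[0]))
```

A refusal is never written to the client here: a visitor who declines simply keeps receiving the agreement page on cookie-dependent paths.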

  • by Nursie (632944) on Tuesday May 10, 2011 @03:59AM (#36080112)

    What's not an answer to the technical problem?

    Don't set cookies without permission, if you really need a cookie then tell them they must have one to use the site. If they have previously allowed you to set one then there will be one there, or they'll have login details or whatever.

    I don't get why there's more of a problem than this.

    Maybe I'm not getting it. Can you describe a situation in which this technical problem manifests itself?

  • by Anonymous Coward on Tuesday May 10, 2011 @04:28AM (#36080230)

    There shouldn't be any client side storage at all. If the browser makers would just drop this stupid cookie idea that Netscape had around the time of the blink-tag, web developers would be forced to design their sites to store anything they need on the server.

    Make the browser send a UUID as a session identifier. When the user types in a new URL, or selects a bookmark, generate a new session identifier, even if it's the same site. That way, you could even be logged in to the same site with two different userids at the same time, something that doesn't work with cookies. When the user navigates from one domain to another, generate a new session id. When loading images or scripts from a different domain than the current page, load them with a new session id.

    No tracking possible.

    "Remember me" would no longer be a setting on the page, which writes a permanent cookie, but a setting in the browser, which makes the current session id fixed for the current domain.
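
A small model of the identifier rules proposed in the comment above, showing which ids a first party and an embedded third party would receive. This is an added example, not part of the original comment; the `Browser` class and the `*.example` domains are hypothetical, and it assumes third-party loads are never pinned by "remember me".

```python
# Added model of the proposal above; the Browser class and the *.example
# domains are hypothetical, and no real browser works this way.
import uuid


class Browser:
    def __init__(self):
        self.remembered = {}  # domain -> pinned id (the "remember me" setting)
        self.domain = None    # domain of the page currently shown
        self.sid = None       # session id sent to that domain

    def _new_id(self, domain):
        # A pinned id is reused; otherwise every new session gets a fresh UUID.
        return self.remembered.get(domain) or str(uuid.uuid4())

    def open(self, domain):
        """Typed URL or bookmark: always a new session, even on the same site."""
        self.domain, self.sid = domain, self._new_id(domain)
        return self.sid

    def follow_link(self, domain):
        """Link click: the id survives only while the domain stays the same."""
        if domain != self.domain:
            self.domain, self.sid = domain, self._new_id(domain)
        return self.sid

    def load_resource(self, domain):
        """Image or script: same-domain loads share the page's id, while
        third-party loads get a one-off id (assumed never pinned)."""
        return self.sid if domain == self.domain else str(uuid.uuid4())

    def remember_me(self):
        """Browser-side setting: pin the current id for the current domain."""
        self.remembered[self.domain] = self.sid


def tracker_view():
    """Ids an embedded third party (ads.example) receives across a visit."""
    b, seen = Browser(), []
    first = b.open("shop.example")
    seen.append(b.load_resource("ads.example"))
    same = b.follow_link("shop.example")    # same domain: id kept
    seen.append(b.load_resource("ads.example"))
    b.follow_link("news.example")           # cross-domain: new id
    seen.append(b.load_resource("ads.example"))
    second = b.open("shop.example")         # typed again: separate session
    return first, same, second, seen
```

The model covers only the session identifier the browser would send; it does not model any other attribute of a request.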
