On 26 May the UK's Information Commissioner's Office (ICO) will impose an EU directive controlling the way websites are allowed to use cookies. The law says that sites must provide "clear and comprehensive" information about the use of cookies.
It says websites must:
- Tell people that the cookies are there
- Explain what the cookies are doing
- Obtain visitors' consent to store a cookie on their device
The only exception to this may be cookies used to keep track of a customer's purchases on an e-commerce site. It is hard to be sure exactly what the exceptions are, as the directive is quite imprecise.
The question that we are considering is, 'is this the most ill-considered piece of legislation ever conceived?'. Well, the answer is probably 'no', given that the bar is set very high, but it must be a contender. The basic intent of the law is quite reasonable: to protect users' privacy. The problem is that the legislation is clearly framed by people ignorant of the way that websites actually operate. It is the third requirement, to obtain visitors' consent every time a cookie is stored, that is utterly impractical. Cookies are quite fundamental to the way that modern websites operate, so to comply with the legislation most websites would need to be constantly asking visitors whether they want to accept cookies.
Complying with the legislation will impose considerable costs on most website owners, because they will usually need to pay a programmer to rewrite their website software to do this, and in some cases, such as sites that rely on affiliate sales, it could destroy the business entirely.
And it is quite pointless. If you don't want to accept cookies then it is easy to modify your browser settings not to accept them. For example, if you use Internet Explorer you can go to Tools->Internet Options, click on the Privacy tab and use the slider to block all cookies if you wish. Other browsers such as Firefox, Chrome and Safari offer similar facilities. In Firefox, for example, you can view all the cookies from a particular website and choose to delete individual cookies.
This is a much more sensible way to control cookies. If most people are unaware that they can do this, perhaps a campaign of user education is what is required. These settings could perhaps be made easier to find by the browser manufacturers.
Will this legislation actually have any practical impact? Will websites actually comply with it? Our guess is that most won't bother. A quick bit of inspection found that the UK government's own websites don't seem to be complying with the directive. For example the UK Parliament website: http://www.parliament.uk/ does have a page explaining what cookies are used, but there is no attempt to actually gain consent to their use. The same goes for the Inland Revenue website: http://www.hmrc.gov.uk/. So if even the UK government cannot be bothered to obey the EU directive, really why should anyone else? I imagine that will be the view of most website owners anyway.
It is certainly our expectation that this law will be almost universally ignored, and hopefully quietly removed again within a few years. It's all rather a distraction from the real threats to user privacy. As a web professional there are many things that worry me about web privacy: cookies come very low down on the list.