New cookie law in UK?

Discussion in 'Discussion' started by simmons1, Feb 25, 2012.

Thread Status:
Not open for further replies.
  1. simmons1

    simmons1 New Member

    Joined:
    Feb 25, 2012
    Messages:
    9
    Likes Received:
    0
    I read that the new "privacy" legislation relating to cookies (opt-in/opt-out) is become law in May 2012 in UK after being deferred since May 2011. But advice on the COI (Govt) website states that the "grace period" runs out in May.

    Have you, or any other members, got a script or some other way of conforming?

    I found a script to use for opt-in/opt-out of Google Analytics cookies, but I am now wondering what to do about cookies from StaCounter.

    Personally I hate the idea of every visitor being greeted with a message about accepting/decling cookies - it will drive people bonkers, I know it will get on my nerves!

    Chris
     
  2. webado

    webado Moderator

    Joined:
    Apr 29, 2004
    Messages:
    28,168
    Likes Received:
    1
    This is quite useless. All browsers already have settings to allow or block cookies.
     
  3. DavyAndDavy

    DavyAndDavy New Member

    Joined:
    Dec 19, 2011
    Messages:
    46
    Likes Received:
    0
    The UK law is operational now and has not been deferred until May 1012, however the Information Commissioner's Office has said it will not prosecute until after that date provided UK website owners are taking steps towards complying, such as researching methods and analysing sites as simmons1 is obviously doing.

    As importantly, it is also now saying that it is unlikely to prosecute UK websites owners who are using analytic methods that use first party cookies, even if user consent is not sought, provided they make it very clear to users that this is being done, along with providing other information that they should already be doing under earlier legislation.

    Unfortunately this does not apply to StatCounter, because it uses third party cookies, so user consent is required.

    webado, I don't know what you mean by "quite useless" but EU member states have stated that the cookie control methods used by all current browsers are not good enough to satisfy the regulations about getting user consent, although that might change in the future as browsers are updated.
     
  4. pawpoint

    pawpoint New Member

    Joined:
    Feb 27, 2012
    Messages:
    1
    Likes Received:
    0
    We will just have to hope that the internet browsers quickly update themselves for this. I agree with simmons1, the pop-up will just drive people mad, just like the pop-up adverts used to before the browsers added automatic closure on request.
     
  5. webado

    webado Moderator

    Joined:
    Apr 29, 2004
    Messages:
    28,168
    Likes Received:
    1
    All I can say is that EU regulators and those regulations are:
    1) useless
    2) a product of ignorance
     
  6. simmons1

    simmons1 New Member

    Joined:
    Feb 25, 2012
    Messages:
    9
    Likes Received:
    0
    Webado,
    I totally agree, it is borne out of ignorance of how the internet works! But it claiming to be protecting people's privacy is a good "vote-catcher".

    DavyAndDavy,
    the question of first-party cookies is very dubious: Google are now saying that GoogleAnalytics is a first-party cookie but if it is issued by Google's servers how can it be (it is is not issued by the actual website?), so I think Google is going to fail on that one.
    StatCounter's cookie is definitely a third-party cookie so, under the current EU/UK legislation, visitors have to be shown explicitly (by a message box) that cookies are being used and given the option to opt-in/opt-out. Pawpoint's comment about browsers will not apply (in UK) because ICO have stated that it is insufficient to use a browser cookie blocker - they must be unique to the website?
     
  7. DavyAndDavy

    DavyAndDavy New Member

    Joined:
    Dec 19, 2011
    Messages:
    46
    Likes Received:
    0
    I agree that the law is stupid but that doesn't mean it can be ignored. I also get the feeling that the UK ICO thinks it's a bit stupid and is throwing a lifeline to UK website owners by outlining the circumstances when it "probably" won't prosecute.

    There is nothing dubious about the Google analytics cookies being first party. Just examine the cookies and the domain is your site, not a Google site, so by definition they are first party. Sure, a Google server actually deposits the cookies but it does it in your name and, in effect, it's your website that asks it to do it. The important bit is that Google cannot read these cookies back unless the user visits your site and you, in effect, pass on the information to Google. (I know the Google server is doing the work but it's because of code embedded in your site.)

    In contrast, the StatCounter cookie belongs to the StatCounter domain. That means StatCounter can read the cookie that has "your" visitor information when "your" visitor visits any website that uses StatCounter.

    So yes, whichever way you look at it, you need to get user consent to leave a StatCounter cookie. It's not really opt-in/opt-out, it's more like opt-in. But it doesn't have to be via a message box, it depends on the nature of the website. If, for example, it's a forum such as this then the consent could be gained as part of the registration system. But for normal browsing sites then it has to be something in your face.

    If the user says no, or doesn't respond, then you have to disable StatCounter completely. (Or rather not enable it in the first place - you can't use the script until after the user has given consent so the landing page will probably not get recorded.) Evidence shows that 10% or less will say yes so personally I think that any such system will not only put off visitors but will render the statistics pretty much useless.

    It would be much better (for UK owned sites) if the StatCounter cookie was first party but I guess that involves a lot of redesign work on StatCounter's part because I think they use a single cookie for all websites.

    Also, StatCounter says the cookie is only used to identify repeat visitors. If owners were given the option to stop StatCounter cookies for their websites then owners would loose the repeat visitor information but they could at least be legal Europe wide.
     
  8. simmons1

    simmons1 New Member

    Joined:
    Feb 25, 2012
    Messages:
    9
    Likes Received:
    0
  9. DavyAndDavy

    DavyAndDavy New Member

    Joined:
    Dec 19, 2011
    Messages:
    46
    Likes Received:
    0
    In my opinion, for most websites, asking for user permission to use cookies is a complete waste of time.

    Most people do not know what cookies are and the majority of those who think they know about cookies believe they are bad. Cookies have had a bad press and this legislation doesn't go any way to contradict this, probably the opposite.

    Most people who are asked for consent using pop ups, overlays or anything similar will therefore either say "no" or will not answer the question. This means, your analytics will be nigh on useless. A freedom of information request to the ICO about there own website, which has a user request banner, suggests that only 10% of users have given consent, based on visitor numbers recorded before and after the banner was introduced. So your statistics won't mean anything and you won't really know how big your sample is.

    I think that only websites that operate a sign-in/membership system, and get user permission as part of the sign-up T&Cs, will get meaningful stats results.

    For UK owned websites the only solution, it seems to me, is to take advantage of the leeway that the ICO seems to be offering in its latest guidelines, which includes only using first-party cookies for analytical purposes, or don't use cookies at all. Unfortunately that excludes StatCounter.
     
  10. mikehenson

    mikehenson New Member

    Joined:
    Jun 1, 2005
    Messages:
    15
    Likes Received:
    0
    Statcounter need to act on Cookie Control

    As an EU Company, Statcounter needs to be pro-active on this issue. Comments from Webado as a Forum Moderator are unhelpful and an insult to members.

    http://www.civicuk.com/cookie-law/index provides the tools to ask the visitor for permission, Statcounter now needs to provide an implementation of its cookie that can be controlled.

    I think Statcounter is missing out on a valuable opportunity here to promote itself.

    Why use the CivicUK tool kit and draft policy document; Statcounter could produce its own branded tool kit and documentation that would increase its visibility worldwide.

    It would be nice to see someone from Statcounter themselves involved in this discussion and working towards a resolution in order that we can act legally.

    My company is in the business of providing websites to town and parish councils throughout the UK and we MUST be seen to be acting within the legislation. If Statcounter is not prepared to resolve this issue then we will have to move our sites to a supplier who will.
     
  11. DavyAndDavy

    DavyAndDavy New Member

    Joined:
    Dec 19, 2011
    Messages:
    46
    Likes Received:
    0
    I asked in December what was StatCounter's take in the matter but there was no official reply. I'm also surprised that StatCounter has not expressed an opinion, except what was essentially a dismissal on the Blog before the EU Directive came into force last May.
     
  12. mikehenson

    mikehenson New Member

    Joined:
    Jun 1, 2005
    Messages:
    15
    Likes Received:
    0
    I've just written to them via their contact form but if their Moderator's attitude is anything to go by we are wasting out time.
     
  13. webado

    webado Moderator

    Joined:
    Apr 29, 2004
    Messages:
    28,168
    Likes Received:
    1
    Why don't you write to those law regulators to strike down such asinine laws borne from ignorance instead?

    Just sayin' ...
     
  14. mikehenson

    mikehenson New Member

    Joined:
    Jun 1, 2005
    Messages:
    15
    Likes Received:
    0
    Webado

    This thread does not need moderation or technical assistance so I can see no point in you continuing to contribute.

    What this thread does need is input from Statcounter staff.
     
  15. lutetia

    lutetia New Member

    Joined:
    Jun 9, 2004
    Messages:
    166
    Likes Received:
    0
    I don't understand the point of such regulations. For example, you live in country A, but your website is hosted on servers in country B, and your visitors come from countries C, D, E, F, G, etc., how is the website owner's country of residence even relevant?
     
  16. webmonkey

    webmonkey New Member

    Joined:
    Dec 1, 2011
    Messages:
    123
    Likes Received:
    0
    At the risk of being called a cynic; more jobs for the boys and girls perhaps?

    Joking aside, you raise a very valid point which Mr Henson seems not to grasp. No disrespect to him, but the Web does not revolve around UK law and UK councils.

    Many of us host sites in various countries that serve the needs of clients in many other countries, where legislation differs from that in the UK, EU or USA.

    I'm afraid I agree with Webado - this legislation is both pointless and impractical, but then so much legislation is...

    Just my two cents. ;-)
     
  17. DavyAndDavy

    DavyAndDavy New Member

    Joined:
    Dec 19, 2011
    Messages:
    46
    Likes Received:
    0
    The Legislation is EU driven and is EU wide, albeit subject to slightly different interpretations in different member states.
    As far as I know it was primarily aimed at behavioural advertisers but by targeting the cookie, or similar, it affects most other websites.

    We may think that it's pointless and impractical but that doesn't mean it can be ignored.
     
  18. webmonkey

    webmonkey New Member

    Joined:
    Dec 1, 2011
    Messages:
    123
    Likes Received:
    0
    No? Are you sure about that?
    Here's what one of the top jobsworths...oppsss, "EU Information Commissioner" has to say in the official document:

    "Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.”

    Please note the bit I've highlighted in bold.

    You may have a different interpretation, but to me it clearly says: 'If you're simply tracking visitor hits (regardless of what you use to do this) we're not going to bang you up anytime soon.'

    That this interpretation is correct in confirmed in the next bit of the document which says: "“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."

    Seems pretty clear to me...:roll:
     
  19. mikehenson

    mikehenson New Member

    Joined:
    Jun 1, 2005
    Messages:
    15
    Likes Received:
    0
    Unfortunately Statcounter cookies are THIRD party and that is part of the problem.

    We as "members/users" of Statcounter place their code on our websites so that we can see and track our visitors but Statcounter also has access to this information and what they do with the information is out of our control.

    Furthermore, Statcounter are registered in Dublin which is part of the EU so they too are legally obliged to comply with the legislation which may affect everyone who uses Statcounter and not just those based in the European Union.
     
  20. DavyAndDavy

    DavyAndDavy New Member

    Joined:
    Dec 19, 2011
    Messages:
    46
    Likes Received:
    0
    I'm quite sure the legislation cannot be ignored and I'm sure about what I've said in this and other threads when it comes to the UK position and the UK Regulator. I assume you mean UK Information Commissioner and not EU Information Commissioner and the UK ICO has indeed made the statements you quote. But as mikehenon points out, StatCounter uses third party cookies and not first party cookies. That's why I've asked StatCounter to change to using first party cookies, as Google Analytics does.

    When it comes to the wider EU, outside the UK, I don't think the other Regulators are saying the same thing but I don't know for sure. The Irish Regulator has made a statement about session cookies being OK to use without permission but I don't recall any statement about persistent cookies when it comes to analytics. That's why I have asked StatCounter to add a feature to allow website owners to disable cookies but still use StatCounter.
     
Thread Status:
Not open for further replies.

Share This Page