Ways to ignore the EU cookie directive
Many regulations appear from Europe without a murmur of discontent, but one that has caused all sorts of consternation is 2009/136/EC.
For no logical reason, the directive requires you to ask every single visitor to your website if you can collect, store and process personal data (AKA the cookie law). It’s supposed to be a privacy issue but in reality it’s just a pain in the bum.
The cookie collection
There are all types of cookies. Some are very simple and just report the pages you visited to the site owner. Some cookies are needed to make a purchase on a website (they manage the checkout process). Some cookies remember your preferences; others save your user name.
If you have advertising or use media on your site then the providers may well have their own set of cookies.
Cookies are not (generally) malicious but they can be used to provide personalised content (such as adverts that match your surfing habits).
Exceptions to the law
The EU directive says:
Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.
This means if you need to set cookies for your checkout to work or to manage a login request then you don’t need to ask permission to set a cookie. You do need to be a bit careful about this though. You can’t set the cookie on arrival, you have to wait until the visitor requests a service.
If your site falls over unless you have a cookie enabled then you will have to accept a reduction in visitors or change the way the site works – that’s what the directive says.
If you really want to you can read the pdf of the directive.
The problem with the legislation
At the core of the directive is the requirement to ask permission before collecting, storing and processing personal data. They then blather on about cookies and having all sorts of opt-ins. They offer no suggestions on how to do this so everyone is bemused at what to do next.
Note that the EU hasn’t yet complied with their own directive so no help there.
The UK Information Commissioner’s Office had a ludicrous solution with the message at the top of every page. Since they implemented the directive the number of tracked visitors has apparently slumped:
Stats courtesy of an FOI request by brockvicky
The ICO advice only covers cookies. They don’t say anything about situations where data is collected without using cookies. You could write a script that collected all the data without setting a single cookie.
How to implement the directive.
I have no idea. There are all sorts of suggestions and none of them are much use. Here are three:
The pop-up. On arrival the visitor is presented with a popup asking if they want to allow the collection of data. If (like me) you have a pop-up blocker this method is going to fail. Those that do see the pop-up are just going to decline.
The splash screen. On arrival the visitor is presented with a page that won’t allow access to the site unless they accept or decline. This is going to give you a bounce rate of 100% so not really a viable option.
The on-page message. Every page on the site has an area offering the choice of data collection or not. Ideally the message will disappear if you accept. This is probably the most usable method of opt-in but it’s going to get ignored by the majority of your visitors.
There are no doubt other methods but every one requires some action by the visitor and the default is always going to be: I decline.
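One way to wire up the on-page opt-in described above, as an added example that is not from the post: a server-side decision function that sets a session cookie only when the visitor requests a service such as checkout or login, sets a tracking cookie only after an explicit opt-in, and treats the absence of a choice as a decline. The cookie names, the path list and the placeholder session id are assumptions for this demo.

```javascript
// Added example (not from the post). Encodes the post's rules: strictly necessary
// cookies only once the visitor requests that service; tracking cookies only after
// an explicit opt-in; no choice recorded means "decline".
const CONSENT_COOKIE = 'cookie_consent';       // assumed name of the opt-in cookie
const SERVICE_PATHS = ['/checkout', '/login']; // assumed paths where a session cookie is needed

// Parse a Cookie request header into a plain object; malformed pairs are skipped.
function parseCookieHeader(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) cookies[name] = decodeURIComponent(value);
  }
  return cookies;
}

// Decide which Set-Cookie headers a response may carry for this request and
// whether the on-page message still needs to be shown.
function decideCookies(path, cookieHeader) {
  const cookies = parseCookieHeader(cookieHeader);
  const consent = cookies[CONSENT_COOKIE]; // undefined, 'accepted' or 'declined'
  const setCookie = [];

  // Strictly necessary: only on arrival at a page that actually needs a session.
  if (SERVICE_PATHS.includes(path) && !cookies.session) {
    setCookie.push('session=PLACEHOLDER_ID; Path=/; HttpOnly; Secure; SameSite=Lax');
  }

  // Tracking: only after the visitor accepted; anything else counts as declined.
  if (consent === 'accepted') {
    setCookie.push('analytics=1; Path=/; Max-Age=2592000; SameSite=Lax');
  }

  const decided = consent === 'accepted' || consent === 'declined';
  return { setCookie, showBanner: !decided };
}

// Handler for the banner's accept/decline click. The consent cookie itself stores
// a choice the visitor made explicitly, so it can be set without asking again.
function recordChoice(choice) {
  if (choice !== 'accepted' && choice !== 'declined') throw new Error('invalid choice');
  return `${CONSENT_COOKIE}=${choice}; Path=/; Max-Age=15552000; SameSite=Lax`;
}
```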
Who really cares?
As a consumer I couldn’t give a stuff about the problems this causes for the webmaster. As the owner of a website it will be a little troublesome but not insurmountable. For most website owners all they want to do is track their visitors. They don’t need to know anything about you as a person, just how you use the site: where you came from, where you landed on the site, what you did and where you left the site.
Others however want to know a lot more. Advertisers are very keen to track your movements so they can provide targeted adverts. Some will want to see which adverts work and which don’t. Some are quite intrusive and will log your keystrokes and where you clicked on the page.
It is this that the EU directive is really targeting. But in doing so they have made it very difficult for people to test pages and improve the user experience. If you don’t know how people are using your site then you won’t know what you need to change.
What to do next.
Nothing. Nothing at all. There was a 12 month delay on implementation (due to end May 2012) so all you needed to do was define how you are going to manage personal data.
But consider this. There are millions of websites. The EU doesn’t have the resources to police all of them so the chances of anyone being taken to court over non-compliance is virtually zero. We already have regulations on accessibility, contact details, whois, legal statements and so on and almost nobody has ever been challenged over non-compliance. Trading standards don’t care (unless you are selling dodgy goods) so I think we can rest easy about the rather silly law.
Update: The ICO has revised their position and now puts the onus on the user to manage data collection, not the webmaster. There is now implied consent for cookies. A complete turnaround that makes the whole shambles even more ludicrous. Note that the ICO still hasn’t addressed the issue of data collection without using cookies…
Update 2: Since I wrote this article in 2011 lots has happened. Many sites added a cookie consent thing to their sites and then took them off again. Many more told me they were tracking and only allowed consent (there was no opt out). As normal it has degenerated into farce.
Easy to install script can be found here – http://www.anowave.com/cookie-control-directive/
There are loads of scripts and plugins out there that do the same. None of them are needed. All you have to do is tell people about your cookies and how to manage them. In the UK the ICO has even backtracked on the need to get permission – they just have a message that tells me they have already set cookies.
We have created a complete suite of solutions both free and commercial for people who want to gain compliance via an active consent mechanism.
http://demos.dev.wolf-software.com
That’s a pretty good solution. I’ll install the plugin and have a play but looking at your demo it seems to work well.
Well said.
We have a showcase of beautiful ways to implement the EU Cookie Law here:
http://www.seoconsult.com/seoblog/about-seo/showcase-elegant-examples-of-implementing-eu-cookie-law-opt-in.html
Very subtle Jon.
I’ve considered the sledgehammer approach of bouncing everything (except search engines) to a page where they can accept cookies or bugger off :O)
If everyone did this, the whole stupid law would collapse.