Thursday, 03 May 2012
The EU Cookie Law and your website

You've probably ended up here from a Google search, and there are hundreds of websites latching onto the "EU cookie law" that comes into effect on 26 May 2012.

Firstly, there are a lot of sites offering solutions and consultancy around the issue. If you are a developer who just wants to get down to the nitty gritty with the free tools available on the Internet, then read on. Secondly, the wording I have used and the various interpretations are my own; I strongly encourage you to read the ICO guidelines before implementing anything, and you use any of the wording or ideas here at your own risk. If you are a large organisation, refer to your legal department first for their interpretation of the law.

Right, everyone is talking about doing a cookie survey and a lot of organisations will offer to do one for you. The truth is, this isn't a hard task at all; it just takes a little time. All you need to do is make a list of all the pages on your site and all the actions you would go through on your site. Then get yourself a copy of:

  • Firefox (if you don't already have it; all web developers should have a copy)
  • Firebug (just about every web developer I know has this installed)
  • Firecookie (an add-on for Firebug that shows you the cookies a site sets)

Now there are plenty of other tools out there you can use. The ones above just happen to be my favourite.

What cookies do we have?
Right, fire up Firefox, enable Firebug and then Firecookie, and visit the website you want to do your cookie analysis on.

image

You should see something similar to the image above. As you can see we have 4 session cookies, and the cookies whose names start with an underscore are from Google Analytics. We'll worry about Google Analytics later; the next step is to find out whether any of these cookies are still being used by your site. Many sites never use the ASP session cookie, although it is enabled by default in IIS (if your site is hosted on IIS). If you know you are not using it, turn ASP session state off as described in Microsoft's TechNet documentation, but test this on a dev environment first: anything that still relies on session state (logins, baskets) will break the moment the cookie goes. So far on the above site I have eliminated 2 cookies from the equation.

The next step is to navigate the pages in your site (remember the list I mentioned above): use your contact forms and any other functionality in your site that may use a cookie. If you run an ecommerce site, add items to your basket and monitor what cookies appear. Note these down as you make your way around your site.

Once you have a list of all the cookies on your site, write down what each one is for and work out whether that functionality could be delivered without a cookie. For example, suppose you store the fact that a logged-in user has dismissed a message in a cookie. When a user logs in they are usually issued a session cookie; the site looks that session up in the database to find the user id, username, basket items and so on. That same session cookie can carry the "message dismissed" flag too: store it in a table of user preferences keyed by user id, and the extra cookie becomes surplus and can go.

These are all the cookies we need
After we have made sure we have got rid of the cookies that are surplus to our requirements, the next step is messaging the user about the cookies we want to keep. The Information Commissioner's Office (ICO) appears to be clear on one point: consent must be obtained before placing a cookie on a user's machine.

What does obtaining consent mean to us?
It basically means that before placing any cookie on a user's machine you have to ask them whether this is OK. There are caveats, the main one being cookies that are essential to deliver a service or piece of functionality the user has asked you for (the ICO guidance calls these "strictly necessary"). As far as I can tell you are fine placing such a cookie on their machine as long as you tell them you are doing so. Here are some examples.

Ecommerce site adding item to my basket for the first time
If this is the first time a user adds a product to their basket, you could use the following message

"In order to add this item to your basket we need to store the following cookie on your machine" Yes/No

If the user consents to this action you do not need to ask again, as you have now gained consent. You may also need to gain consent for the very fact that you store a consent cookie on the user's machine (yes, it does get rather silly).

"In order to register the fact you have given consent to store this cookie on your machine we need to store another cookie on your machine" Yes/No

However I don't think you will be hauled over the coals if you don't. Additionally, because the cookie is essential to the working of your site, some people believe that a notification for this action should not be needed at all. As you can see the law is quite open to interpretation; I suppose it depends on just how cautious you are being.

Logging into a secure site
If a user logs into a website for the first time you could use the following message, placed next to the login button with a tick box they have to tick before logging in.

"In order to log into this website you agree to receive what is called a session cookie on your machine"

or without a tick box.

"In order to log into this website you agree to accept the following cookies .."

Analytics
This one is going to cause a lot of pain, and a lot of websites are going to lose out if they use cookie-based analytics packages such as Google Analytics. As far as I can tell there is no way around it other than to present a nice big dialogue box to the user with one of the following messages.

"This site uses Google Analytics in order to monitor its performance and for us to make improvements to our site. It does not store personally identifiable data about you. Can we place a cookie on your machine to enable this functionality?" Yes/No

Check that the middle sentence is actually true for your configuration before you use it: the Google Analytics cookies carry a unique visitor identifier, so whether they count as personally identifiable depends on what else you collect alongside them.

According to some results I have seen, the above usually leaves you with a black hole in your analytics data. The following text may work better, although it may prove controversial depending on the organisation.

Deny Access/Catch All Scenario (Controversial)
The following text may prove controversial and I have no way of knowing how it will impact the business of a site, although if enough large sites do it, it may be something users become used to.

"In order to use our site the following cookies will be placed on your machine. If you object to the use of these cookies you will not be able to use our site" Yes/No

Under the message, list every cookie the site uses along with the purpose it is used for. This is probably the easiest solution to implement, and the wording can be altered to suit. The dialogue box is shown to anyone who does not have a "consent" cookie on their machine. Implementing it can be a problem depending on how cookie generation works on your server platform: if the platform sets cookies in the response headers before your page code runs (session cookies usually are), a client-side check alone comes too late, and the consent check has to happen on the server before the first Set-Cookie header goes out. You could implement it in various ways; here are a few examples.

Before your site places any cookies on a users machine you:

  • Check for the consent cookie on the user's machine. If the consent cookie does not exist, redirect the user to a page containing the above message.
  • Check for the consent cookie. If it is missing, activate code to display a light box on the page with the above message. Clicking OK sets the consent cookie and reloads the page, which calls your cookie generation functions to place cookies on the user's machine. I favour this option as the user can see your site behind the light box and knows they are just a click away from getting to it.

Master Pages

  • If your site makes use of master pages you most probably have the Google Analytics activation code sitting there. It should be a simple process to place this code inside a placeholder that is not rendered until a consent cookie is detected.
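One way to wire the light-box option and the analytics gating together on the client, as an added example and not code from the original post. The consent cookie name (`cookie_consent`), the analytics script path and the lightbox markup are assumptions; substitute your own. Cookies the server sets in response headers (the session cookie, for instance) still need the same check on the server before the response is sent.

```javascript
// Added example (not code from the original post): a consent gate that runs
// before any non-essential cookie is set. CONSENT_COOKIE, ANALYTICS_SRC and the
// lightbox markup are hypothetical names chosen for illustration.
const CONSENT_COOKIE = 'cookie_consent';          // assumption: consent cookie name
const CONSENT_VALUE = 'yes';
const ANALYTICS_SRC = '/js/analytics-loader.js';  // assumption: stand-in for your analytics snippet

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
// Only cookies readable by script are present; HttpOnly cookies never appear here.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of (cookieString || '').split(';')) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf('=');                  // first '=' only: values may contain '='
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    cookies.set(name, value);
  }
  return cookies;
}

// True only when the consent cookie is present with the exact expected value.
function hasConsent(cookieString) {
  return parseCookies(cookieString).get(CONSENT_COOKIE) === CONSENT_VALUE;
}

// Build the string assigned to document.cookie when the user clicks Yes.
// Secure is added on HTTPS so the consent flag is never sent in clear text.
function consentCookieString(days, isHttps) {
  const expires = new Date(Date.now() + days * 86400000).toUTCString();
  let s = CONSENT_COOKIE + '=' + CONSENT_VALUE +
    '; Expires=' + expires + '; Path=/; SameSite=Lax';
  if (isHttps) s += '; Secure';
  return s;
}

// Page-load decision: load analytics (consent already given) or show the lightbox.
function decideAction(cookieString) {
  return hasConsent(cookieString) ? 'load-analytics' : 'show-lightbox';
}

// Browser glue below: only runs when a DOM exists, so the functions above stay testable offline.
function loadAnalytics() {
  const s = document.createElement('script');
  s.src = ANALYTICS_SRC;
  s.async = true;
  document.head.appendChild(s);
}

function showLightbox() {
  const overlay = document.createElement('div');
  overlay.setAttribute('style',
    'position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,.6);z-index:9999');
  const panel = document.createElement('div');
  panel.setAttribute('style', 'background:#fff;margin:10% auto;padding:1em;width:30em');
  panel.appendChild(document.createTextNode(
    'In order to use our site the following cookies will be placed on your machine. ' +
    'If you object to the use of these cookies you will not be able to use our site.'));
  const yes = document.createElement('button');
  yes.textContent = 'Yes';
  yes.onclick = function () {
    // The consent cookie is the first cookie we set, and only on an explicit click.
    document.cookie = consentCookieString(365, location.protocol === 'https:');
    location.reload();  // server-side cookie generation now runs with consent in place
  };
  const no = document.createElement('button');
  no.textContent = 'No';
  no.onclick = function () { /* deny-access scenario: the overlay stays in place */ };
  panel.appendChild(yes);
  panel.appendChild(no);
  overlay.appendChild(panel);
  document.body.appendChild(overlay);
}

if (typeof document !== 'undefined') {
  if (decideAction(document.cookie) === 'load-analytics') loadAnalytics();
  else showLightbox();
}
```

The pure functions (parseCookies, hasConsent, decideAction, consentCookieString) take the cookie string as a parameter so they can be exercised outside a browser; only the last block touches the DOM. The consent cookie is written only when the user clicks Yes, which is the whole point of the exercise: nothing else should have set a cookie before that click.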

Terms and Conditions/Privacy
Don't forget that, if you haven't already done so, you will also need to update your website's Terms and Conditions/Privacy pages to reflect the above.

Conclusion
I understand what the new cookie laws are trying to achieve, however I believe the approach taken hasn't accounted for the many software packages and platforms that will need to change, and that could cost dearly. There are also the smaller ecommerce sites that make do with out-of-the-box packages, where the owners have no knowledge of how they work, just that they have been installed and that they run their businesses off them. And there are countless blogs out there with analytics and various bits of functionality that their users probably have no idea are using cookies.

I hope this article has proved useful. I am sure, as I have already seen on various sites, that I may have opened myself up to flaming in the comments section. If you have interpreted things differently, please share your knowledge; the sharing of ideas is part of how we learn, right?