Monday, 28 May 2012
The EU cookie law, what a mess..

If you haven't already noticed, the EU cookie law became mandatory in the UK over the weekend.

However it's left a terrible taste in the mouths of several website owners when the ICO (Information Commissioner's Office) at the last minute stated that it was OK to use "Implied Consent" as opposed to explicit consent before placing cookies on the user's machine. While thousands of website owners will rejoice, those that had committed the resources to meet the explicit cookie consent requirement are probably fuming.

Implied consent is effectively placing the onus back on the user by telling them that by using your site a cookie will or has already been placed onto their machine. If they are unhappy about this, they can remove it themselves, or they can just continue using your site as usual. As a large majority of sites have been informing users about the placing of cookies on their machines in their privacy policy for years you can't help but feel that it has somewhat lost its bite and makes a mockery of the whole situation.

What is interesting is there appears to be an attitude among some companies to sit back and see who gets sued first before taking any action. You can certainly understand their reaction when a large number of government websites are themselves not compliant and, this morning, appear to be following the implied consent route by placing cookies on your machine and displaying a small message at the bottom of the page about their cookie policy.


You can't help but feel that when the government came to overhauling their websites to try and meet the explicit cookie consent requirement, someone said "Hang on a minute, we have X hundred sites and we're going to have to recode how all of them handle cookies in one year!". I also couldn't help but wonder whether developers looking at the issue discovered that certain server technologies they were using just couldn't be changed to handle the new cookie law requirement. The issue probably fell heavily on the ICO's shoulders; you can almost picture that meeting taking place. How on earth could they enforce a law the government itself was not even abiding by?

How are websites implementing the cookie law this morning?

No 10 Downing Street -

No 10's website (you guessed it) has gone for "Implied Consent". I get 4 cookies placed onto my machine. You'll be forgiven if you missed the information about cookies; I've highlighted it for you below.

Amazon placed 9 cookies onto my machine as soon as I visited the website with an anonymous browser. They also appear to have gone with implied consent; scroll right to the bottom of the page and you will see the words "Cookies & Internet Advertising" in the footer.

Lloyds TSB -

Lloyds TSB have a small message at the top of their site that links to their cookie policy.



Visiting several European websites, I found many of them also followed the implied consent pattern. The information about what cookies they placed on your machine was usually buried inside their privacy policy.

While it has been stated that Britain is out of step with EU law because of the use of "Implied Consent", which could lead to fights in the European courts, you can't help but feel the law really doesn't hold much water if the rest of Europe appears to be following the same approach. Perhaps someone somewhere responsible for the law realised what a massive mistake it was, and hopefully it will slowly be forgotten as yet another mistake. You only have to look at the European Union's own website, which also uses "Implied Consent" with some details in its "Legal notice", to realise that not much will probably happen as long as you explain about your cookie policy in your privacy policy.

Report those offending cookies

The ICO has also created a page to allow members of the public to report their concerns about the use of cookies. Personally I really can't see too many people using it if they were not aware of what cookies were to begin with. I would guess it is targeted more towards technically minded people; however, these types of people are more likely to just delete the offending cookie from their browser than to think anything more of it.

Fighting Crime

The ICO also states on its website that "...the intention behind this Regulation is also to reflect concerns about the use of covert surveillance mechanisms online." It goes on to explain about the use of spyware and "...such activities often have a criminal purpose behind them.". While I appreciate the intention of the law to fight crime, I don't believe a criminal enterprise is going to stop using cookies in this way because it is illegal to do so. However when a criminal is charged with this very offense I presume I will stand corrected.

I await to see what will happen in the coming months, if anything happens at all..

posted on Monday, 28 May 2012 10:30:57 (GMT Standard Time, UTC+00:00)

Thursday, 24 May 2012
Are hasty responses to customer emails harming your business?

We all know how important it is for companies to respond to customer queries. A customer with a complaint can soon become a company's worst nightmare when they begin to vent their frustrations using social media such as Twitter and Facebook. Many companies recognise this and employ teams of people to respond to emails. To assist these people, many of them are equipped with standard responses to queries, i.e.

  • "Our opening times are between x and y"
  • "To place an item in your basket select a size first and click the yellow add to basket button."
  • "To place a return log into your account and click on the "return items" button."

The last one in that list is a good example of an issue my wife once had with a website where she was trying to return an item. She informed the company that when she clicked on the "return items" link that the site gave her an error. She also copied down the error for the company to help them fix the issue.

The response she got, you guessed it!

"To place a return log into your account and click on the "return items" button."

The customer support team were either working on auto pilot and just saw the word "return" and nothing else, not bothering to read the rest of the email, or they had some sort of automated system in place for responding to emails, because when my wife responded and told them they didn't reply to her email she got the same response again. It was only after several attempts that it appeared human sense kicked in and someone in the company acknowledged something was wrong.

I have had several cases myself when asking web based organisations questions. I have even gone to great lengths to stress that "I am NOT referring to X, I am referring to Y". It seems as though, if there is not a predetermined script for an error on the site or for something that doesn't fit into how the company works, someone somewhere just chooses the closest response.

I am starting to see a trend here where people are beginning to vent their frustrations on Twitter about this very issue. I am wondering if it's become almost as big an issue as the outsourced call centre where the operator working off a script does not understand the problem the customer is having.

posted on Thursday, 24 May 2012 10:00:33 (GMT Standard Time, UTC+00:00)

Thursday, 03 May 2012
The EU Cookie Law and your website

You've probably ended up here doing a Google search and there are hundreds of websites tagging onto the "EU cookie law" that comes into effect on the 26th May 2012.

Firstly, there are a lot of sites offering solutions and consultancy around the issue. If you are a developer who just wants to get down to the nitty-gritty with all the cool free tools that are available on the Internet then please continue. Secondly, the wording I have used and the various interpretations are my own. I strongly encourage you to read the ICO guidelines before implementing them and would also add that you use any of the wording or ideas I have put down here at your own risk. If you are a large organisation I would refer to your legal department first for their interpretation of the law.

Right, everyone is talking about doing a cookie survey and a lot of organisations will offer to do one for you. The truth is, this isn't a hard task at all; it just takes a little time. All you need to do is make a list of all the pages on your site and all the actions you would go through on your site. Then get yourself a copy of:

  • Firefox (if you don't already have it, all web developers should have a copy)
  • Firebug (just about every web developer I know has this installed)
  • Firecookie (it's an add-on for Firebug that tells you about cookies)

Now there are plenty of other tools out there you can use. The ones above just happen to be my favourite.

What cookies do we have?
Right, fire up Firefox, enable Firebug and then Firecookie, then visit the website you want to do your cookie analysis on.


You should see something similar to the image above. As you can see we have 4 session cookies, and the cookies with the underscores on them are from Google Analytics. We'll worry about Google Analytics later; the next step is to find out if any of these cookies are still being used by your site. In many cases a lot of sites don't use the ASPSession cookie although this is enabled by default in IIS (if your site is hosted on IIS). If you know you are not using it (you may want to do some tests on a dev environment first), turn the ASPSession off using the following Microsoft TechNet article. So far in the above site I have eliminated 2 cookies from the equation.

The next step is to navigate the pages in your site (remember the list I mentioned above), use your contact forms and any other functionality in your site that may use a cookie. If you are using an ecommerce site, add items to your basket and monitor what cookies appear. Note these down as you make your way around your site.

After you have a list of all of the cookies on your site you need to list what their purpose is and work out if it's easier to carry out that functionality without a cookie. So for example, if you are storing the fact that a user has seen a message in a cookie and the user is logged into your site, you may want to make use of a server-side process to store this information against the user's profile, which would enable you to get rid of another surplus cookie. For example, when logging into a website a user is usually given a session cookie. The site checks this session cookie and may use it to look up details such as the user id, username and basket items against the database. You could use this very same session cookie to store the fact the user has clicked on a message by using a table which stores the user's preferences against their user id.
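The survey bookkeeping described above, as an added example that is not part of the original post: it merges Set-Cookie response headers noted per page into one row per cookie, marks session versus persistent, and lists cookies with no recorded purpose. The header values, page paths and purposes are constructed; cookies written by script (as Google Analytics' are) never appear in response headers and still have to be read from the browser's cookie panel.

```javascript
// Constructed sample: Set-Cookie response headers noted down while walking the site.
const observed = [
  { page: "/",           header: "ASPSESSIONIDQQBCDDTR=KLMNOPQR; path=/" },
  { page: "/",           header: "ASP.NET_SessionId=abc123; path=/; HttpOnly" },
  { page: "/basket/add", header: "basket=42; expires=Tue, 28 May 2013 10:00:00 GMT; path=/" },
  { page: "/contact",    header: "seenNotice=1; Max-Age=31536000; path=/" },
  { page: "/contact",    header: "ASP.NET_SessionId=abc123; path=/; HttpOnly" },
];

// Purposes written down so far (hypothetical entries).
const purposes = new Map([
  ["ASP.NET_SessionId", "login session"],
  ["basket", "remembers basket contents"],
]);

// Split one Set-Cookie header into its name and whether it outlives the session.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  let name = eq < 0 ? pair : pair.slice(0, eq);
  // Classic ASP appends a random suffix to the cookie name; group them as one.
  if (/^ASPSESSIONID[A-Z]+$/.test(name)) name = "ASPSESSIONID*";
  const persistent = attrs.some(a => /^(expires|max-age)\s*=/i.test(a));
  return { name, persistent };
}

// Merge the observations into one row per cookie, remembering where it was seen.
function buildInventory(rows, known) {
  const byName = new Map();
  for (const { page, header } of rows) {
    const { name, persistent } = parseSetCookie(header);
    const entry = byName.get(name) ||
      { name, persistent, pages: [], purpose: known.has(name) ? known.get(name) : null };
    entry.persistent = entry.persistent || persistent;
    if (!entry.pages.includes(page)) entry.pages.push(page);
    byName.set(name, entry);
  }
  return [...byName.values()];
}

// Cookies with no recorded purpose: candidates for removal or investigation.
function unexplained(inventory) {
  return inventory.filter(c => c.purpose === null).map(c => c.name);
}
```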

These are all the cookies we need
After we have made sure we have gotten rid of the cookies that are surplus to our requirements, the next step is messaging to the user about the cookies we want to keep. The Information Commissioner's Office appears to be clear on one fact and that is "obtaining consent" before placing a cookie on a user's machine.

What does obtaining consent mean to us?
It basically means that before placing any cookie onto a user's machine you have to ask them if this is OK. There appear to be various caveats here, for example if the cookie being placed on the user's machine is essential for them to receive a service or functionality they are asking from you. From what I can understand you are fine placing this cookie onto their machine as long as you inform them you are doing so. Here are some examples:

Ecommerce site adding item to my basket for the first time
If this is the first time a user adds a product to their basket, you could use the following message

"In order to add this item to your basket we need to store the following cookie on your machine" Yes/No

If the user consents to this action you do not need to ask the user again as you have now gained consent. You may also need to gain consent for the very fact you may store a consent cookie on the user's machine (yes it does get rather silly).

"In order to register the fact you have given consent to store this cookie on your machine we need to store another cookie on your machine" Yes/No

However I don't think you will be dragged over hot coals if you don't. Additionally, because the cookie is essential to the working of your site, I have heard from some people that they believe giving notification for this action should not be needed. As you can see the law is quite open for interpretation; I suppose it depends on just how cautious you are being.

Logging into a secure site
If a user logs into a website for the first time you could use the following message placed by the login button with a tick box they have to tick before logging in.

"In order to log into this website you agree to receive what is called a session cookie on your machine"

or without a tick box.

"In order to log into this website you agree to accept the following cookies .."

This option is going to cause a lot of pain and a lot of websites are going to lose out if they use cookie based analytics packages such as Google Analytics. As far as I can tell there is no other way around this but to actually present a nice big dialogue box to the user with one of the following messages.

"This site uses Google Analytics in order to monitor its performance and for us to make improvements to our site. It does not store personally identifiable data about you. Can we place a cookie on your machine to enable this functionality?" Yes/No

According to some results I have seen, the above usually leads to a black hole in analytics data. The following text may work better, but may prove controversial depending on the organisation.

Deny Access/Catch All Scenario (Controversial)
The following text may prove controversial and I have no way of knowing how it will impact the business of a site. Although if enough large sites do it, it may be something users become used to.

"In order to use our site the following cookies will be placed on your machine. If you object to the use of these cookies you will not be able to use our site" Yes/No

Under the message, all cookies the site uses are listed with the purpose they are being used for. This is probably the easiest solution to implement and the wording can be altered to reflect that. The dialogue box is shown to anyone who does not have a "consent" cookie on their machine. Implementing the above solution, though, could be a problem depending on how cookie generation works on your server platform. You could implement it in various ways; here are a few examples.

Before your site places any cookies on a user's machine you:

  • Check for the consent cookie on the user's machine. If the consent cookie does not exist you redirect the user to a page containing your above message.
  • Check for a consent cookie. If it is missing you activate code to display a light box on the page with your above message. Clicking OK reloads the page, calling your cookie generation functions to place cookies on the user's machine. I favour this option as the user can see your site behind the light box and know they are just a click away from getting to it.

Master Pages

  • If your site makes use of master pages you most probably have the Google Analytics activation code sitting here. It should be a simple process of placing this code inside a placeholder that is not activated until a consent cookie is detected.
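One way to implement the consent check described above, as an added example that is not part of the original post: nothing is released before a `consent=yes` cookie arrives, and the analytics placeholder stays empty until then. The cookie value, one-year lifetime, script path and function names are assumptions.

```javascript
// Added example; the cookie name/value and script path are assumptions.
const CONSENT_COOKIE = "consent";
const ANALYTICS_SNIPPET = '<script src="/js/analytics.js"></script>'; // hypothetical

// Parse a request Cookie header ("a=1; b=2") into a prototype-free object.
function parseCookieHeader(header) {
  const jar = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // skip malformed pairs
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Consent counts only when the consent cookie itself carries "yes".
function hasConsent(cookieHeader) {
  return parseCookieHeader(cookieHeader)[CONSENT_COOKIE] === "yes";
}

// Decide what this response may do. `wanted` holds the Set-Cookie values the
// page would normally emit; none are released before consent.
function planResponse(cookieHeader, wanted) {
  const ok = hasConsent(cookieHeader);
  return { showDialog: !ok, setCookies: ok ? wanted.slice() : [], analytics: ok };
}

// Handle the dialog's Yes/No answer: only "yes" stores the consent cookie and
// triggers the reload that lets the normal cookie code run.
function answerDialog(answer) {
  if (answer !== "yes") return { setCookies: [], reload: false };
  return { setCookies: [CONSENT_COOKIE + "=yes; Max-Age=31536000; Path=/"], reload: true };
}

// Master-page stand-in: the analytics placeholder stays empty without consent.
function renderPage(plan, body) {
  const dialog = plan.showDialog ? '<div id="cookie-consent">Yes / No</div>' : "";
  return "<body>" + dialog + body + (plan.analytics ? ANALYTICS_SNIPPET : "") + "</body>";
}
```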

Terms and Conditions/Privacy
Don't forget you will also, if you haven't already done so, need to update your website's Terms and Conditions/Privacy pages to reflect the above.

I understand what the new Cookie Laws are trying to achieve; however, I believe the approach they have taken hasn't taken into account the many software packages and platforms that will need to change and could cost dearly. There are also the smaller ecommerce sites that make do with out-of-the-box packages where the owners of these sites have no knowledge of how they work, just that they have been installed and they run their businesses off them. There are also countless blogs out there with analytics and various bits of functionality their users probably have no idea are using cookies.

I hope this article has proved useful, and I am sure as I have seen already on various sites that I may have opened myself up to flaming from people in the comments section. If you have interpreted things differently, please share your knowledge, the sharing of ideas is part of how we learn right?

posted on Thursday, 03 May 2012 21:47:06 (GMT Standard Time, UTC+00:00)