I’ve just come into work on a beautiful sunny Saturday morning to remove a few more cookies from some clients’ websites inline with the new EU law coming into force this weekend – just to read that they’ve changed the rules at the 11th hour!
According to the Guardian, they updated the rules on Thursday and published them yesterday. I noted in my blog post yesterday about how we updated our website for the cookie law that they’d removed the PDF guidelines I’d emailed to all of our clients last week and not left so much as a redirect in it’s place.
And now, the crux of the issue is that you can assume “implied consent”. The BBC are leading the way on this by putting a big strip along the top of their page saying, basically ‘we use cookies unless you tell us otherwise’. Which isn’t / wasn’t actually inline with the law, which stated you had to specifically get people opt-in BEFORE planting any cookies on their computer. The BBC let you opt-out – the law was to make people opt-in or face a £50,000 fine.
I explained yesterday how this was an issue for anyone with a CodeIgniter website that has user accounts as a cookie is placed as soon as you visit the site. So there’s no chance of asking someone before they get to your site – unless you take them to a rubbish little holding page first. There’s also the irony of needing extra cookies to remember people’s preferences on cookies!
Now on the BBC, they tell you they use cookies, and they give you the option to choose which cookies they use.
Very interestingly – they have a section for “necessary” cookies, which you can’t opt out of. Like our CodeIgniter one. But whereas we have 1, they have quite a few, including BBC-UID which allows “log analysis to determine the number of unique users”. Their own stats package basically, which so many people argued they couldn’t live without when the law meant potentially not using Google Analytics.
Under the guidelines as they stood before yesterday, the BBC would have had to have each visitor actively allow it to use these necessary cookies. So a lot of the web shouted that the law was practically unenforceable. And the Government caved.
At least it means Google Analytics won’t completely go out of business… Rather than us have to ask people if we’re OK to use it – and let’s face it who’s going to bother to say “yes”? – we can just use it and then ask people if they’d like to opt out. We can then – as we’ve got the skill base inhouse – go down the BBC route of asking people if they’d like to opt out and if so, we just remove GA from the rest of their visit. And members of the public who don’t want to pay a developer to add any cookie cleverness to their site can simple tell people “we use cookies – if you don’t like it, you can leave”. Obviously they’re not going to want people to leave, but at the moment I don’t think the great British public care enough to think about it much!
It supposedly does also still mean though that you have to make cookie information clear – rather than just a little grey “privacy” link in your footer.
The websites I’ve come in to update today use the Facebook share icon, which plants a whole load of cookies on a user’s computer. But now, if we’re going with “implied consent”, then if you’re logged into Facebook you’ve given your consent to use Facebook. But there are a few cookies placed even when you’re not logged in, so I guess the sites still need updating to say “we use cookies – if that’s not OK, you’ll have to mosie on”.
The UK have had longer to conform than the rest of Europe which I assumed meant we were behind the times with conforming, but the Guardian claim that many were worried that if the law was enforced in the UK then we’d have a disadvantage over European websites where the rule is largely ignored. And there was me thinking we’d just lose out to the whole of the US and the rest of the world!
So I’m not surprised that the law has been eased, and I think the law as it stood was crippling to UK businesses. But I wish they’d sorted it out before now!