
All you need to know about the stupid cookie law

31st May 2012

If you thought the cookie law was going to stop anonymous marketeers tracking you on the W3, you were wrong. It could have been a good piece of legislation, perhaps even the end of online tracking. Unfortunately, though, the ICO has decided to enforce the law in a way that will only encourage this dodgy practice.

Revising the regulations governing cookies was a good idea in itself. The old rules, which basically said people should be given the option to opt out of cookies being stored on their computer (or whatever other device they use to surf the net), were never taken seriously and certainly didn't prevent behavioural advertising from spreading like a cancer. The latter in particular was a concern for lawmakers. As anyone who uses browser extensions such as Ghostery and NoScript knows, just about every major website shares data about which web pages you're looking at with secretive third parties. (These third parties then use this information to target you with what their systems think are personalised advertisements. This is supposed to enhance your browsing experience.)

The new regulations acknowledge that some cookies are okay. Cookies that make it possible to shop online or access a web-based e-mail account, for instance, are clearly useful and have now been pardoned. At the same time the rules for cookies that aren't strictly necessary have been tightened. Websites can now only store such cookies – third-party tracking cookies above all – on your computer if you give your consent.

So why is it a stupid law?

In a word (or, well, initialism): ICO. When the cookie law came into force, on 26 May 2011, the ICO announced that websites would have a year to work towards compliance. In its guidance the ICO suggested websites would need to get people's explicit consent for the use of any type of cookie, with the possible exception of cookies used purely to make a website work. This was a poor decision. It was bound to result in a draconian 'all or nothing' approach whereby people are either forced to accept all cookies – the good and the bad – or none.

Rather than offering people an 'all or nothing' option, websites could have been required to gain people's consent only for third-party cookies. It really is only these cookies that are a pest; all other cookies are either extremely useful or harmless. Asking people whether a cookie may be set to remember their name on a comment form after they've left a comment, for example, is just silly. Asking people's consent to being tracked is a decent thing to do. It ain't rocket science, innit?

It wasn't to be. Shortly before the one-year grace period ended the ICO did revise its guidance, but only to rule that explicit consent is no longer needed; implied consent will do. In practice, this means a website is compliant with the cookie law if it warns people that cookies are being used and provides a link to a privacy / cookies statement. I don't think this is what the lawmakers had in mind. Or maybe they did; politicians and marketeers are becoming almost indistinguishable.

Give 'm a 301!

To illustrate how stupid the cookie law has become, here's a screen dump from the ICO website:

A screen dump of the ICO website. The requested page can't be displayed.
The ICO's implementation of its cookie law…

When you enter the ICO website you're presented with a message about cookies, a link to the ICO's privacy notice and a tick box with the text 'I accept cookies from this site'. If you don't tick that box you can't view any other pages on the site. Curiously, when you fail to tick the box and click on an internal link the ICO doesn't simply show a message explaining that you first have to tick its stupid tick box. Instead, it answers with an HTTP 301. (A 301 is a 'Moved Permanently' redirect, not an error in itself; the error page you end up with is the browser giving up on the redirects once they stop going anywhere.) Luckily, Iceweasel (a Firefox clone – long story) grasped what was going on and suggested the problem may be linked to cookies being disabled.

Apparently, this is how the ICO reckons the cookie law should be implemented: unless you accept all cookies from a site you shouldn't be able to access its content. Had the ICO website – which is a Government website – shared data with third-party trackers (which it doesn't), you wouldn't have been able to read its cookies guidance for members of the public unless you had agreed a priori to be tracked.

I might note that the ICO's cookies policy clashes with my own cookies policy. I've told my browser to disable all cookies by default and manually add exceptions for sites that use cookies necessary for the functioning of the site. Just about every browser under the sun gives users this option, and it's the sort of approach the ICO ought to be encouraging. Sadly, the ICO doesn't. Even after making an exception for the domain 'ico.gov.uk' the 'error 301' crops up. (Ticking the box sets a cookie named 'ICOCookiesAccepted' with the value 'True'; only if this cookie exists can you continue to access the site's content. The cookie is the only thing the gate checks, so a browser that refuses to store it is locked out no matter how many times you tick the box.)

The ICO's implementation of its own guidance is the worst possible. It sets a disturbing precedent: unless you explicitly agree to a website's policies you are not allowed to access its content. This has nothing to do with giving people control over how cookies are used or with protecting their privacy. The exact opposite is true: it forces people to give third-party trackers carte blanche.

Unsurprisingly, I haven't come across any other websites implementing the cookie law in such an ignorant way. It seems websites either ignore the cookie law or simply state that they'll assume you agree to the site's cookies policy if you continue to use it. I don't think the latter is an ideal implementation of the regulations but it's a little more workable (in my case, I let them assume what they like while my browser blocks the cookies).

The moral…

Thanks to browser extensions such as Ghostery and (if you're part of the Firefox family) NoScript you don't have to care about the ICO's effort to promote tracking. The choice doesn't have to be between being tracked or not being allowed to view web pages. Anti-tracking add-ons make it possible to do both. Add an ad-blocker (maybe one that also gets rid of Facebook and Twitter buttons) and you've got the world wide wonderweb back.

Last updated: 31st May 2012