
Wednesday, 11 May 2011

Why the ICO's new cookie directive is nonsense

As of the 26th May 2011 the law which applies to how you use cookies is changing and quite dramatically too as directed by the ICO. You are now being (asked / advised / ordered) to request your users' permission before storing any "non-essential" cookies on their machine. The given example of an "essential" cookie is one which remembers what is in their shopping cart. So, my thoughts follow.

Chances are you’re here because you heard about the changes to the rules on using cookies and similar technologies for storing information and are now trawling through Google trying to find the second part of the directive saying, "Just kidding!!!!1! lolllzzzzzzzzz, luv ICO xx" but getting progressively concerned as you can't find it anywhere.

I'm also guessing that you can't quite believe what you are hearing. Cookies? The cookies that have been around since the early 90s? The ones that have evolved over almost 20 years? The ones that are now integral to your users' experience, your analytics, your business intelligence and possibly tracking click-throughs necessary for your revenue? Yes, those things. Oh, PS: you have about a week to change how you use them.

Development cycle

Does the ICO have any idea how development cycles work? You can't expect every website available in the EU to suddenly change something as integral as cookies that quickly whilst putting all other development work on hold. Also, since this will be such a degradation of user experience there will surely be a "well, you first" effect where no one will comply until their competitors also comply.

Example of why this isn't fair

Website1 has a link promoting Website2. Website2 sells several products. Website2 has promised that if a user who was referred from Website1 purchases a product it will give a proportion of its revenue to Website1.

This system could be implemented by checking the user's referrer on entry to Website2 and then storing it in a cookie. After clicking around the site, a user purchases a product, and the cookie is checked to see that they came from Website1 to determine whether or not to share revenue for that purchase.

In this example you can see how the use of this cookie is fundamental to the monetisation of Website1 and the relationship => traffic => monetisation of Website2. You can also see how that cookie is of absolutely no interest to the user and therefore "non-essential". So, when asked, would that user accept that cookie? Probably not.
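The referral flow described above, as an added sketch that is not code from the original post: Website2 records the referring affiliate in a cookie on entry and reads it back at purchase. The cookie name, key and affiliate host are hypothetical, and the HMAC tag is an addition of this sketch so that a visitor cannot hand-edit the attribution value.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Assumptions for this sketch: cookie name, key and affiliate hosts are
# hypothetical; a real key would come from a secret store, not source code.
COOKIE_NAME = "aff"
SECRET_KEY = b"constructed-demo-key"
AFFILIATE_HOSTS = {"website1.example"}


def _sign(value: str) -> str:
    """HMAC-SHA256 tag binding the cookie value to the server's key."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def attribution_cookie(referer_header):
    """On entry to Website2: build a Set-Cookie value, or None if the
    Referer does not name a known affiliate."""
    host = urlparse(referer_header or "").hostname
    if host not in AFFILIATE_HOSTS:
        return None
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{host}.{_sign(host)}"
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["httponly"] = True  # not readable from page script
    cookie[COOKIE_NAME]["secure"] = True    # only sent over HTTPS
    return cookie[COOKIE_NAME].OutputString()


def affiliate_for_purchase(cookie_header):
    """At checkout: return the affiliate host to credit, or None if the
    cookie is missing, names an unknown host, or fails verification."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    if COOKIE_NAME not in cookie:
        return None
    host, _, tag = cookie[COOKIE_NAME].value.rpartition(".")
    if host in AFFILIATE_HOSTS and hmac.compare_digest(
        tag.encode(), _sign(host).encode()
    ):
        return host
    return None
```

The tag only shows that Website2 issued the cookie; the Referer header it was derived from is supplied by the browser and is not proof that the click was genuine.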

Hypocrisy

So it hasn't come into effect yet, sure, but even still wouldn't you lead by example if you thought it was such a great idea? Find out by visiting the ICO homepage and viewing your cookies. Looks like analytics cookies tracking my behaviour to me. Update: almost a year later they have updated their site to not send cookies without asking first. Wonder how happy their analysts are with the lack of traffic statistics? Regardless I should concede this point.

Communication

Can you seriously change the law that significantly with such poor communication? I only found out about this through word of mouth (i.e. Twitter) and then reading the "guidance" made me surprised to discover developers are now expected to be law graduates. I was expecting to read a clear directive, not a rambling 10-page PDF of legal speak.

You can't stop tracking of information

Developers are skilled in the art of workarounds. We'll find a way of storing information about users regardless of this directive. For example if we're allowed a session cookie, we'll use that cookie to reference a plethora of information about the user in a database. Oh look, workaround is already there. So what are you achieving now other than making my DBA less happy?

Conclusion

If this is actually taken seriously you can get used to clicking a lot more often as websites ask you if you'd like to allow cookies or not. Possibly, as some websites suffer from losing money streams from both essential tracking and poor user experience, they may struggle to exist.

That or we will all be arrested (including the ICO).


3 comments:

  1. Authentication cookies are classed as low priority because they don't divulge personal information. We've told our customers that as we only use cookies for authentication we're not high priority and may be able to just ignore this farce. It's good it's been deferred for a year though http://www.bbc.co.uk/news/technology-13541250

  2. Governments sticking their collective EU noses where they are not required and this will only be another nail in the legislative coffin that is endeavouring to remove all profit from business and place in the hands of fat cats in Brussels - come the revolution brother ...

  3. In your example of the affiliate site that gets a cut of purchase by users who follow a link to another site, as it is you're right, consumers would normally have no interest in consenting to a cookie. Although computer users generally click whatever they think will make annoying dialogue boxes go away without thinking much about what it means, so if you make it easier to say "yes" than "no", probably most people will say yes.

    If you don't do that sort of thing, you could probably get consent by offering a discount or a free gift with purchases. You'd have to give users something to give up a little bit of their privacy, even though all they're giving up is the information about what website they came to you from.
