PECR, cookies and you
"YAWN!" Amiright? Bear with me, this is important. The EU has recently changed the law regarding the saving of cookies on users' computers by websites. Until recently it was believe the new law was ridiculous, vague, impossible to implement and so expected to change in line with reality. The ICO "is the UK's independent authority set up to uphold information rights" and the enforcers of this new EU directive. However after some speculation the Information Commissioner's Office put doubt to rest by releasing its official advice on the subject which in no way helped the lines of reality and law converge. The trouble is that by May 26th 2011 the entire web development community in and out of the EU is going to have to rethink its use of cookies.
[UPDATE: Using this blog post as a partial basis for further investigation, Torchbox have posted their thoughts and a practical 'what you can do' on the situation here http://bit.ly/eu-cookies-law]
"Whats the big deal?"
The deal is that the new law changes a key line in the Privacy and Electronic Communications Regulations. It used to state that cookies could only be stored on a user's machine if the user was able to turn them off and if you explained somewhere on your site what the cookies did. In the new version, you're only allowed to store the cookie if the user has provided consent. This comes into force on May 26th 2011.
"Right, so?"
"Consent" is required before any cookie is set. Cookies are used for trivial things like setting your favorite Powerpuff girl background image when you return to the site, but they're also used for important things like keeping you logged in and your personal details private, or tracking your activity so the site owner can improve the site. Cookies can also be used by third parties to track information about you and spam you with adverts. Sometimes those third parties might even sell that information to other people, to push adverts at you harder.
"I don't want adverts, it sounds like consent is a good thing"
Unwanted adverts are bad, no doubt about that, but cookies are only misused in a minority of cases by a small subset of bad people. While the EU directive is almost certainly trying to target these bad people, its clauses are vague and in the interpretation of the ICO, in charge of enacting the law, all cookies are being tarred with the same brush.
"What does this mean to me, your average web user?"
Cookies are set and used by literally every second, if not every single website you use. This directive only affects sites in the EU, but thats still a hell of a lot. To comply with this ruling by May 26th 2011, every website in the EU is required to ask you for your consent to store each cookie it needs. Given how many sites use them, you're going to be on the receiving end of a lot more tedious Terms and Conditions, questions and confirmations in future.
That "tracking of activity" I mentioned before is actually vitally important to the websites themselves. Tracking in this case is what the web development community knows as "Analytics" and is one the cornerstones of the trade. It records the pages you visit and the buttons you click but in an anonymous way so you, personally, are lost amongst all the other users. Nothing invasive about you is ever recorded and you can never be identified personally. The site knows what pages you visited, which you could argue is more than you'd want it to know, but its no worse than your bank knowing your recent payments, or any shop knowing your card recently purchased a Ginster's pasty.
More practically this analytics helps improve the sites which use it. It tells the owners what is popular, where things are going wrong, what parts of the site are hard to use or need simplifying. By requiring users to give consent before this information is recorded there's likely to be a drop-off in the number of users who allow it and where does this leave the site's owners? In the dark, with no/less data on which to improve the site and make your lives easier.
"What do the web designers need to do?"
For starters, sites using Google Analytics will have to ask visitors if they can store Analytics cookies. This is going to require some really careful wording if sites want to keep the information flowing. Bear in mind that the new law effects all cookie use, not just analytics-related ones. The work involved is going to cost clients/sites quite a lot of money on the whole. Its a considerable dent in the collective budgets of EU industry. The one thing I haven't touched upon in this article are the changes required to non-analytics cookies, which developers will need to address too. From my personal perspective they are less of a problem: its relatively easy to modify your own website's code, but the analytics systems are all third-party - we don't have much ability to change those.
For the time being however, much of the problem with this new law is caused by the ICO's "advice" on the matter which reads a lot like they don't quite understand what the EU are asking for. The directive itself isn't clear, but the ICO's advice only muddies the waters further. Developers really need to keep an eye on the ICO site as they state in their documents that their advice is a "Work in progress" and is known to "[not] yet provide all the answers". Indeed, as I hope this article illustrates, the ICO's advice is impractical and badly needs a rethink.
I'm going to be contacting the ICO in the next couple of days to get some clarity on these issues and Torchbox will be posted guidelines on their blog too. In the meantime if you fancy trying to decypher the conflicting advice of the ICO, you'll want to read their Practical Application document.