Thursday, 12 April 2012

Get your cookies while they're red hot

The European Union told us last year that we needed to get explicit permission to set a cookie in a visitor's browser. The old technique of having a 'we use cookies and this is how you disable them' message on a privacy page was no longer enough and, after a year's grace, May 26th 2012 is the date. After this time the UK Information Commissioner's Office could be on your case if you (make that we) don't conform.

There's a nice developer feature in Chrome that makes it easy to see what cookies are set when you go to a site. Using this on the ATSF site shows that our hosting company sets a cookie and Google Analytics sets some cookies. I don't program any cookies into the site directly.

Despite the year's grace period, the situation is still potentially complex. A couple of useful places to go for more information are a PDF on the web site of the UK International Chamber of Commerce called the UK ICC Cookie Guide, and a piece on the ever useful Register site: A month to go on Cookie Law: Will Google Analytics get a free pass? which looks in more detail at the question of analytics cookies (with a lower-case A as well as an upper-case one).

One category of cookie needs no consent. As the guide says:
These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies, services you have asked for, like shopping baskets or e-billing, cannot be provided.
This is a Category 1 Strictly Necessary Cookie. These quotes, by the way, are suggested text with which you can inform your users about what is going on with cookies on your site.

The next category is the Performance Cookie.
These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don't collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.
The final two categories are Functionality Cookies, which track preferences, and Targeting/Advertising Cookies, which tailor advertising to your habits and often pass information between web sites.

The Register reporter managed to get a quote from the Information Commissioner's Office which suggests that they won't be losing too much sleep chasing unconsented performance cookies and will be providing more guidance on this sometime soon.

The ICO web site helps us see one tactic for dealing with all this (and has done for some time). When you first visit it, on any page, there will be a message, as below, across the top of the page:
The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our privacy notice.
With a check-box and a button. When you check the box and click the button the page reloads, the message is no longer there, and a cookie called 'ICOCookiesAccepted', with a year's lifetime, is set along with the four Google Analytics cookies. If you don't check the box and agree then every page you visit will have the message at the top.

The logic is as follows:
Check whether an AcceptCookies cookie is set. If it is not set then add the cookie form at the top of the page. If the cookie is set then don't add the form.

Accepting cookies using the form activates an 'invisible' page which records the referring page, sets the cookie and returns the visitor to the referring page.

For any web site with a cookie-tracked 'private' area, the cookie falls into category 1 and you don't need explicit permission. However, consider the case where there is a login form on every page ... just a small one at the top probably. A common approach for such a site is to open a session for each page and then check the session cookies and, if the user is already logged in, show slightly different content; even if that is just a 'Log Out' button. It is doubtful whether setting a cookie designed to manage a secure area is essential on non-secure pages or for non-secure visitors, so in future such pages will need to check for a 'private area' cookie before opening a session on such a page.
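The consent logic described above (show the form until an AcceptCookies cookie exists, set it from an 'invisible' accept page and send the visitor back) together with the 'don't open a session on a public page without a reason' point, as an added Python sketch that is not code from the original post or from the ICO site. The cookie name 'private_area', the form field 'accept' and the check that the referring page is on our own host are assumptions made for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

CONSENT_COOKIE = "AcceptCookies"      # name as described in the post
PRIVATE_AREA_COOKIE = "private_area"  # assumed name for the 'private area' cookie
ONE_YEAR = 365 * 24 * 60 * 60         # the ICO cookie has a year's lifetime

def parse_cookies(header):
    """Parse a Cookie request header into a plain dict (no header -> {})."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: m.value for name, m in jar.items()}

def consent_given(cookies):
    return cookies.get(CONSENT_COOKIE) == "1"

def build_page(cookie_header):
    """Decide what a non-secure page does, as (show_consent_form, start_session).

    The form is added only while AcceptCookies is absent. A session (and so a
    session cookie) is opened only if the visitor has consented or already
    carries the private-area cookie, so that a session cookie on a public page
    is never set without consent.
    """
    cookies = parse_cookies(cookie_header)
    show_form = not consent_given(cookies)
    start_session = consent_given(cookies) or PRIVATE_AREA_COOKIE in cookies
    return show_form, start_session

def handle_accept(form_fields, referer, site_host):
    """The 'invisible' accept page: set the consent cookie, send the visitor back.

    Returns (status, headers). If the box was not ticked no cookie is set, and
    the Referer is only used as a redirect target when it stays on site_host.
    """
    headers = []
    if form_fields.get("accept") == "on":
        jar = SimpleCookie()
        jar[CONSENT_COOKIE] = "1"
        jar[CONSENT_COOKIE]["max-age"] = ONE_YEAR
        jar[CONSENT_COOKIE]["path"] = "/"
        headers.append(("Set-Cookie", jar[CONSENT_COOKIE].OutputString()))
    target = referer if referer and urlparse(referer).netloc == site_host else "/"
    headers.append(("Location", target))
    return 303, headers
```

Note that the consent cookie itself is set only after the visitor has ticked the box, so it is a strictly necessary cookie in the sense of the guide.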

The Google Analytics cookie question is a bit more complex (and similarly for any cookie-based analytics system). If your visitors have to explicitly ask for such cookies to be set then they will be under-reported and the value of the analytics data is greatly reduced. (The ICO have admitted that only 10% of their visitors click this box.) Old fashioned web server logs will not be affected of course, and it would be interesting to see just how many, or how few, visitors do agree to cookies.

Your clients, particularly smaller ones, may not be aware of what is supposed to happen at the end of May. Now is the time to discuss this, even if the analytics cookie question is still a little open.