The stupid EU cookie law

In May 2011 a new law came into effect across the European Union that affects probably around 90% of all websites. The UK government has given UK website owners a year (so, until May 2012) to get up to speed with the legislation and do something about it. The law is to do with how cookies are used.

What is a cookie?

In Web-speak, a cookie is a simple text file that stores information about websites you’ve visited. Cookies can be used for lots of things: for the browser to remember that you are already logged into a website, to store items in a shopping cart on a commerce website, or to keep user preferences on another site.

My main browser (Google Chrome) reports that it has stored 3722 cookies from 1374 web domains.

A cookie for a particular site can only be written to and read by that website. So, Facebook cannot read cookies created by Google websites, and Google websites cannot read cookies created by Facebook.
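As an added illustration (not part of the original post), here is the domain-matching rule from RFC 6265 that browsers use to decide which stored cookies go with a request. The cookie names and the jar are constructed sample data, and the sketch deliberately ignores path, Secure, expiry and public-suffix checks.

```python
# Added illustration: RFC 6265 domain-matching, the rule a browser uses to
# decide which stored cookies accompany a request. All cookie names and
# hosts below are constructed sample data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # host that set the cookie, or its Domain attribute
    host_only: bool  # True when the site gave no Domain attribute


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a host name."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    if host == dom:
        return True
    # The "." in front of dom is what stops notgoogle.com matching google.com.
    return host.endswith("." + dom) and not is_ip(host)


def cookies_sent(jar, request_host):
    """Names of the cookies a browser would attach to a request for request_host."""
    sent = []
    for c in jar:
        if c.host_only:
            ok = request_host.lower() == c.domain.lower()
        else:
            ok = domain_match(request_host, c.domain)
        if ok:
            sent.append(c.name)
    return sent


JAR = [  # constructed sample jar
    Cookie("g_session", "google.com", host_only=False),
    Cookie("g_mail_pref", "mail.google.com", host_only=True),
    Cookie("fb_login", "facebook.com", host_only=False),
]
```

A cookie set with a Domain attribute is shared with that site's subdomains, while a host-only cookie goes back only to the exact host that set it.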

The worry is, however, that spyware software could potentially access these cookies—they are simple, easily read text files after all—and gain all sorts of information about you, such as browsing habits, personal details, etc. And it seems to be this that the legislation is aiming to address.

The issue

Over the next few months I’m going to have to get my head around this legislation, both for my own websites and for the University of St Andrews website. There have been some interesting and useful discussions about it on various JISC-run inter-university email discussion groups.

My main concern is that this doesn’t ruin the user experience. It’s going to be very, very annoying if you require to give consent to every single website before you can meaningfully use it. My fear is that it’s going to become the Web equivalent of the User Account Control (UAC) nightmare that Windows Vista introduced.

Update

Thursday 5 January

Last night’s post was a bit rushed. I didn’t expand it quite as much as I’d have liked but I was tired and I just wanted to get to bed!

Ironically, I kept waking up during the night thinking about it. At one point Jane was awake so I talked it through with her. She has to put up with that kind of thing from me all the time, poor girl!

Anyway, this morning I got three replies on Twitter:

  1. Surely new cookie guidelines are sensible? Happy to chat about this.
  2. The sad fact is, it puts EU based sites/companies at a disadvantage vs those in the rest of the world.
  3. In intent, sensible. In execution, I’m with @garethjms – stupid. Can only see negatives for UX.

And a couple of comments below (which I’ve only just approved). A nice balance of for and against. I look forward to getting my head around this and posting more about it, here and on my professional blogs.