Most of the time I am fairly much in favor of the EU. I’m an internationalist, and anything that gets up the noses of the jingoists at places like the Daily Mail and Daily Express has to be doing something good. Like most governments, however, it is often woefully ignorant when it comes to IT issues, and that means that it is prone to doing things that are monumentally stupid. Here is a case in point.
Last year the EU decided that cookies on websites were an unacceptable intrusion into citizens’ lives, and that all websites would have to gain consent from users before creating any cookies. The IT industry complained that doing this would require time, so they were given until May 26th this year to get their act together. Nevertheless, a KPMG survey published in April estimated that only 5% of major UK companies were compliant. The level of compliance is likely to be much lower amongst small businesses. Indeed, I suspect that vast numbers of small businesses, and private individuals who own websites, don’t even know that the law exists, and wouldn’t have a clue how to comply if they did.
What’s a cookie? Well, it is a piece of software that allows a website to store information in your browser and pass that information on, either from page to page on that site, to another website you visit, or simply back to itself next time you visit. It is a very useful tool. Yes, it can be used to install malware, or to harvest personal data, but sharp knives can be used to kill people and that doesn’t stop cooks using them on a daily basis.
To give you some idea of the problem, here are the different ways in which cookies are used on this website.
1. Google Analytics — this is a very useful piece of software that very many websites install to get an idea of where their visitors are coming from. Google is apparently negotiating with the EU, but as yet no statement has been issued.
2. Spam prevention — one of my main tools for preventing comment spam uses a cookie.
So now I have to give you the option as to whether any of these cookies will be created so that you can opt out if you wish. Ideally I should do that individually for each type of cookie, because you might approve of some and not of others. And I have to do that before you interact with the site, so that no cookies can possibly be generated without your consent. And I may have to do it each time you visit the site because the only way to remember from one visit to another whether you consent to cookie use or not is to create a cookie, and you might not want me to do that.
See the problem?
As is depressingly typical these days, the law is also very vague. It says that cookies are allowed if they are “essential” to the operation of the website, but what exactly does that mean? How essential does the cookie have to be? I can do without all of the above, it is just a total pain to have to do so.
Then there’s the scope. All of my websites are hosted in the US. The domains are registered in the US. But I’m a UK citizen living in the UK. Am I covered by the law? Probably, but I may not be. What about the bookstore? I don’t host that myself. It is part of the Shopify site. If it is covered by the law, then in all likelihood my LiveJournal account is too, and that has cookies all over it. What about my Twitter account? Or Facebook? The dividing line between a website that you own, and are responsible for, and one where you are simply a customer, is very blurred.
All of these things will doubtless be sorted out by test cases eventually, and hopefully common sense will prevail. However, I have no particular desire to be a test case (if you want to know why, see yesterday’s post on equality under the law). So I’m going to do my best to comply. This may result in various websites becoming rather annoying, for which I apologize in advance.