Dear ICO: This Is Why Web Developers Hate You

Dear ICO. On behalf of web developers everywhere, what the frolicking duck?

As the body responsible for policing the infamous Cookie Law in the UK, you don’t exactly have a popular job, to be fair.

A year ago you graciously granted us an extra year to comply with the law, announcing your decision just 24 hours before the law came into effect. Last week, 24 hours before the really-we-mean-it-this-time law took hold, you changed it completely.

Any web developer who actually tried to comply with the law in either case has been royally and totally screwed, for no reason other than your blithering incompetence. Thanks for that.

Curiously – and don’t think we haven’t noticed – a lot of big sites, like the BBC, Guardian, BT, Channel 4 etc. all revealed solutions which comply with your revised guidelines just prior to you announcing it. We assume you’ve enjoyed long and comfortable consultation periods with all of them, which you decided to share with us one sunny Friday morning a day before it becomes law. You know – the same lazy day everyone is making their solutions live.

Now you might say you’ve already spoken out publicly about what a light touch you’ve been aiming for, which is true. However anyone who’s been following the law for the past year can agree on one thing – no one had a bloody clue what they were meant to do. Not the Wall St Journal, or The Guardian, or WebTrends, or Adobe, or half-a-bazillion web devs. We’ve been floundering in a wind of ignorance while the one body with the responsibly to clarify anything sat on their collective asses and changed their mind last minute.

Look at your own implementation of the law (pictured) for instance. You rightly state others might improve upon this, but surely it occurred to you to hire a web developer who didn’t just drop out of kindergarten to design a solution that would be seen as the template for an industry? Surely you realise your own solution reflects the hard-edged ‘explicit opt in’ nightmare most web devs fear, not the light-touch ‘implied opt in’ you ultimately allowed everyone else to use?

Like many small businesses we’ve spent weeks researching and engineering a solution to the law (we even made ours open source). We know web agencies that spoke to hundreds of their clients, explained the painful but necessary changes, implemented and charged them who feel like setting fire to a flag with your logo on it right now.

Your job is to communicate and enforce this law. I don’t envy your task, but the subtle derision I suspect we share for it is no excuse for not doing your job properly.

P.S. Sort your website out. Spelling errors are rife, links are broken, images are missing. The laughable 10 page survey you point to uses an expired SSL certificate. The whole frickin’ UK web industry is looking at your site, and you’re making us cry.

P.P.S. If you want to protest the law, there’s a website for that.

Watch quick video tour of Sitebeam

Test your website with

or learn more
  • Tom

    Yes! Thanks Silktide. I couldntve put it better. My clients are now more confused by what I’m telling them than ever. Why is the ICO such a shambles?

  • http://twitter.com/nigedo nigedo

    ICO rewarded the “let’s wait and see” approach, so they can expect this to prevail next time they want us to implement changes.

  • oliveremberton

    Funny story: we posted this article, the surge in traffic knocked out our servers. We tried to identify where our traffic was coming from using Google Analytics: almost no data. Thanks Cookie Law!

  • Dee

    Thank you for making me smile in amongst the frustration……and thank you for the positive contribution with making the solution freely available.

  • http://www.timbarlow.net/ Tim Barlow

    Possibly a bit harsh, but then again… :)

    In fairness to them, I think they have been trying to give industry as much wriggle room as they dare and that is what has resulted in the general confusion.

    I do think the 24 hours notice has been well out of order.  Has Channel 4 and the Guardian worked with them? I’m not sure as I don’t think their solutions are compliant but then again, as you say the guidelines still leave doubt so we don’t really know one way or other.

    I do also think less time has been wasted than you suggest.  The ICO are not going to allow the “do nothing” approach (but at least we now have a “do something reasonable approach)

    • oliveremberton

      Agreed the ICO are in a tough spot, and I don’t think they want to cause any harm – quite the opposite. I still don’t approve of their job though!

      It seems likely that larger organisations were privy to a level of access the rest of us weren’t. Otherwise it seems hard to understand why all of their solutions rely on implied consent just prior to the ICO announcing as much. 
      The wasted time is something we’ve witnessed first hand on our own websites and those of our customers. People have spent months debating solutions, planning user interfaces, building working code, testing, deploying – and now at the last possible minute all of the rules have changed. This is after they gave us a year extension, so really I can’t see any excuse.

      Of course the tacit lesson they’re teaching here is not to bother complying – those who ignored the law are laughing so far!

      • http://www.timbarlow.net/ Tim Barlow

        You may be right about them having been privy to extra support but I think many (including ourselves) tried to read between the lines of previous guidance and came to a view that implied consent was going to be enough in some circumstances. 

        In my mind the guidelines don’t change a whole lot as they haven’t said that simply putting up notices will be legal, simply that they hope to not to have to enforce the legislation with people that do adopt that technically illegal approach.

        Again though, the 24 hours notice is totally out of order, especially as I had heard that the ICO were informally giving out this message some time ago.

        • oliveremberton

          A year ago I wrote a short book on the Cookie Law ( http://silktide.com/cookielaw/resources/free-ebook-on-the-cookie-law )

          For this I did a painful amount of reading on the law and deducing likely implications, which included things like realising analytics was essentially prohibited (this was not universally accepted at the time, came to be accepted, and was subsequently discounted when the ICO later said ‘they’re not allowed, but unlikely to be prosecuted’).

          I’m not going to claim my analysis was remotely near perfect. However the fact was I and others like me did a ludicrous amount of research to try to identify ambiguous conclusions that frankly could and should have been stated clearly in the first place. Surely that’s the ICO’s job?I’ll take some deep breaths now :)

          • Lawyer in the Shade

            Its obvious that the Cookie Laws have been ‘your baby’ for a while. You’ve made videos, web sites, books etc.

            How much of this was done to promote your self / your own business?

            Its not a bad thing, to ride on issues to promote yourself, but I think the lesson to be learned is: Don’t waste too much time and and effort trying to capitalise on silly laws.

            You’ve leanred your lesson now.

            I hope we all have. No more fanfares and campaigns. When the next silly EU law comes in, we should silently wink to the ICO and ALL keep quiet about til it gets forgotten.

            Then let it turn up 200 years later in on an episode of QI as a peice of interesting trivia.

  • http://www.helpwebhosting.com/ shubh

     What is going on the EU law. And about 12 hours before it again change as i read on guardian. I did not , they change the law and developer phase the problem.

  • http://twitter.com/idea15webdesign Heather Burns

    Since I first publicly spoke about the issue in February, one of my main points of concern was ICO’s consistent failure to declare the consequences and penalties for cookie law compliance in anything other than vague and generic threats. This resulted in the near-hysterical scaremongering we saw, with some unscrupulous web designers advertising their “cookie compliance” services with clip art illustrations of people behind prison bars, and others perfectly happy to scream about half a million pound fines for the mere act of having cookies. ICO seemed pretty unconcerned by that.

    And yet now evidence suggests that they were, to use that vomit inducing phrase, “working in partnership” with many content providers all along in encouraging a solution which they had no intention of telling the general public about.

    ICO has previously had to hand over its site analytics data due to a Freedom of Information Act request. I think another request should be filed as a matter of urgency: who has ICO been working with and how long have they been working with them – and why were they content to keep this quiet as a little game between themselves and the big boys?

    • http://www.timbarlow.net/ Tim Barlow

      I guess the problem is that if we push them, they will have no choice but to come out and say it has to be prior consent?

  • http://twitter.com/idea15webdesign Heather Burns

    They’re a government organisation funded by our taxes. They work for us. If we don’t push them, we concede that we work for them.

  • Mandy

    Yes, the ICO are incompetent. But let’s not forget that it was the eu that came up with this rubbish in the first place.

    • silktide

      That’s very true, although I wouldn’t like to claim the ICO are doing the best job of interpreting and implementing this law for the UK.

  • Alistair

    The ICO cannot be publicly seen to be too lax. The law is the law, and if they don’t enforce it the UK government will be sued by the EU, for failing to enforce the law they had to create.

    The entire thing is a farce, but to expect the ICO to be able to get this right is asking for the impossible.

  • http://www.paligap.com/ Iain Bartholomew

    It certainly seems to me that people like the BBC, John Lewis, Nationwide Building Society and others had some kind of tip-off about the approach that was going to be taken. I mentioned it on Facebook at the weekend, but it didn’t generate any discussion.

    Nobody knows what’s going on and it’s just ridiculous to be making revised announcements at or on the cusp of a weekend, on short notice to the deadline.

  • http://www.paligap.com/ Iain Bartholomew

    Interesting that the ICO website is now reporting an infinite redirect loop. Probably busy trying to understand its own advice…

    • oliveremberton

      Amusingly they had a bug earlier today which Chrome reported as a redirect loop. Chrome’s suggestion was to “clear all cookies” and try again. Ho hum.

      • http://www.timbarlow.net/ Tim Barlow

        Just too funny

    • Junk Buster

      It’s worse. The infinite loop (it’s an error 301, really) occurs when you click on an internal link without having ticked the “I accept everything you say” box.

  • http://ukwebfocus.wordpress.com/ Brian Kelly

    UK Universities have also been wondering how they should respond to the ICO legislation. A year ago in a post which asked “How Should UK Universities Respond to EU Cookie Legislation?” [1] I described how we had been given a year’s grace.  In December a post on The Half Term Report on Cookie Compliance [2] suggested that the ICO were likely to focus on documentation and policies, and a post last month which How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation? [3] found that most universities were simply explaining what cookies are, described the cookies they use and providing information on how to disable cookies.

    I had been given no advance notice of changes – but interpretted the signals coming from the Government which suggested that they weren’t going to take a hardline approach.  However such an approach might have been easy for the public sector as we tend not to carry adverts on our web sites.

    References

    1 http://ukwebfocus.wordpress.com/2011/05/26/how-should-uk-universities-respond-to-eu-cookie-legislation/
    2 http://ukwebfocus.wordpress.com/2011/12/15/the-half-term-report-on-cookie-compliance/
    3 http://ukwebfocus.wordpress.com/2012/04/16/how-is-the-higher-education-sector-responding-to-the-forthcoming-cookie-legislation/

  • Pingback: The ICO Amends the EU Cookie Law to Allow ‘Implied Consent’

  • Pingback: The ICO Amends the EU Cookie Law to Allow ‘Implied Consent’ | PHP Developer Resource

  • Bumblemoo

    Unbelievable post, basically what I’ve been ranting in my head for so long. Having to explain to clients why they need these ridiculous restrictions in their websites which has caused 60-80% drop in analytics as visitors simply refuse the cookies. What is the point anymore? How to trash the Internet. ICO really have nothing better to do. Guys please please sign this petition we need 100k signatures to get this reviewed in parliment. Send it to your clients!

    • http://twitter.com/homotechnologic homotechnologicus

       This won’t trash the internet at all. only business models that rely on monitoring without consent. If 60-80% opted out, then do you think people really wanted to support such models or they were simply just unaware? Why does the advertising industry think it is their god given right to monitor people. You wouldn’t allow them in your home? The 20-40% that opt in will be providing more accurate data anyway. PS I am a software architect and web developer and I block most cookies am shocked at the state of my friends not even understanding what is going on. This at least makes them think.

  • Bumblemoo
  • Richard Ashby

    Speaking as a developer who has also invested a not insignificant amount of time into this I feel your pain.

    But reading between the lines in interviews (particularly on Econsultancy) I’ve long suspected that the ICO have been of the same opinion as ‘the rest of us’ in that they think this law is ridiculous. To what extent I obviously can’t say. They seem to have been towing the official party line and I suspect working away in the background to loosen the interpretation. At least I hope so, because that’s a more better that being incompetent.

    This whole thing seems much like DDA – some companies pay lipservice to it, most ignore it and but a handful actively embrace it. Same with the cookie law- not that it’s even called that. They only clarified THAT a month ago!

    Nuts!

  • http://www.softpress.com/ Joe Billings

    Typo: “We’re been floundering in a wind of ignorance”

    • oliveremberton

      Fixed – thanks!

  • Kevin Edwards

    Damned if you do, damned if you don’t. For anyone following the ongoing advice from the ICO you will know implied consent was always the end goal that informed consent would deliver. 

    Yes, the advice has been broadened and hardened on implied consent and that is to be welcomed. But the ICO guidance is still unambiguous that implied consent can only be delivered via informed consent unless an adequate trust relationship exists between a website and its visitors. 

    Anyone would think the ICO has done a complete volte face – they haven’t: they’ve continued to say doing nothing isn’t an option. 

    The ICO also said at numerous events they would offer further guidance on implied consent in May 2012.

    • oliveremberton

      They said they would offer further guidance *the month that the law comes into effect*? (As it happens, the day before).

      How the hell is that anything but incompetent?

      “For anyone following the ongoing advice from the ICO…”

      I’ve made two videos about it, written an e-book about it and probably read as much on this law as anyone. Believe me, the ICO’s ‘end goal’ was not exactly conspicuous. Heaven forbid, they could just have stated it?

  • Pingback: Dear ICO: This Is Why Web Developers Hate You – A response | Hoinick

  • jakenoble

    Good stuff, I’n completely with you on this one!

  • frydmancom

    Informed by @timbarlow:disqus last year and more recently by @twitter-87808502:disqus in February, we knew that something needed to be done and were on the verge of contacting all our customers with the recommendations to do cookie audits, etc., and then the ICO interview with eConsultancy gave us pause for thought.

    In fact it gave us breathing space to get on with other fee-paying work.  I’m glad now that we did. We were waiting to see what bigger players found and reported about showing notices for implied consent.  

    Now I wonder quite how much the majority of the main online brands in the UK *will* do and whether web developers will consider this a dead dog – like laws about sheep being brought into exams at Oxford – for sites that don’t have any behavioural ad tracking.

    We’ll wait. And see.

  • Pingback: Examples of handling the EU Cookie Law | Toasted Digital

  • Pingback: The EU, Cookies And That Pesky Law | 8 Gram Gorilla

  • Pingback: Why I hate the Cookie Directive « Owen Blacker

  • http://www.tisindia.com/ Andrew watson

    I don’t think that all the web developers are going to agree with you. 

    • oliveremberton

      “I don’t know the key to success, but the key to failure is trying to please everyone.” 

      I’m sure some people disagree with me, and that’s fine. At least 300 people tweeted in support of this article though, so I wouldn’t say I’m alone.

  • Pingback: Who Wants A Cookie - Fruitbowl Media Blog

  • rosbiffer

    I see pop-ups on the Guardian, Telegraph and Nationwide sites – but not on all of the BBC sites or John Lewis.  As for Ebay, Google and Amazon (co.uk’s)…?  The Ministry of Defence have a pop-up but there’s just a link in the footer of the Home Office and Foreign Office sites.  You couldn’t make it up!

    The British Embassy site in Paris has neither a pop-up nor a specific link to Cookie policy – which seems to entirely represent the situation on this, the mainland, side of the English Channel – despite this being a Europe wide directive.  (If you look deep enough there is information buried in a footer link to Privacy Policy which to my mind doesn’t comply as it lacks specificity.)

    Working in France, I have seen very little mention of this whatsoever – well there’s a surprise!  There is legislation here relating to the provision of information – you are legally obliged to list the name, address and contact details of the site owner, managing editor and hosting company on all websites under a specific link called ‘Mentions Légales’.  Interestingly the Paris Embassy doesn’t do that either!

    My grateful thanks for your Open Source plugin – I’ll certainly use it, when and if I think it’s necessary.  At present it seems acceptable, given the examples set, to bury this in a footer link – sorry, of course not ‘bury’, I meant to say ‘make available’.

  • Sueskimo

    interesting that so many people see cookies as “evil” and won’t consent. It just shows that folk have no idea what goes on online. Someone said to me they didn’t know how their car worked either but it didn’t stop them driving but this is worse than not knowing how to fill your car with petrol – it is more like thinking fuel is bad for the car so I won’t use it

    • http://www.ongoingworlds.com/ David Ball

      When describing to my family at the weekend I likened cookies to a supermarket rewards card. They collect information about what you buy, but it’s a positive thing because you get vouchers for the things that you like. 

  • Pingback: Perhaps Your Site Isn't Illegal in Europe? - SitePoint

  • Pingback: How I baited the UK government to sue me for fun and profit