Fixing a broken cookie law

Dear ICO, sue us

We’re tired of the cookie law and the ham-fisted attempts to comply with it. Today we announced we’re dropping cookie solutions from our sites as a stupefying waste of time.

The law still exists of course and users still have legitimate privacy concerns. So we’re proposing a new solution.

A modest proposal

Let’s agree a standard way in which people can find a privacy policy. Our standard is simple, machine readable and human friendly. Any page with privacy concerns should contain a link like so:

<a href="privacy.html" rel="privacypolicy">Privacy</a>

(Note the use of the rel attribute)

This is simple but accomplishes a couple of things:

  • Standard language for humans. People can look for a link labelled “Privacy” or “Privacy policy” (for English sites). Simple and intuitive.
  • Browser augmentable. Future browsers or plugins could detect this and provide tools to help the user locate their privacy policy.
  • Give users control. Browsers or plugins could enforce rules like “disable cookies until I’ve seen a privacy policy” or “disable cookies for sites without a privacy policy”. Either would help drive up adoption and help the users who want it; but not interfere with users who don’t.
  • Easily testable. Automated tools can check these links are in place where they should be (we just updated Sitebeam to do this for free).
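As an added illustration of the “easily testable” point (this is example code written for this page, not Sitebeam’s or Silktide’s own checker), the following Python script scans an HTML page for anchors whose rel token list contains the proposed privacypolicy token and resolves where they point. It assumes the token name from the proposal, treats rel as the whitespace-separated, case-insensitive token list HTML defines it to be (so a footer link with rel="nofollow PrivacyPolicy" still counts), and uses constructed sample pages and a placeholder base URL rather than anything from a real site.

```python
"""Check that an HTML page declares its privacy policy with a rel="privacypolicy" link.

Added example for this page; the rel token name is taken from the proposal
above and the sample HTML below is constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

REL_TOKEN = "privacypolicy"  # token name proposed on this page


class _PrivacyLinkParser(HTMLParser):
    """Collects <a> elements whose rel token list contains REL_TOKEN."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []        # list of (absolute href, visible link text)
        self._current = None   # [href, text] while inside a matching <a>

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        # rel is a whitespace-separated token list compared case-insensitively,
        # so "nofollow PrivacyPolicy" must match as well as "privacypolicy".
        tokens = {t.lower() for t in (attr.get("rel") or "").split()}
        if REL_TOKEN in tokens and attr.get("href"):
            self._current = [urljoin(self.base_url, attr["href"]), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def find_privacy_policy_links(html, base_url="http://example.invalid/"):
    """Return [(absolute_url, link_text), ...] for every privacypolicy link."""
    parser = _PrivacyLinkParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.links


def check_page(html, base_url="http://example.invalid/"):
    """Summarise whether the page declares a policy and where it points."""
    links = find_privacy_policy_links(html, base_url)
    return {
        "declares_policy": bool(links),
        "policy_urls": sorted({href for href, _ in links}),
    }


# Constructed sample pages (not taken from any real site).
SAMPLE_OK = """<html><body>
<a href="privacy.html" rel="privacypolicy">Privacy</a>
<footer><a href="/legal/privacy" rel="nofollow PrivacyPolicy">Privacy
  policy</a></footer>
</body></html>"""

SAMPLE_MISSING = """<html><body>
<a href="privacy.html">Privacy</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING)):
        print(name, check_page(page, "http://example.invalid/about/"))
```

The check only establishes that the machine-readable marker is present and where it points; it says nothing about whether the linked page is a readable policy, so a tool like this belongs alongside a human review of the policy text, not in place of it.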

We also think any privacy policy should pass a simple test: your grandmother could understand it. We couldn’t find any that did that, so we made ours and you’re welcome to copy it.

Why this matters

Privacy is important, and it’s a great shame this farcical law does nothing for it.

You might say we’re proposing pretty much what people were already doing before the cookie law came into effect, except slightly better. That would be about right.

Most solutions to this law interrupt the user with a message to tell them that cookies are being used, and link to a long technical document listing those cookies in detail. How exactly does that help a normal web user?

What people need is an open and sincere dialogue about how their privacy is affected, together with controls to opt out of tracking that might legitimately cause them concern.

We welcome your thoughts and suggestions.

  • http://twitter.com/minabird Valerie O’Neill

    It’s not a good idea to redefine the rel attribute. Adding a new HTML element attribute would probably need W3C agreement and there are already standard ways to declare privacy policies (including cookie use). The P3P1.0 standard has a “well known” location for “human readable” policies and the W3C Tracking Protection group (DNT) has a draft standard which includes a way for publishers to declare tracking compliance & commitment.

    • oliveremberton

      When we checked P3P it was essentially abandoned. Too complex and never adopted in the years it was promoted.

      We’re not redefining the purpose of rel – indeed, rel is specifically designed to say what an external page is for, and is widely used by (for example) lightbox solutions to make images appear in lightboxes.

      So we *believe* this is both ludicrously easy to implement and fitting with existing standards. Happy to have the discussion though!

    • oliveremberton

      We did consider P3P, but it appears to have been effectively abandoned. Too complex and not adopted in the years it was actively promoted.

      We’re purposely not redefining the “rel” attribute – that’s designed to indicate a relationship between two pages, and the value of the attribute is not regulated. So if anything it should be designed for things like this. You see rel being used widely by say lightbox solutions as well.

      So we *think* what we’re proposing is both compliant with existing standards and ludicrously easy to implement. But either way we’re happy to have the conversation!

    • CyncialOne

      This wouldn’t be redefining this rel tag, this would be defining a new attribute for the rel tag? As far as I know no other standard uses rel="privacypolicy"

    • http://twitter.com/foamcow Foamcow

      Is it not this kind of thing that the rel attribute is for? It is there to indicate a relationship between 2 resources and that is what it is doing in this instance.

  • peteduncanson

    This has made my day and it’s only 10:13am. We’ve been actively avoiding adding cookie “solutions” to any of our sites for the same reasons, they just don’t achieve what is intended. Excellent that you are doing it in public.

    Pete

  • http://www.digitalbiscuits.co.uk/ Oisin Conolly

    Finally something that actually makes sense.
    I wish the ICO actually employed people like you… or at least people with some common sense!

    • oliveremberton

      To be fair, if we worked for the ICO and had to enforce this law, we’d probably kill ourselves.

      • CyncialOne

        I would revel in the joy of catching privacy violators. Personally I would volunteer to help them on a part time continual basis if they’d put effort into this.

        • oliveremberton

          That part yes. The vague, ill-thought-out law they were given to implement? Not so much.

  • CyncialOne

    I applaud your efforts but your own privacy policy is woefully inaccurate. Especially the several portions where you discuss third parties.

    • oliveremberton

      Could you be more specific? Happy to revise it.

    • CyncialOne

      I set about trying to create the “Perfect Privacy Policy” © once. The third parties make it really ugly because some states require you declare what info these third parties collect and how they use it.
      Also Google has some specific requirements for privacy policies that must be included on websites (that use Google services like Adsense) to be compliant with the California privacy laws.

  • http://twitter.com/hadleybeeman Hadley Beeman

    Quick point of clarification: The European Directive 2009/136/EC is the source of the cookie rules you’re discussing here, which required governments of member states to implement the law in their own countries by 25 May 2011. We did that here in the UK with The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

    The ICO is just the watchdog; it isn’t their job to make this policy. If you’re finding rules problematic, then you might want to direct your feedback to MEPs and the European Commission.

    Hope that’s helpful!

    • http://twitter.com/alastairh Alastair Houghton

      I actually tried to raise the issue through our local MP, who passed it on to Ed Vaizey, and I copied one of our local MEPs too. No joy, I’m afraid. I suspect web developers are seen as too small and low-profile to bother with, whereas privacy “advocates” are loud and get extensive press coverage.

      The thing that irritates me the most about this legislation, though, hasn’t been terribly well covered. In addition to banning the use of cookies, the law actually bans the use of other things (like the User-Agent string, or the user’s screen/window dimensions), because it talks about not gaining access to information stored on the user’s terminal equipment without explicit consent. If they had bothered to talk to any technical experts when drafting it, they would have discovered this — but they didn’t.

  • http://twitter.com/foamcow Foamcow

    I feel there is an inherent problem with your proposed solution in as much as putting a link to a privacy policy on a page does not mean it actually links to anything useful that meets any kind of defined standard. If that’s the only means to determine if “privacy is activated” then what’s stopping you linking it to a page containing a picture of a dog in a bomber jacket and nothing else?

    So it’s not really a “solution” that goes any further than the current requirements to have a privacy policy. In all honesty I don’t think there is any real solution other than for users to understand what goes on when they browse a website. Since many web “professionals” have trouble with this I can’t really see that happening so at the end of the day it comes down to:

    1. Have a privacy/cookies policy
    2. Have some regulation/guidelines about how to include information about Cookies and privacy in general and write it skilfully and in plain language.
    3. Educate “the common man” about what happens when they are browsing the web and the implications thereof.

    Wait, there is a *real* solution!
    Browser manufacturers make cookie usage plainly visible within the browser itself. This would allow for a centralised, controlled, explanation document to be easily available and help to educate people as I mentioned.

    It’s actually simple, it just needs to be done and I honestly can see no valid reason why it isn’t done already other than it would possibly affect advertising revenue somewhere along the line.

  • http://www.facebook.com/steve.linton.3158 Steve Linton

    You’re all trying to achieve “business as usual” despite the law. You want to track customers, build up profiles of their activities etc. I have a simple solution. DON’T DO THAT! Treat each customer connection as a different anonymous customer. Do not require registration or signups.

    • David

      You don’t need cookies to track data, so the law has negligible effect even if it is enforceable to the extent that it is a worthless law

  • http://twitter.com/gavinfostered Gavin Foster

    Just read your nocookielaw site. Finally! I knew I wasn’t the only one. Redirecting all future customers who ask about this to this site in future. Kudos!

  • The Cookie Monster

    Common sense, easily implemented, unobtrusive to those who run the sites or don’t care, easily findable for those that do. Why is THIS not the proposed solution????

  • http://lucb1e.com/ Lucb1e

    If we are welcome to copy it, then why does it say “© Silktide Ltd 2012. All rights reserved.”?

    It makes no sense to put that under every page. My website has no copyright whatsoever, but that doesn’t mean that I don’t have copyright over my content.

    • silktide

      Luc you’ve got a good point! We have that copyright across all our pages and it was difficult to remove it for just the one page. We’ll probably change this copyright wording soon, but in the meantime you have our permission to copy our privacy policy

    • David

      The two things aren’t mutually exclusive. In fact, it wouldn’t make sense for them to grant permission to copy the content *unless* they were the copyright holders.

  • http://www.facebook.com/scott.lawrence.uk Scott Lawrence

    Review the EU Cookie Law Petition – epetitions.direct.gov.uk/petitions/33759

  • http://joomla-jquery-internet.de Robbz

    But I think disqus uses cookies – and you embedded this into your site ;-)

    Although I totally agree that the EU has nothing better to do than punishing USERS with stupid laws! #fuckTheEU !!