On the EU Cookie Law

ETA: Please check out Trac #19622 – There will be a new way to do this in WP 3.4

I’m going to be bold and tell you that the new EU law, that goes into effect in the UK on May 25th, is going to be impossible to track and enforce, it’s being handled backwards, but besides that, it’s actually a pretty good idea.

For most people outside the EU, we have no real idea about what’s going on, so here’s a short recap. As of May 25th, a change to the EU law will require businesses to request permission from visitors to their websites before they can store information about their identity, history and preferences via third-party cookies. You can read the whole details in the proposal or Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services. Those links are full of legalese.

Now, I do want to point out that this only affects people who live in the EU. Arguably, it also only affects people who host sites in the EU, and you may be able to skirt around it by hosting in the US or Canada, but that’s a lawyer conversation. Basically, if you live in the EU and have a website that acts as a business, you’re kind of screwed. If you just have a blog with 100% personally controlled content and cookies that only come from your domain, you’re fine. The cookies, including the kind WordPress drops on your site, are not the kind they’re talking about. If your cookie is only tracking information used on your site (login information, recent comments, etc), you’re fine. If the cookie comes from someone else (like Google Analytics or Project Wonderful), then you need to explicitly tell the visitor and obtain their consent.

This is done for a pretty good reason, when you get down to it. When you go to a restaurant and pay with your credit card, you trust that neither the credit card company nor the restaurant are going to turn around and give your personal information to some other company who uses it for their own purposes. Legally, they have to ask you for permission to use your info, and that’s why sometimes they ask for your zipcode when you’re checking out at a store (and also why you’re totally allowed to say ‘no’ when they ask). Third-party cookies, that is those put down by someone other than the domain you’re visiting, should also be ‘agreed’ to. The EU argues that just visiting a site with Google Ads does not constitute consent.

Item #66 in the directive:

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spy­ware or  viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities

That’s a pretty hefty thing to get through, but it clearly spells out that third party cookies are when they’re on about. And in that, they’re right. There should be transparency to all this. We should know when we’re being tracked around the internet. But they’re wrong in making this the sole responsibility of the website owners. This is not to say that, as a website owner, I’m not responsible for the cookies my site puts down. And this is not to say that, as a website owner, I’m shouldn’t tell people how cookies and personal information I collect are used on my site. But to say that the ‘solution’ is for me to alert you with “Hi, the EU says I have to tell you about cookies and make sure you’re okay with them on your computer.” or not to use things like Google Ads, Facebook Like buttons, or Twitter integration is unenlightened.

The issue is not that I, as website owner, am using third party services, and it’s not even that I’m using those services in an ‘hidden’ way (I use Google Analytics on this site, which you can’t easily tell unless you look at my source code). The issue is that those services are using cookies to track you between sites. But it’s easier to go after you than it is to sort out how to go after them, at the end of the day.

Arguably, this is also being done to protect the website owners. If a visitor agrees to have the cookies, then you’re not longer on the hook if they complain. How are they going to (1) verify that (a) you did ask first and (b) they did consent, and (2) enforce this at all? The only way this can be enforced is if someone (or a program) goes to every single website hosted in the EU, or owned by someone who lives in the EU, and checks them for cookies without explicit consent. This could be automated, and emails could be automagically sent out to the site-owners, who would in turn have to look at their software and ads and deduce what’s making the cookies. Already, the UK has said they know companies won’t meet the May 25th deadline and don’t plan to enforce the law yet.

Let’s say that they decide they will enforce the law. How can they verify that a cookie for your site is on someone’s computer? WordPress saves cookies in the name of wordpress_verylonghashkey, where your HASH key is specific to your install. Now they do show up as ‘from’ the website domain.tld but they can be forged. The easiest way is to copy cookies from one computer to another (I just did that when I moved everything from my old desktop to the new laptop). Another way is to take the information I have in my cookie, and tweak it to apply it to someone else’s site. That way requires a lot more savvy, more information than I’m providing here, obviously, and it’s incredibly hard, but it can be done.

If they only rely on cookies that show up when your site is visited, they have to come up with a way to verify that it’s your site that put down the cookies and the visitor agreed to have the cookies put down. They have yet to explain how they’re going to be checking sites, which means you, as a site owner, still have no idea exactly what is and is not illegal to do. Sort of hard to protect yourself against an unexplained law, and it’s worse when you remember that “ignorance of the law is no excuse.” That should cut both ways. Ignorance in creating the law is no excuse.

There’s already a way for users to stop cookies from being stored on their computers. Every browser out there has a way to turn off cookies. Most have a way to say ‘Don’t allow third-party cookies.’ If that’s not enough, Don’t Track Us has plugins for most browsers that let you block tracking plugins.

To make this work, the EU needs to explain how they’re going to determine if you’re in violation of the law, and how they will enforce it. They also need to take this to the streets and tell the third-party cookie makers to stop. There are ways that third party tools can work around this, and one of which could be to tell people when they log in to FaceBook “We reserve the right to use your login credentials and other account information stored in cookies on other sites.” After all, the cookie belongs to FaceBook! Or we could just not use cookies at all for that sort of thing. But that has to change at the source of the matter, the third-party, and many of them don’t tell people that their cookies are used in such a way.

As it stands, this law won’t be enforceable, it won’t be understandable, and it will cause more hassle with the wrong people without protecting anyone at all. It’s still a great idea, but it’s just not going to work this way. All they’d done is made a law to tell people that their hot coffee is, indeed, hot.

Further Reading

• Wikipedia: HTTP Cookies
• Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council amending, among others, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
• Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services
• Don’t Track Us
• Google Holds Out Against ‘Do Not Track’ Flag

Ipstenu (Mika Epstein)

I’m Mika (aka Ipstenu) and I’m complicated. I’ve been on the net since the days of dedicated terminals and Novation CAT modems and solved Missionaries and Cannibals (or Goats and Cabbages) before I was six, and blog about WordPress and technical/computer things at Half Elf on Tech.

See Full Bio