Thursday, 26 May 2011

How the cookie crumbles

ICO, number 10, parliament and EU web sites flout new cookie law!

The modifications to The Privacy and Electronic Communications (EC Directive) Regulations 2003, and in particular to Section 6, which essentially relates to the use of cookies by web browsers, come into force today.

First problem is that does not update UK SIs. Why? That is crazy. Anyway, to read the regs in their current form you have to read The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and specifically the changes to Section 6.

This makes it read as follows :-

(1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment—
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) [old wording, struck out by the 2011 amendment: is given the opportunity to refuse the storage of or access to that information.]
(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information—
(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

So, what does this mean?
Basically, you cannot store or retrieve any information (e.g. a Cookie) in/from terminal equipment (e.g. a Browser) without consent, and no longer can that be a failure to opt out - it has to be specific and informed consent. The exception is for strictly necessary usage for a service that was requested by the user.

Now this could be a real pain for web developers. Session cookies are pretty common, although for what most web sites do they are clearly not strictly necessary. So are analytics to track numbers of users, and they tend to use cookies as well. It could be argued it even applies to caching controls like Last-Modified headers, as caching is not strictly necessary. Even so, plenty of people argue that even session cookies are strictly necessary - but who knows.

What is extra special is that Ed Vaizey has written a letter just two days before the legislation comes into effect (so well after many people have spent a lot of time trying to comply) essentially saying not to worry. He seems to be saying :-

(a) Browsers will change so that you have to say you want cookies rather than the default of allowing them. (It would be fun to see any browser do that as a blanket change to a default setting, as everyone would turn cookies on just to get to Facebook and so would be consenting to the situation before the new law.)

(b) That the legislation specifically does not say the consent has to be prior consent. He says consent could be obtained afterwards! He seems to be suggesting that we just all wait until browsers are updated and in the mean time the ICO will do bugger all.

Now sorry if I am being thick here, and I am not a lawyer so not sure how to read that, but surely such a notion creates a Schrödinger's legislation, making the sending of cookies a sort of quantum state of being legal and illegal at the same time. You can only resolve that once you later ask for consent and find you either get it or not.

Note that civil cases for damages for breach of this act can be taken to the county court from today and so he cannot say no enforcement will happen yet. Sadly it is hard to contrive damages for this else I would have issued a county court claim against the ICO this morning. Next holiday on expensive roaming mobile data I'll have a good look around the ICO site and then add up how much the extra header lines for cookies each way have cost me...

Yes, that is right, several sites are flouting the new law...

- Two cookies on main page
- Four cookies on main page
- Five cookies on main page
- Two cookies on main page
- A survey cookie

Note that even serves two third party cookies from so not even just own-site session cookies!
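The count done by hand above (cookies per main page, own-site versus third party, session versus persistent) can be automated from the Set-Cookie headers a proxy or the browser's network panel records. This is an added example, not code from the post; the (host, header) pairs and the site name are a constructed sample, and `same_site` assumes the caller supplies the page's registrable domain.

```python
# Added example (not the post's own code): classify the cookies observed while a page
# loads, from (responding host, Set-Cookie header) pairs as a proxy or devtools records them.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class CookieInfo:
    name: str
    host: str          # host whose response set the cookie
    persistent: bool   # has Expires or Max-Age, so outlives the browser session
    third_party: bool  # set by a host outside the page's own site

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split 'name=value; Attr=val; Flag' into the name and a lower-cased attribute map."""
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for piece in pieces[1:]:
        key, _, value = piece.partition("=")
        if key.strip():  # skip empty segments left by a trailing ';'
            attrs[key.strip().lower()] = value.strip() if value else None
    return name, attrs

def same_site(host: str, site: str) -> bool:
    # Assumes `site` is the page's registrable domain (e.g. example.gov.uk); a real audit
    # would derive that from the Public Suffix List rather than trust the caller.
    host, site = host.lower(), site.lower()
    return host == site or host.endswith("." + site)

def audit(site: str, observed: List[Tuple[str, str]]) -> List[CookieInfo]:
    result = []
    for host, header in observed:
        name, attrs = parse_set_cookie(header)
        persistent = "expires" in attrs or "max-age" in attrs
        result.append(CookieInfo(name, host, persistent, not same_site(host, site)))
    return result

def summarise(cookies: List[CookieInfo]) -> Dict[str, int]:
    return {"total": len(cookies),
            "session": sum(not c.persistent for c in cookies),
            "persistent": sum(c.persistent for c in cookies),
            "third_party": sum(c.third_party for c in cookies)}

# Constructed sample: a first-party session cookie, a persistent first-party survey
# cookie, and two persistent cookies set by an embedded analytics host (third party).
SAMPLE_SITE = "example.gov.uk"
SAMPLE_OBSERVED = [
    ("www.example.gov.uk", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("www.example.gov.uk", "survey_seen=1; Expires=Thu, 26 May 2012 00:00:00 GMT; Path=/"),
    ("stats.analytics.example", "visitor_id=17; Max-Age=63072000; Path=/"),
    ("stats.analytics.example", "campaign=x; Expires=Fri, 26 Nov 2011 00:00:00 GMT"),
]
```

The summary for the sample is 4 cookies: 1 session, 3 persistent, 2 third party. Whether any of them is "strictly necessary" in the regulation's sense is a judgement the code cannot make; it only tells you what was set and by whom.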

P.S. This blog is a web site and any cookies you get are fully in their control and not mine. I do not own, run or host this web site at all (though the domain is mine it just points to My role is just as a contributor to's site. I contribute text and images for articles. I am not storing or retrieving anything on your terminal equipment!


  1. Can you get remedies besides damages? If you can't say that you have experienced financial harm, perhaps you could still get an injunction requiring the ICO to stop setting cookies on the front page.

  2. No way browsers are going to switch off cookies by default. For a start they're mostly written in the US which isn't covered by this legislation... and secondly it'd break *loads* of stuff - and a lot of users simply wouldn't know how to switch them back on again... they'd just say 'This browser has broken facebook' and downgrade/switch.

    So what's the legal position of server logs now.. User agent, referrer info.. even the GET line are all information provided by the browser.

    Also.. how do you store the refusal of consent. In a cookie?

  3. > Note that even serves two third party cookies from

    Do you mean serves two third party cookies? or do you mean that services two cookies?

  4. All of the above seems to be being read in the context of web browsers and cookies.

    But I don't see anything that restricts it to that - when you email me, the bulk of the headers in your message are probably not "strictly necessary" and you probably don't have explicit consent to be permitted to email me those headers.

    No matter that you can't retrieve them later, I think.

  5. Also.. how do you store the refusal of consent. In a cookie?

    You don't, you just ask them every time, because you're not allowed to store the information.

    We had an interesting one with some Forums, and people clicking "Keep me logged in" and then "No I don't want to store cookies", then complaining to me that it wasn't keeping them logged in.

    If you ask the user if they want to store cookies, and they say no, the only reasonable thing to do is to ask again, as you don't know that they said no; eventually the user will get annoyed, and accept the cookie... I think this defeats the point, but is how I see it will be...

  6. Early versions of browsers used to ask for confirmation before submitting form data, accepting cookies, turning HTTPS on/off... These things have gradually disappeared as they turned out to be ignored and blindly clicked-thru.

    What is the rationale behind this legislation? Surely the cookie fallout is just an unintended side effect? What are they actually trying to achieve?