As many people will remember, a while back ICO caused a bit of a stir by announcing an…interesting…new law all about cookies.
In short, the law says this:
Even shorter: whereas you used to have to give the option to opt out of cookies, now you have to ask people to opt in.
The first question is how this affects behaviour. The best place to ask this question (thanks for the heads-up, Matt!) is the ICO site itself, which is one of the – presumably very few – organisations actually enforcing the law right now. The first thing you notice on their site is a horrible great banner slapped across the top, advising you to opt-in. Amusingly, it turns out they do actually place a cookie without asking your consent, because it is “essential for parts of the site to operate”. (Note this for later, folks, it may be your get-out clause…).
This is all pretty horrible visually but as ever those designer types will find a way. What is more disturbing is the effect this’ll have on the functionality underlying your site. A huge number of web sites and apps these days rely on the setting of cookies, often to retain state between visits. If you log into a site, go away for a bit and come back again to find you’re still logged in – that’s almost definitely a cookie at work.
This is all fine though, right, cos any visitor seeing that banner is just going to click the link for “a better web experience”? Um, no. Not in the slightest. Here’s ICO’s visitor figures, taken from a RFI.
I’ll leave you to work out when the cookie header was implemented:
(Note that this doesn’t mean that ICO lost ~90% of their traffic. It does mean that 90% of people didn’t check the box. If you’re web-savvy you’ll notice that viewing the ICO HTML source shows no sign of a Google Analytics tag when you first go to the site. Then if you check the box and consent, the GA code appears. The missing 90% is simply not being measured, rather than not being there…)
For those who missed the history, there was a panicked moment as ICO tried to enforce this law and then almost immediately decided that they were going to give businesses a year to comply. Just recently the conversation came up again on a forum I follow and in response I threw out a tweet to ask what my web developer friends were doing about it. Mostly the answers went all a bit ostrichey: heads buried, hands over ears and “we’re relying on the fact that something this ridiculous won’t happen”, or “that old law? That got buried, right?”. Well, no. ICO claims that from May 2012, organisations have to comply.
On the surface, this is clearly ridiculous. Not only do you – as MD of ecommerce site, or web developer, or web agency, or… – have to go back to all your sites and ensure that you have the opt-in available, but you also have to re-write any functionality which relies on cookies. If you don’t, you’re going to lose that 90% too, ‘cos people aren’t going to click your checkbox, either.
One of the worries which has been aired particularly amongst my museum / not for profit / government / public body web friends is that this will lead to a two-tier scenario. Commercial organisations clearly won’t take a 90% hit, or even spend the time retrofitting their technology to make it work in a cookie-less world – but those in these public bodies will be forced to comply.
The other bit that concerns many people greatly is that web analytics – which has undergone a rather lovely evolution since Google Analytics arrived on the scene – is going to be thrown back a good 5-10 years by this move. I remember spending entire days crunching log files back in the early 2000’s, and it’s not a world I want to return to. There are some solutions out there, but they’re not established in the way that GA is.
So far there seem to be few answers, and lots – and lots – of questions….