Published 4th April 2012, (c) Geraint Williams
This article was generated from a series of blog entries that I wrote on my blog geraintw.blogspot.com in March 2012 in response to the ending of the ICO deadline on the implementation of the UK cookie law (PECR). The aim of the article was to give some background on cookies that was easily understandable, the privacy issues, and what the legal situation was with having cookies on your website.
Cookies are starting to hit the headlines again as the UK deadline for meeting the EU Cookies directive draws nearer. The UK government had revised the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May, to address new EU requirements. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers, the ICO gave a year’s grace period starting the 26 May 2011 for companies to become compliant with new guidelines provided by the Information Commissioner Office.
Web pages use the Hyper Text Transfer Protocol (HTTP) to transfer the page from the web server to the client’s browser, it uses Hyper Text Markup Language (HTML) to code the page and the browsers render the HTML to create the web page on the screen. When Sir Tim Berners-Lee developed HTTP at CERN the particle physics laboratory on the French-Swiss border it was a stateless protocol, each transaction of transferring a single web page was a single session within the protocol and independent of the any other session, it was not possible to transfer information between web pages. It was not long before information was being exchanged between web pages by using Uniform Resource locator (URL) encoding in a GET request or in the body of a POST request. GET and POST are two types of HTTP request methods used by the client to request a resource from the web server. The URL of the request object is contained in the header of a request method.
Sample GET Request showing URL encoding
Sample GET Request showing data in the body of the method
When using GET request the transferred data is visible in the address box of the browser, in a POST request the data is not so visible. However these methods of transferring data are transient and don’t provide for persistence of data which is required for a more complex web application and for a personalised experience. As web pages are rendered on the client machines, a technique of using variables that will be stored in the client’s browser where developed, these variables are known as cookies.
The document Request for Change (RFC) 2019, Feb 1997 deals with HTTP State Management Mechanism and describes the two new headers introduced to the HTTP protocol, Cookie and Set-Cookie. The header Cookie is used in the Request object to send a cookie to the server, the Set-Cookie header is used in the response method to set a cookie on the client browser. In the RFC 2109, 3rd party cookies where not allowed, however this was ignored by some companies and RFC 2965, Oct 200 and RFC 6265, April 2011 have redefined HTTP State Management Mechanism.
There are a number of classifications of cookies that are dependent on the duration the cookies last for and which web sites can read the cookie
Classification of cookies
Attributes of cookies
Cookies are created by a web server sending the set-cookie header to the browser, from then onwards every time the browser requests a page from that domain the cookie header is sent as part of the request, this continues until the cookie expires. However cookies can also be set by a script on a web page manipulating the DOM if supported and enabled on the clients browser.
Below I have screen grabs of three of the most used browsers on a PC, showing the options available to control how the browsers interact with cookies.
Internet Explorer 9.05
The common features amongst the latest versions of browsers are
However the different ways of implementing the controls will make it difficult for a web site owner to give instructions on how to handle consent for cookies.
Ideally a web user needs a more flexible approach to controlling cookies than the blanket controls based on options of either ignoring all cookies, ignoring 3rd party cookies or accept all cookies. The browsers above do offer some additional features of which, the exceptions option is probably the most important in where a blanket ban on cookies can be overridden on selected web sites. A good feature that a lot of browsers are now implementing is allowing session variables which are typically associated with the management of web applications but only exists for the duration of the visit. An additional handy feature is the ability of some browsers to delete all cookies as it exits, thus turning all the cookies into session cookies.
The ability to accept only session cookies or turn all cookies into session cookies by forcing the deletion of them is of fundamentally important with a modern dynamic web application where session management cookies allow the web site to function as the user expects it to. With the new regulation a lot of web sites are being forced to offer two alternatives, consent to cookies or block all cookies as they can't rely on user’s configuring the browser settings. In fact assuming consent has been given as the browser accepts cookies has been specially ruled out and it is written a site must get consent before writing a cookie to the client browser.
A user of a web site is now being forced into either accepting all cookies as they want the functionality of the web application, or block the functionality of the web site as they don't want the functionality of some of the cookies. Although the regulations say consent for strictly necessary cookies is not required, the cookie specification and browser support are insufficient to allow acceptance of strictly necessary cookies and block all other cookies, unless the web site uses session only cookies for the strictly necessary functionality and uses non-session cookies for all uses and even then the browsers will need to be correctly set.
A number of countries around the world have produced guidelines and regulations on cookies but these only affect the relevant country. In 2002 the EU developed a telecommunication privacy directive and article 5, paragraph 5 gave directive mandates that storing data on a user’s computer can only be done if certain conditions are meet. These cover giving information on how this data is used and giving the option for the user to opt out of storing the data. Data that is necessary for technical reasons are exempted for the user opting out of storing it.
In the UK the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations) implemented a European Directive - 2002/58/EC concerned with the protection of privacy in the electronic communications sector. In 2009 this Directive was amended by Directive 2009/136/EC. This included a change to Article 5(3) of the E-Privacy Directive requiring consent for storage or access to information stored on a subscriber or users terminal equipment.
The UK introduced the amendments on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. The government prior to the introduction of the Regulations expressed the view that there should be a phased approach to the implementation of these changes. The Information Commissioner agreed that businesses would need time to implement solutions. He therefore confirmed that he would exercise his discretion and allow organisations a ‘lead in’ period of 12 months to put in place the measures needed to comply.
This lead-in period will come to an end on the 26th May 2012, there is just two months left of the period. During this period the Information Commissioner made it clear that organisation should be taking steps to comply with the rules, any complaints received about web sites during this period he would expect to see a plan of action on how the rules are going to be compiled with.
As previously stated On 26 May 2011, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) come into force. These amend the Privacy and Electronic Communications (EC Directive) Regulations 2003. The 2011 Regulations enhance these powers and introduce new requirements, most notably in relation to cookies. From the ICO advice on the new cookies regulations, the introduced changes is that cookies can only be placed on machines where the user has explicitly given permission.Regulation 6 of the PECR
6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the
requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment--
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
The regulation 6(3) implies the first time a terminal equipment of a subscriber or user they must be asked, however on subsequent visits it is not necessary to repeat the request for consent. However it is hard to see if equipment used to browse the internet is shared between users how the website will know if it is the same user or not.
Regulation 6(3A) does allow a website to test to see if cookies are allowed by trying to read and write a cookie which the ICO has indicated is not fully acceptable. I assume that if the site detects cookies are not allowed then it can assume consent is not given, however it can write and read cookies then it has to ask consent at which point it is too late as they have already written a cookie potentially without consent.
Regulation 6(4) exempts strictly necessary cookies from the consent request process, where strictly necessary is for operation of the web application to meet the subscribers or user expectations.
Previously, companies using cookies only had to inform users about their use and give such users the opportunity to "opt out" if they wanted; now it is an "opt in" requirement. In order to determine whether people had opted out, companies are using the technique of trying to write a cookie to a browser and immediately read to test if the user had disabled the acceptance of cookies, if they could write a cookie it was assumed the user had not opted out of accepting cookies.
The Information Commissioner now advises that these are not currently sophisticated enough to allow companies to assume that the user has given consent and he advises that companies should obtain user consent in some manner. In order to give the rules some bite the ICO has the power to serve a monetary penalty of up to £500,000 on organisations that seriously breach the rules. Along with the use of enforcement notices and undertakings as they have previously as part of the range of options available to them to make sure organisations comply with the law. The Commissioner has said they will be able to impose a monetary penalty notice if an organisation has seriously contravened the Regulations and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition the contravention must either have been deliberate or the organisation must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.
This is going to mean companies will need to look at their web sites and develop a strategy for handling gathering cookie consent. The process of cookie consent handling is showing in this flowchart
At the moment essential cookies don't need consent, if your site only uses essential cookies than no consent is required, however if you have a mix and most sites will especially if they are using Google Analytics then you will need to get consent for the strictly not necessary cookies and this is where the problems start.
No matter what a business view on the law is, it won’t stop the Information Commissioners Office (ICO) from taking action about complaints websites are breaking the law. The new regulations require more than just telling users about cookies and allow them to opt out and they need to be more pro-active in meeting the regulations.
The ICO recommend these three steps
Although cookies required for technical reasons are exempt, the actual scope of the exemption has been discussed in various forums and there have been some very inventive technical reasons as to why a cookie should be exempt.
In general the following are not exempt
The international nature of the internet and the use of third party cookies will make the scope for implementing the regulations and the responsibly difficult to establish clear. From the information released by the ICO it is clear and UK organisation is subject to the regulations even if their web site is hosted outside the UK. Organisation from outside European with websites designed for the European market and offering services or products within European should consider that European users will be expecting information on cookies and the ability to opt out. The responsibility for providing information on third party cookies and gathering the opt-in permission will be with the website owner as it will be technically very difficult for the third party to do so.
The law whilst aimed at protecting users does not reflect the current technology being used in websites and browsers. The EU has said existing cookie controls in browsers are not flexible enough and a majority of users don't understand cookies and won't be able to configure cookies from the web site.
Some extensions to browsers do give the functionality to allow the blocking of some and allowing others, however it takes user awareness and knowledge. Software writers developing browsers could take some of these ideas and implement them in the browser and at the first time of using the browser it could ask for setting to be configured with the default being, strictly necessary cookies are allowed all other are blocked, but how does a browser know a strictly necessary cookie form any other cookie.
Here a development of a new RFC for session management is required with a new attribute of strictly necessary which can be set by the website developer. The ICO and other such agencies could that have strict penalties for incorrect setting of cookie attributes.