Go to most websites based within Europe now, and you're often greeted by some big warning about cookies. Why has this happened, and is it necessary?
Cookies have been around since 1994. Coincidentally, that's the year I started to learn BASIC as a twelve-year-old. A cookie is a small text file, tied to the domain that issues it, and it can contain anything at all. Typically it is used to store hashed keys so that visitors remain logged in to a website between sessions, but it has been used for many other purposes too.
Bad uses of cookies
Fixing the problem
The best way to fix the problem is obviously by writing code properly with security in mind. But with such an unregulated institution as the internet, and no professional qualifications required to create websites, that's not necessarily an easy thing to achieve. The European Union decided that the best way to tackle the issue was to enshrine it in law. Enter the Privacy and Electronic Communications Regulations 2003 (PECR), also known as the Cookie Law.
PECR covers lots of things regarding personal privacy, including spam and opt-ins for marketing. The most visible part of this law, however, revolves around cookies, largely because it was picked up in the mainstream media, which sent web developers and project managers into a frenzy. "What do we need to do?!" everyone said in a panic. Enter the world of terrible banners, modal popups, and disappearing information.
Cookie banners are almost always handled incorrectly
The regulation requires that users are informed about cookies. It also requires that users be given the opportunity to opt out of cookies. What it does not say is that you need a banner, popup, modal, or anything of the sort to comply.
Everything that follows is, in almost all cases, unnecessary. Some of it is so wrong that it breaks other, arguably more important, law.

Banners. Big banners at the top of a page that talk about cookies and have a cross or an accept button. Unnecessary, and a breach of the Equality Act 2010 if a user can't tab to the close button, especially if the banner is covering your main menu.

Banners which fade out are worse than a single cookie link in your footer, because you have no idea whether the user read the information and, ergo, no idea whether you have the user's implied consent.

Modal windows, my personal favourite, are the absolute worst thing you can possibly do to your website. Nobody cares, it makes the UI / UX awful, your bounce rate will be phenomenal, and not one I've seen could be dismissed with the escape key or by tabbing to a close button, again breaking the Equality Act 2010.
What you should do
Code your cookies properly. All of the third-party ones should contain only anonymous data, and all of yours should contain only hashed keys (or flags) that reference site data kept safely on your server. With these precautions in place you really only need that cookie link in your footer. 39% of the websites in a 2015 study by the ICO about cookies achieved compliance in this way. Make sure it's accessible though – no tiny text or grey on grey! If it turns out that this simply isn't good enough for your website (which is unlikely), the worst that will happen is that the ICO will contact you and ask you to do something else. The great thing about that is that the ICO will also tell you exactly what you need to do to comply, which will vary by site.
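As an added illustration of "only hashed keys in the cookie, data on the server" (this is example code written for this article, not from any particular framework), the session below puts nothing but a random, opaque token in the cookie, keeps the user's data in a server-side store keyed by a hash of that token, and marks the cookie HttpOnly, Secure and SameSite. The store, the cookie name `sid` and the sample user values are all constructed for the example.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed server-side session store: sha256(token) -> user data.
# The cookie carries only the token; no user data ever leaves the server.
SESSIONS: Dict[str, dict] = {}


def _digest(token: str) -> str:
    # Store a hash rather than the raw token, so a leaked session table
    # cannot be replayed as a valid cookie.
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id: int, is_admin: bool = False) -> str:
    """Keep the user's data server-side and return the opaque token for the cookie."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable, meaningless
    SESSIONS[_digest(token)] = {"user_id": user_id, "is_admin": is_admin}
    return token


def set_cookie_header(token: str) -> str:
    """Build the Set-Cookie value: opaque key only, plus HttpOnly/Secure/SameSite."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True   # page scripts cannot read it
    c["sid"]["secure"] = True     # sent over HTTPS only
    c["sid"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def lookup_session(cookie_header: str) -> Optional[dict]:
    """Resolve an incoming Cookie header to server-side data; None if unknown/forged."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    return SESSIONS.get(_digest(c["sid"].value))


if __name__ == "__main__":
    tok = create_session(42, is_admin=True)
    print("Set-Cookie:", set_cookie_header(tok))
    print("resolved:", lookup_session("sid=" + tok))
```

Because the admin flag lives only in `SESSIONS`, a visitor who edits their cookie gains nothing: an unknown or altered token simply resolves to `None`.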
Can I be fined?