Cookies, banners, and privacy

Go to most websites based within Europe now, and you're often greeted by some big warning about cookies. Why has this happened, and is it necessary?

History

Cookies have been around since 1994. Coincidentally, that's the year I started to learn BASIC as a twelve-year-old. A cookie is a small piece of text stored by the browser and tied to the domain that issued it, and it can contain anything at all. Typically it is used to store hashed keys that allow visitors to remain logged on to websites between sessions, but it has also been used for many other purposes.

The most common modern use of cookies, and the heaviest, is by trackers. These trackers, usually anonymously, help third parties keep an eye on where you've been. I used one of these – Google Analytics – which shows me where visitors have come from, how they found me, what they were interested in, which browser they were using, and other technical information. This information is useful to me because I know which technology to support, can see what is and isn't working with my site, and ultimately it allows me to make things better for my users.

Advertisers also use trackers. Because cookies are tied to the domain they come from, and these trackers are loaded directly from the advertiser's domain, an advertiser can see which sites you've been to and what you looked at on each site. Websites which use the same advertisers will often show adverts for sites you've recently visited for this reason. Look at a pair of shoes on Schuh, and they'll follow you around the internet. This is useful advertising for companies because it keeps their products in your mind.

Bad uses of cookies

Developers, developers, developers, as Steve Ballmer says. Developers come in all types and, especially where web developers are concerned, they're not necessarily very good. Developers have used cookies to store all sorts of things which should never have been stored in a cookie: personally identifiable information, plaintext passwords, sensitive information that you wouldn't want to share – all things which could be read by anyone with access to the same computer. This bad coding practice made cross-site scripting (XSS) worthwhile: JavaScript injected into an insecure webpage (of which there are many) can pull all the information out of the domain's cookies and send it back to bandits.

Fixing the problem

The best way to fix the problem is obviously to write code properly with security in mind. But with such an unregulated institution as the internet, and no professional qualifications required to create websites, that's not necessarily an easy thing to achieve. The European Union decided that the best way to tackle the issue was to enshrine it in law. Enter the Privacy and Electronic Communications Regulations 2003 (PECR), also known as the Cookie Law.

PECR covers lots of things regarding personal privacy, including issues regarding spam and opt-ins for marketing. The most apparent part of this law, however, revolves around cookies, largely because it was picked up in the mainstream media, which sent web developers and project managers into a frenzy. "What do we need to do?!" everyone said in a panic. Enter the world of terrible banners, modal popups, and disappearing information.

Cookie banners are almost always handled incorrectly

The regulation requires that users are informed about cookies. It also requires that users be given the opportunity to opt out of cookies. What it does not say is that you need a banner, popup, modal, or anything of the sort to deal with it.

One of the accepted ways to allow cookies is with implied consent. Implied consent is an incredibly grey area, and can mean that by simply visiting your website a user has given their consent for you to use cookies. What you absolutely need to do, in every case, is to have a separate webpage that explains cookies: what they are, how you use them, which cookies you use, etc. You can find my cookie policy linked in every footer on this site. I'm especially proud of the procedurally generated cookie animation. You're welcome.

Everything that follows, in almost all cases, is unnecessary. Some of it is so wrong that it breaks other, arguably more important law. Banners. Big banners at the top of a page that talk about cookies and have a cross or an accept button. Unnecessary, and breaking the Equality Act 2010 if a user can't tab to the close button, especially if the banner is covering your main menu. Banners which fade out – worse than a single cookie link in your footer, because you have no idea if the user read the information and ergo, have no idea if you have the user's implied consent. Modal windows, my personal favourite, are the absolute worst thing you can possibly do to your website. Nobody cares, it makes the UI / UX awful, your bounce rate will be phenomenal, and every one I've seen hasn't been clearable with the escape key or by being able to tab to a close button, again breaking the Equality Act 2010.

What you should do

Code your cookies properly. All of the third-party ones should contain only anonymous data, and all of yours should contain only hashed keys (or flags) for use with site data safely protected on your server. With these precautions in place you really only need that cookie link in your footer. 39% of the websites in a 2015 study by the ICO about cookies achieved compliance in this way. Make sure it's accessible though – no tiny text or grey on grey! If it turns out that this simply isn't good enough for your website (which is unlikely), the worst that will happen is that the ICO will reach out to you and ask you to do something else. The great thing about that is that the ICO will also tell you exactly what you need to do to comply, which will vary by site.

Can I be fined?

Yes, although I have found no fines issued to websites in the UK since enforcement started in 2012. It's important to understand that, in the UK at least, because there's no firm guidance (you must do this, you must do that) on exact implementation, the ICO will only take enforcement action against you if you haven't complied with their requirements after they've already spoken to you. Websites that have been fined in other member states are those which had no clear cookie policy and which, after guidance from their country's agency, still did not comply.