The UK Cookie Law – <place your own bad pun here>
Many of you will be aware on the 26th of May the law that applies to how cookies and other ‘cookie-like’ objects are stored on users’ devices changed. Whilst the Information Commissioners Office has indicated that there will be a one year grace period before enforcement begins, it seems wise to start addressing this issue now so that a) you’ve got time to test and implement your chosen solution b) you can’t say I didn’t tell you so when they slap a £500 000 fine on you.
What do the new regulations say? Well essentially whereas cookies could be stored with what I, as a non-lawyer, would term implied consent, i.e. the cookies you set are listed along with their purpose and how to opt out in some interminable privacy policy on your site, you are now going to have to obtain a more active and informed consent to store cookies on a user’s device.
I’m not going to use this post to debate the rights and wrongs of this (there are plenty of forums out there doing just that), and anyway the last time I was trusted to administer a website you did it in vi (or emacs if you were that way inclined). I’m far more interested in making life as easy as possible for our customers.
Solving this problem means you are going to have to first capture the cookies that your site is using, and then build a mechanism to allow users to grant consent. Whilst you could implement this in your application server code I bet you can guess where I think it makes sense to address this. I’ve started mucking about with some iRules to capture and log cookies as they are set and to produce a consent page and (guess what) cookie based method of recording who has authorised cookie use for future reference.
I’d be really interested in your views on this, so leave a comment.