EU Cookie Directive - How can I Interpret the Info Regarding Cookies On My Site?

Hi There

I have been reading the details and requirements surrounding the new legislation. I need to perform an audit of the cookies on my website.

I’ve installed the Firefox Add On “View Cookies” and now have a report of the cookies on my website. The trouble is, I don’t know how to interpret the information.

For example one of the cookies has the following information

name - ‘160c2a202840ace3fe3051d34babbeae’
value - ‘4omjl6ee2lkeqq85n2l80btk70’
domain - the root of the website
path - /

and it is a session cookie.

How can i work out what the cookie is being used for and where the code that creates the cookie is situated?

Thank you in advance for your help

Didcot84

Whoever developed the site will be able to track down all the sources of cookies, they can audit everything installed and work from there.

It’s a good thing to find out exactly what your site is putting onto people’s computers, however at this stage I wouldn’t get massively concerned about the new cookie directives, it’s still very unclear how it’s going to be ‘policed’, nor is it clear exactly what must be done on each site to ‘comply’. My feeling is it’s there to catch the big offenders, there’s no intent to go after small businesses and personal sites who are clearly not purposely engaging in any malicious activities.

Of course, I could be wrong…IANAL etc etc.

Hello shadowbox

The thing is, I am one of the developers of the site! The site is a Joomla website with several extensions installed. I’m just not sure how to pinpoint the source of the cookies from the information that I originally sent through?!

I agree with your views on the law, the trouble is that I’ve been asked to audit the site. I can list the cookies, but not where they come from and what they’re for.

Thank you in advance for any further help.

lol, just saw this on the bbc web site:

Regarding locating the source of the cookies, perhaps download the entire site into something like Dreamweaver and run a site-wide code search to locate instances of ‘setcookie’ or similar functions for any scripting languages used.

Hello Shadowbox

First of all apologies for the delay, I was snowed under on Friday. I actually wrote out a response and thought that I had sent it, but obviously I didn’t.

May I just ask one other question? How would I be able to know the purpose of a cookie?

Thank you again for your help

If it’s not obvious from the cookie name (they’ll often have names like ‘cart_session’ or ‘customer_login’), I guess you’re going to have to root around the software to work it out. Also navigate round the site and use all the functionality, but after each ‘action’ keep rechecking what cookies have been added or updated using a browser extension that allows viewing of cookies.

This is one of the reasons why this legislation is a load of badly thought out codswallop. Rather than just work with the few browser manufacturers to develop an in-browser solution and basically put the onus on them to implement by a certain date, they’ve decided in their wisdom to put all the onus, stress and costs on 1000s of small businesses.

Thanks Shadowbox

That has been really helpful.

That has helped me to piece everything together. Where I work we’ve just been asked to audit our sites, awaiting further information.

Hope that your day goes well, you’ve set me on my way

Didcot84

[font=verdana]Without trying to hijack someone else’s thread (it is closely related) …

How are website owners supposed to deal with third party cookies? For example, if you have Google Analytics or Adsense, how do you control whether those services use cookies? I don’t set any cookies on my website, but I’m aware that these other services do … what can/should I do about that? I assume ads can still be served without cookies, but they will just become less focused on the user’s past browsing and more focused on the page content.[/font]

I don’t think a webmaster can stop Google installing third party cookies on his visitors computers. That’s the way these services work, and it’s up to the visitor to block 3rd party cookies in their browser settings. So what this means, I guess, is that you have to gain their permission and if they say no, you either deny their entry to the site, or somehow disable ad serving for them personally. Which I assume, would require you install a ‘remember me’ cookie on their computer. Which you’ll probably have to get their permission for as well… This is an issue you see on the ICO site. There’s no ‘I do not accept cookies’ option, because that requires setting a cookie to remember your choice. So if you do not click ‘I accept’, you get asked the same question on every page.

And last I looked, all major browsers already have 3rd party cookie disabling as an option in their settings page, so again, it’s beyond me why the onus falls on the sites when the tools are already there in the browsers.

The main point, for me, in purely practical terms, is that ‘Dave’ Evans, one of the bureaucrats in charge of this mess at the Information Commissioners Office (ICO) categorically states in his (deeply patronising) official video (link below) that he can’t envisage the ICO ever enforcing a financial penalty, because the first stage in enforcement (following a complaint) would be to discuss with the website owners what their plan is to achieve compliance and agree a way forward.

http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx

In practical terms, this means it’s realistic to do nothing, nothing at all, other than maybe tidy up the Privacy Policy page that no one ever looks at. That is all I have done, with the agreement of my clients: made sure we explain in general terms what cookies are used, and provided a link to the Google Analytics Cookie page. If the ICO get in touch - and I doubt that will happen - we have made a basic start and can then take it from there.

If I understand correctly, there are 27 countries in Europe and only three, including UK, have done anything about complying with this misguided legislation. More fool us! Of all the important things a government can spend time on during these troubled times, they choose to waste time and money on this! The chap in the video has spent EIGHTEEN MONTHS coming up with virtually nothing, him and a small army of nine-to-fivers, no doubt.

I believe putting a permission pop up on a small business website will come to be seen as weak, spineless behaviour - bowing down in the face of bad law and faceless, pointless, unelected bureaucracy. The real motives of the mysterious bureaucrats who started all this are far from clear. It will irritate hundreds of millions of people, for no clear benefit. And what will they come up with next, if they get away with this?

The lunatics are taking over the asylum and the way to stop them is to not cooperate in letting them do it.

We have to IGNORE this stupid thing to make it go away! That seems to be - rather subtly - what even the government department in charge of it is quietly doing. Let’s not spoil it by putting silly little pop ups everywhere.

Paul