Cookies accept or decline Bar
pctecmech
06-25-2012, 09:53 AM
To comply with the new cookie rules I have added a "Cookies Policy" to my sites, but I need to add a bar to either the top or the bottom of the page to allow visitors to accept or decline cookies.
Any help will be appreciated.
keyboard
06-25-2012, 10:06 AM
the new cookie rules
What new cookies rule?
bernie1227
06-25-2012, 10:36 AM
What new cookies rule?
At a guess, I'd say that there's one about having to have the person browsing accept or decline the cookie. No idea why though :p
pctecmech
06-29-2012, 06:22 PM
From May 2011 a new privacy law (http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx) came into effect across the EU. The law requires that websites ask visitors for consent to use most web cookies.
ApacheTech
06-29-2012, 08:04 PM
From the ICO's video in that report, the fact that a user has cookies enabled in their browser is "implied consent" enough that you need not worry too much about the law.
A suitable option would be a paragraph in your "About Us" or "Contact Us" pages that explains that the site uses cookies.
Sample:
Cookie Policy:
This website uses cookies to streamline and personalise your experience with us. In order to comply with European Law, we need to make you aware of this. We do not store any confidential information about you or your usage of the site within any cookies and any information we do hold is protected, as usual, under the DPA. If you have any concerns about our cookie policy, please contact us at webmaster@company.com. You can review the guidelines on cookie usage at http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx. If you do not wish cookies to be stored within your browser, please disable this option within your browser's settings.
bernie1227
06-29-2012, 10:47 PM
From the ICO's video in that report, the fact that a user has cookies enabled in their browser is "implied consent" enough that you need not worry too much about the law.
A suitable option would be a paragraph in your "About Us" or "Contact Us" pages that explains that the site uses cookies.
Sample:
Cookies are what make the web go round in my opinion, so if users started declining cookies which they had no idea what they do, they'll most likely start complaining that the site doesn't work. So I agree with Apache that it would be simpler just to tell the user that the site uses cookies and to take it or leave it.
But if you really wanted accept or decline buttons, you could just go something like:
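(JavaScript)
function acceptCookie()
{
// write the cookie recording the visitor's choice ("cookieConsent" is an example name)
document.cookie = "cookieConsent=accepted; path=/; max-age=31536000";
}
(HTML)
<button onclick="acceptCookie()">Accept cookies</button>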
Bernie
ApacheTech
06-29-2012, 11:48 PM
Cookies are useful for anonymous users.
They mean that user settings can persist through sessions. But on sites where users can log in, cookies are less needed.
In the age of SocialConnect and OpenID, cookies will become less needed as these Connect enabled sites allow for fast and simple registration to sites. Once the user is logged in, the database engine can kick in and personalise the site as cookies once did. SessionID cookies and other similar uses will not be affected.
I think, after reading through the legislation, that I'm actually in favour of this change. Placing a paragraph such as above somewhere on the site (not in a privacy policy) is acceptable enough to comply and it's hardly any trouble. Personally I hope things like robots.txt and humans.txt follow suit.
Let's face it, just like robots.txt, malicious sites will simply ignore the rules. Net Neutrality will always win out, thankfully, but this brings a certain level of standardisation that is needed to push forward the new technologies. Cookies have long been used to do what, realistically should have been handled by a simple database driven site.
It's kind of like the question of whether we should continue to support IE 6, 7 and 8 or whether we should take that particular horse out to pasture and shoot it in the face. Net Neutrality needs to be protected at all costs, but the internet does need to move forwards. That's my tuppence on it anyway. :)
bernie1227
06-30-2012, 12:21 AM
Cookies are useful for anonymous users.
They mean that user settings can persist through sessions. But on sites where users can log in, cookies are less needed.
In the age of SocialConnect and OpenID, cookies will become less needed as these Connect enabled sites allow for fast and simple registration to sites. Once the user is logged in, the database engine can kick in and personalise the site as cookies once did. SessionID cookies and other similar uses will not be affected.
I think, after reading through the legislation, that I'm actually in favour of this change. Placing a paragraph such as above somewhere on the site (not in a privacy policy) is acceptable enough to comply and it's hardly any trouble. Personally I hope things like robots.txt and humans.txt follow suit.
Let's face it, just like robots.txt, malicious sites will simply ignore the rules. Net Neutrality will always win out, thankfully, but this brings a certain level of standardisation that is needed to push forward the new technologies. Cookies have long been used to do what, realistically should have been handled by a simple database driven site.
It's kind of like the question of whether we should continue to support IE 6, 7 and 8 or whether we should take that particular horse out to pasture and shoot it in the face. Net Neutrality needs to be protected at all costs, but the internet does need to move forwards. That's my tuppence on it anyway. :)
Quite true, Apache, but one must wonder whether this kind of legislative change, artificially pushing progress, will be brought in by other countries rather than just the EU.
ApacheTech
06-30-2012, 12:51 AM
The EU is hardly a country. This law is currently in act for 27 countries, spearheaded by the UK.
I admit that it will make the WebDev community think harder about how they code their sites, but is that really a bad thing?
The problem with cookies is that it relies on the end-user having some technical knowledge. To most internet users, cookies are things you buy from supermarkets and eat five at a time even though you only meant to have one. Cookies in internet terms can be used for good, or bad and both methods use the same techniques.
There is currently no way, other than a seriously paranoid anti-malware program or simply disabling cookies to stop those tracking cookies that perform the malicious acts. This act will go some way towards coming to a stage where those cookies can be kept to a minimum, by punishing those that abuse the system. Something like that will not lead to a lack of net neutrality, nor lead to any privatisation of the internet.
If we, as the WebDev Community, can form a de facto standard on what should and should not be cookied, we can help further the cause. Realistically, only truly anonymous sites need to rely on cookies. Anything that uses a database engine or any form of user authentication can transpose a lot of what their cookies hold into the database. Even an anonymous site that uses any form of OpenID or SocialConnect can use a backend database to do a lot of what cookies do now. Admittedly, it's only now that databases have become stable and compact enough to use as an engine for a site that this is possible.
Cookie audits should become a part of every company's standard maintenance of their website. It should be part of the regular Systems Analysis that goes into the running of the company. Anything that doesn't essentially rely on cookies should be handled by the back end of the site. This is the same for intranets as well. Intranets shouldn't really have any need for cookies but they have been used for a long time as a shortcut or jury rig for jobs that should really be handled elsewhere.
bernie1227
06-30-2012, 01:20 AM
The EU is hardly a country. This law is currently in act for 27 countries, spearheaded by the UK.
I admit that it will make the WebDev community think harder about how they code their sites, but is that really a bad thing?
The problem with cookies is that it relies on the end-user having some technical knowledge. To most internet users, cookies are things you buy from supermarkets and eat five at a time even though you only meant to have one. Cookies in internet terms can be used for good, or bad and both methods use the same techniques.
There is currently no way, other than a seriously paranoid anti-malware program or simply disabling cookies to stop those tracking cookies that perform the malicious acts. This act will go some way towards coming to a stage where those cookies can be kept to a minimum, by punishing those that abuse the system. Something like that will not lead to a lack of net neutrality, nor lead to any privatisation of the internet.
If we, as the WebDev Community, can form a de facto standard on what should and should not be cookied, we can help further the cause. Realistically, only truly anonymous sites need to rely on cookies. Anything that uses a database engine or any form of user authentication can transpose a lot of what their cookies hold into the database. Even an anonymous site that uses any form of OpenID or SocialConnect can use a backend database to do a lot of what cookies do now. Admittedly, it's only now that databases have become stable and compact enough to use as an engine for a site that this is possible.
Cookie audits should become a part of every company's standard maintenance of their website. It should be part of the regular Systems Analysis that goes into the running of the company. Anything that doesn't essentially rely on cookies should be handled by the back end of the site. This is the same for intranets as well. Intranets shouldn't really have any need for cookies but they have been used for a long time as a shortcut or jury rig for jobs that should really be handled elsewhere.
Yes Apache, I know what the EU is, and have been there multiple times.
As a thought, a standard could be brought in about the use of cookies, web wide. However, statistics show that over 50% of websites use cookies, and with over 7 billion websites currently, a lot of website owners may not be so keen to give up their cookies to go and get rid of them in order to make their website nice and neat for people like us to admire, just as many people may not want to go to the hassle of validating their pages just to please people like us.
Bernie
jscheuer1
06-30-2012, 04:35 AM
Ironically, the only way I can think of to make site wide the acceptance/denial of cookies, would be to set a cookie as to the user's preference.
bernie1227
06-30-2012, 04:48 AM
Ironically, the only way I can think of to make site wide the acceptance/denial of cookies, would be to set a cookie as to the user's preference.
Quite true, maybe you could have an accept or decline bar for the cookie to store the choice of the user for the accept or decline bar to store the cookies. :p
Bernie
keyboard
06-30-2012, 05:31 AM
Or maybe, you could have an accept or decline bar to check whether you can have an accept or decline bar to see whether you can put a cookie to hold the user's choice about whether or not they accepted the use of cookies.
Now I've confused myself... :D
But to the question - If the user has got cookies enabled, that (in my opinion) is enough to give you permission to store cookies.
bernie1227
06-30-2012, 05:34 AM
Or maybe, you could have an accept or decline bar to check whether you can have an accept or decline bar to see whether you can put a cookie to hold the user's choice about whether or not they accepted the use of cookies.
Now I've confused myself... :D
But to the question - If the user has got cookies enabled, that (in my opinion) is enough to give you permission to store cookies.
Then again, like Apache said, most web users just want to eat cookies, and therefore probably don't know enough about the whole thing to want to disable cookies.
keyboard
06-30-2012, 05:37 AM
Then you could just put a warning on your site "This page uses cookies to store information on your computer".
bernie1227
06-30-2012, 05:46 AM
Then you could just put a warning on your site "This page uses cookies to store information on your computer".
Nice, because that's totally not what we've been saying the whole time.
jscheuer1
06-30-2012, 07:05 AM
Reading those rules:
Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
Some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies used to keep track of a user's input when filling online forms or as a shopping card, also known as session-id cookies, multimedia player session cookies and user interface customization cookies, eg language preference cookies to remember the language selected by the user.
Seems pretty clear to me that a cookie about cookies would be a user interface customization cookie and therefore exempt from any more stringent informed consent. Merely having cookies turned on would be enough to indicate that the user is willing to accept a cookie that holds their preference(s)* about accepting or rejecting other cookies.
That opens the door to a bar that sets site wide acceptance/denial of cookies. There should also be a link at the bottom and/or top of every page to a preferences page so that the user can change their preference at any time. The initial cookie preference(s)* could be set from the bar from any page. Once set, this bar would no longer need to be displayed on any page. Part of setting the bar would be an explanation of the link to the preferences page.
*I wrote 'cookie preference(s)' because there are various levels of cookie acceptance that could be set.
Making the bar and preferences page would be relatively easy then, at least from my point of view as regards writing the code. But the exact wording would depend upon what additional cookies might be set if the user gives permission.
So, pctecmech, what sorts of cookies does your site set?
bernie1227
06-30-2012, 07:13 AM
You could even take it down to the browser level, with the opening of the browser causing a prompt to ask whether you want cookies on or off, or whether you give consent for cookies.
ApacheTech
06-30-2012, 12:20 PM
I think this all boils down to the same as the "no js" debate... If a user does not have Javascript enabled then they are going to be used to not being able to use 99% of all websites in the world. Or at least, not properly. That's their choice. We, as web developers should not need to take human ignorance into that much consideration while writing sites. If a user doesn't have Javascript enabled then more fool them, and tough luck viewing the site properly. If a user doesn't have cookies enabled then, again but to a lesser degree, tough luck.
On April 8th 2014, Microsoft will finally end support for IE6 and that will be one archaic technology we won't have to kowtow to for the sake of the ignorant user. It will be a glorious day for the Web Dev community and a landmark day for the development of the internet as a whole.
I know this may sound a bit harsh, I kind of mean it to be but with a rather large plum in my mouth. As I say, for users that don't have cookies enabled, they expect to have pretty poor experience using the vast majority of websites that they go to. For everyone else; they give implied consent and as mentioned above, a paragraph saying that you store cookies on their browser to improve their experience is good enough. You shouldn't need to store a cookie with their cookie preferences, because the "opt-out" method is to disable cookies as a whole for the browser.
bernie1227
06-30-2012, 12:47 PM
I think this all boils down to the same as the "no js" debate... If a user does not have Javascript enabled then they are going to be used to not being able to use 99% of all websites in the world. Or at least, not properly. That's their choice. We, as web developers should not need to take human ignorance into that much consideration while writing sites. If a user doesn't have Javascript enabled then more fool them, and tough luck viewing the site properly. If a user doesn't have cookies enabled then, again but to a lesser degree, tough luck.
On April 8th 2014, Microsoft will finally end support for IE6 and that will be one archaic technology we won't have to kowtow to for the sake of the ignorant user. It will be a glorious day for the Web Dev community and a landmark day for the development of the internet as a whole.
I know this may sound a bit harsh, I kind of mean it to be but with a rather large plum in my mouth. As I say, for users that don't have cookies enabled, they expect to have pretty poor experience using the vast majority of websites that they go to. For everyone else; they give implied consent and as mentioned above, a paragraph saying that you store cookies on their browser to improve their experience is good enough. You shouldn't need to store a cookie with their cookie preferences, because the "opt-out" method is to disable cookies as a whole for the browser.
They're finally killing IE 6? Yaaaaaaaay!
Sorry, all I heard was cutting support for IE 6.
However, then we come back to the point that there may be no need for this legislation at all, if all that is going to happen is a couple of sites putting paragraphs warning about the use of cookies on the site. However, only about half of the websites on the web currently use cookies, and therefore your browsing experience will be diminished by half.
Having browsed without cookies before, I can safely say, no sane person would do that just to stop malicious cookies.
jscheuer1
06-30-2012, 02:57 PM
If you read it, the EU legislation isn't to stop cookies. In fact there's a large category of cookies that are exempt from notification. I don't think the legislation requires an opt out option. Isn't that just something the site designer could add? I believe notification could take the form of, just that - a notification of the sort of cookies that will be set. I think it could be a sort of take it or leave it thing:
If you continue using this site and have cookies enabled, personal information may be saved to your computer. If you would prefer not to participate in this, please direct your browser elsewhere or disable its cookies. Disabling cookies will result in certain features of this web site not being available.
But if you were to offer an opt in/out 'Cookie Bar', I can see no way of doing it at the moment that wouldn't require adding something to the code that creates every cookie of a certain category (tracking, sensitive info, etc., whichever ones the legislation deems invasive/potentially dangerous enough), to check the user preference as set by the bar/preferences page before proceeding.
The legislation seems a bit misguided to me. The EU has no jurisdiction over sites outside its borders. It's the responsibility of users to protect themselves from malicious cookies. This legislation may give some users a false sense of security.
About IE 6, its use has already declined to the point that it no longer merits any support from web designers in all but the most unique/extreme sorts of situations.
See:
http://www.w3counter.com/trends
That graph shows the share of all IE declining. Scroll down to see the relative share of the IE versions within that declining demographic. That graph shows that out of all IE in use, 6 is minuscule and shrinking. So it's a rapidly dwindling amount of a dwindling overall family of browsers. (6% of 28.8% as of last May 2012 for less than 2% overall share)
But I'm not too comforted in that. IE 7 and 8 are hassle enough, and look to be around for a good long time. Users of the XP OS cannot update to IE 9. They can go to Opera, the Fox or Chrome (there are others, but they're not statistically significant). And Chrome looks to be where most are going for now, rivaling and soon to surpass IE if trends continue, make sure your code works in it.
ApacheTech
06-30-2012, 10:10 PM
I've never been keen on Chrome. I like menu bars. I installed Chrome once, saw it had no menu bars and that you couldn't add menu bars at all and promptly uninstalled it and since then I've pretty much forgot it existed. I'll only ever use Chrome if they have an option to turn the standard look menu bars on.
djr33
06-30-2012, 10:42 PM
That law seems incredibly misguided and I think it is clearly based on a misunderstanding of the web. Cookies are data stored on the user's own computer to track information. This means that if the user is aware of them the user can control them. They're also not entirely reliable (sometimes they just go away for one reason or another).
The law seems to explicitly allow session ID cookies, and then it also doesn't seem to say anything about session data (unless I missed a section, I skimmed it quickly).
A smart malicious web designer would use a session to store such data because then it is on the server and unavailable for the user to change-- and very easy to send on to third parties.
The only difference with cookies is that some users would know how to delete, block or disable them. The rest can be replaced server side. If no consent is required for that, then the cookies law is irrelevant. It just makes things harder.
Personally I don't really mind. I only use cookies for session IDs and do the rest in sessions. It's easier, and one of the reasons is that the user has no control over it. They should rethink this if it's about privacy...
I suppose the one advantage that cookies have over sessions is that sessions expire after a single browsing session, at least usually. HOWEVER, it would be very easy to change sessions to become something more like longer lasting cookies-- set the session ID cookie to a longer expiration time (just like another kind of cookie) and then (here's what might be hard for the average user, but not for the web in general) tell the server to wait much longer before deleting the session data-- keep it open for weeks, months or even years.
ApacheTech
07-01-2012, 12:20 AM
From what's been said in this thread, I think we can all agree that it's a pretty dumb law in general and doesn't get to the heart of what is wrong. It would be better as a guideline rather than a statute law. Now, anyone who copy-pastes a cookie enabled script from a website such as this or any other script repository is committing a criminal act without even realising it. Are they going to put emphasis on communities such as this to educate the masses or put disclaimers on everything?
As a case study of how to manage this law on an enterprise level, I've been looking into the BBC. They have a comprehensive policy on cookies at http://www.bbc.co.uk/privacy/ which includes a Cookie Settings page where you can enable or disable some of the cookies, apart from the essential ones, and gives a full detailed list of what everything does. I'm friends with one of the BBC R&D team in Manchester who's also big in the hacker community up here; they've been doing a lot of work to spearhead various ways of educating the average internet user on what goes on behind the scenes.
The main consensus seems to be: Have the info available for those who want to read it. Don't bombard people with technical jargon straight away, instead, give links for further information which goes into more detail and the technicalities of it all. For those who don't want any information, don't ram it down their throats; just make sure things work for the de facto default browser settings and let them be. Basically, "everything ON as standard".
djr33
07-01-2012, 01:27 AM
How does that solve the cookies in a script if that really is a problem? You can't turn them off except with a cookie. The new law seems to suggest that you can't use JS cookies ever again, because there is simply no way to avoid sending them except by ironically storing a cookie not to. Or I guess you could have them disabled by default and have a way to turn them on. But that's an awful idea for practical reasons.
And I don't see why it should be a problem. For example turning a menu on or off via a cookie does NOT seem to be anything related to the spirit of the law. The law may be written in a way so that they can prosecute those who don't comply and do bad things-- ads for example, and worse things of course.
bernie1227
07-01-2012, 01:36 AM
I think they should refine the law as to what kind of cookie, rather than restricting the whole community because of the select few who may use them badly.
ApacheTech
07-01-2012, 01:48 AM
Bernie, did you read the article? They have specified what types of cookie are exempt.
bernie1227
07-01-2012, 01:57 AM
Bernie, did you read the article? They have specified what types of cookie are exempt.
Are we talking about the same article? I'm not seeing that
ApacheTech
07-01-2012, 02:46 AM
From http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx:
Some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies used to keep track of a user’s input when filling online forms or as a shopping card, also known as session-id cookies, multimedia player session cookies and user interface customisation cookies, eg language preference cookies to remember the language selected by the user.
First party analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards, eg a user friendly mechanism to opt out from any data collection and where they ensure that identifiable information is anonymised.
bernie1227
07-01-2012, 03:01 AM
From http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx:
That explains it, I was looking at a different one :p
ApacheTech
07-01-2012, 03:31 AM
That one was linked on the first page of this thread. The video on that link gives you a better insight into what's happening. He also explains in the video that it's set up more as a "task-force for better practice" than a hard done law. They won't have much power of punishment. They will pretty much only be able to "rehabilitate" offenders back into the web community. I think if this really wants to get off the ground though that they should be educating the users first and foremost. As soon as a massive surge of people start complaining that this cookie's doing that and so on, this bill will take flight. Until then, it's just flat.
bernie1227
07-01-2012, 03:37 AM
That one was linked on the first page of this thread. The video on that link gives you a better insight into what's happening. He also explains in the video that it's set up more as a "task-force for better practice" than a hard done law. They won't have much power of punishment. They will pretty much only be able to "rehabilitate" offenders back into the web community. I think if this really wants to get off the ground though that they should be educating the users first and foremost. As soon as a massive surge of people start complaining that this cookie's doing that and so on, this bill will take flight. Until then, it's just flat.
Thanks for the link, Apache. The problem with all these kinds of things is the real amount of power legislation has over the internet. The only real, big hit effect on any internet site by real world legislation was the FBI taking down megaupload. Honestly, I'm not sure how much 'rehabilitating' would help.
ApacheTech
07-01-2012, 03:53 AM
This is less about Net Neutrality and more about good business practices. This isn't targeting the unscrupulous companies that do bad, it's about creating a level playing field for all and giving some form of legal precedent to punish companies who abuse the weakest link in any security chain; human stupidity.
bernie1227
07-01-2012, 04:07 AM
This is less about Net Neutrality and more about good business practices. This isn't targeting the unscrupulous companies that do bad, it's about creating a level playing field for all and giving some form of legal precedent to punish companies who abuse the weakest link in any security chain; human stupidity.
My point is though, the punishment won't work.
jscheuer1
07-01-2012, 05:48 AM
I've never been keen on Chrome. I like menu bars. I installed Chrome once, saw it had no menu bars and that you couldn't add menu bars at all and promptly uninstalled it and since then I've pretty much forgot it existed. I'll only ever use Chrome if they have an option to turn the standard look menu bars on.
I felt the same way at first. However, I see it as part of my mission to test in the most commonly used browsers. As a result, over time, I've come to appreciate Chrome's speed, stability, and even its versatility from a developer's point of view. Sure menus are lacking, but everything you ever wanted them for and more is still available and easy to access once you get used to how.
From the stats I linked to in my previous post it seems that a large number of users either don't miss all that 'under the hood' type of thing that traditional menus offer a gateway to, or find it easily enough when they want it. (Hint: Click on the little wrench icon in the upper right corner.)
Also, for more direct access to numerous high level info/settings screens there are shortcuts like:
chrome://plugins
that may be typed directly into the address bar.
As a case study of how to manage this law on an enterprise level, I've been looking into the BBC. They have a comprehensive policy on cookies at http://www.bbc.co.uk/privacy/ which includes a Cookie Settings page where you can enable or disable some of the cookies, apart from the essential ones, and gives a full detailed list of what everything does. I'm friends with one of the BBC R&D team in Manchester who's also big in the hacker community up here; they've been doing a lot of work to spearhead various ways of educating the average internet user on what goes on behind the scenes.
The main consensus seems to be: Have the info available for those who want to read it. Don't bombard people with technical jargon straight away, instead, give links for further information which goes into more detail and the technicalities of it all. For those who don't want any information, don't ram it down their throats; just make sure things work for the de facto default browser settings and let them be. Basically, "everything ON as standard".
The BBC has taken a logical and thorough approach here. However, allowing users that much control requires the level of programming that I referred to in my previous post. Each time the BBC's cookie setting code starts to execute for any single cookie, it must consult the saved user preferences in order to know whether or not it's allowed to set that particular cookie.
If all cookies are set via a master routine for the site, this isn't too onerous. But it requires a level of organization, a unified approach to setting cookies, that's unusual in most web sites. And that can be hard for a site administrator to set up if the site already has many and varied scripts with individual cookie routines.
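A master routine of the kind described in the post above, which also covers the per-category preference check raised earlier in the thread, as an added example that is not code from any poster or from the BBC. The cookie name `cookie_prefs`, the category names, the deny-until-chosen default and the in-memory `memoryJar` (standing in for `document.cookie` so the block runs under Node) are all assumptions.

```javascript
// Added example, not code from the thread. Names, categories and the
// deny-until-chosen policy are assumptions chosen for illustration.
const PREF_COOKIE = "cookie_prefs";
const OPTIONAL = ["functional", "analytics", "advertising"];
const EXEMPT = ["essential"]; // e.g. session id; the preference cookie is written as exempt too
const ONE_YEAR = 60 * 60 * 24 * 365;

// Parse an "a=1; b=2" cookie string into a prototype-free map.
function parseCookies(cookieString) {
  const out = Object.create(null);
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    const name = eq > 0 ? part.slice(0, eq).trim() : "";
    if (!name) continue;
    try { out[name] = decodeURIComponent(part.slice(eq + 1).trim()); }
    catch (e) { /* malformed percent-encoding: ignore this cookie */ }
  }
  return out;
}

// Stored form: "functional:1|analytics:0|advertising:0".
// The cookie is user-editable, so anything that is not exactly
// "<known category>:1" is treated as declined.
function decodePrefs(raw) {
  if (typeof raw !== "string") return null; // no choice yet: show the bar
  const granted = new Set(
    raw.split("|").filter((p) => p.endsWith(":1")).map((p) => p.slice(0, -2)));
  const prefs = {};
  for (const c of OPTIONAL) prefs[c] = granted.has(c);
  return prefs;
}

function encodePrefs(choice) {
  return OPTIONAL.map((c) => `${c}:${choice[c] === true ? 1 : 0}`).join("|");
}

// jar = { get(): cookie string, set(str): write one cookie }.
function createCookieManager(jar) {
  const write = (name, value, maxAge) => {
    // Reject names/ages that could smuggle extra cookie attributes.
    if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
    if (!Number.isInteger(maxAge)) throw new Error("invalid max-age");
    jar.set(`${name}=${encodeURIComponent(value)}; path=/; max-age=${maxAge}; SameSite=Lax`);
  };
  const prefs = () => decodePrefs(parseCookies(jar.get())[PREF_COOKIE]);
  return {
    prefs,
    needsBar: () => prefs() === null,
    savePrefs(choice) { write(PREF_COOKIE, encodePrefs(choice), ONE_YEAR); },
    // The one routine every script calls instead of touching document.cookie.
    // Returns true if the cookie was written, false if consent is missing.
    setCookie(name, value, category, maxAge = ONE_YEAR) {
      if (EXEMPT.includes(category)) { write(name, value, maxAge); return true; }
      if (!OPTIONAL.includes(category)) throw new Error("unknown category: " + category);
      const p = prefs();
      if (p === null || !p[category]) return false; // fail closed
      write(name, value, maxAge);
      return true;
    },
  };
}

// Constructed stand-in for document.cookie so the example runs offline.
function memoryJar() {
  const store = new Map();
  return {
    get: () => [...store].map(([k, v]) => `${k}=${v}`).join("; "),
    set(str) {
      const [pair, ...attrs] = str.split(";");
      const eq = pair.indexOf("=");
      const name = pair.slice(0, eq).trim();
      const expired = attrs.some((a) => /^\s*max-age=(0|-\d+)\s*$/i.test(a));
      if (expired) store.delete(name);
      else store.set(name, pair.slice(eq + 1).trim());
    },
  };
}

// Walk through a first visit: bar shown, choice saved, cookies gated.
function demo() {
  const jar = memoryJar();
  const cookies = createCookieManager(jar);
  const results = [];
  results.push(cookies.needsBar());                                  // no choice yet
  results.push(cookies.setCookie("sid", "abc123", "essential"));     // exempt
  results.push(cookies.setCookie("_visits", "1", "analytics"));      // blocked
  cookies.savePrefs({ functional: true, analytics: false, advertising: false });
  results.push(cookies.needsBar());                                  // bar can go
  results.push(cookies.setCookie("lang", "en", "functional"));       // accepted
  results.push(cookies.setCookie("_visits", "1", "analytics"));      // declined
  return { results, jar: jar.get() };
}

console.log(demo());
```

In a page, the jar would be `{ get: () => document.cookie, set: (s) => { document.cookie = s; } }`, and existing scripts would need their own cookie writes replaced by calls to `setCookie`.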
bernie1227
07-01-2012, 05:53 AM
I've never been keen on Chrome. I like menu bars. I installed Chrome once, saw it had no menu bars and that you couldn't add menu bars at all and promptly uninstalled it and since then I've pretty much forgot it existed. I'll only ever use Chrome if they have an option to turn the standard look menu bars on.
I like Chrome, it's fast and it has good developer tools and customisation.