An Analytics Problem for the UK Public Sector
In short: if you’re a government site, you must have a stats audit, and you’re potentially about to head into a major problem with using cookies in future…
It is mandatory for Government sites to have stats audits:
In the current climate of open, transparent and accountable government, it is now mandatory for government websites to have stats audits.
Adam Bailin, Digigov: Benefits of Government Website Auditing
Now there are various different ways to analyse the stats, but in order to identify unique visitors, a lot of stats thingummies will use the storing of cookies. You with me so far?
Now the EU are currently discussing exactly what to do over file-sharing. Part of this telecoms package includes this:
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing
Electronic communications networks, personal data and the protection of privacy
Note that: in order to store or access a cookie, the user must already have given consent. This is not the same as the current “right to refuse” which means (as I understand it) that you’ve got to include information about what the information is used for and how the user can opt out (such as by having a ‘privacy’ page with this information linked to at the bottom of your site).
Struan from Out-Law.com was fairly clear on what he believes it means. You must provide a notice and give the user the option of giving or declining their consent before setting or accessing a cookie, with only one limited exception:
There is an exception for cookies that are “strictly necessary” to provide a service “explicitly requested” by the user. Consequently, no cookie notices are required to serve a cookie that helps a shopper get from a product page to a checkout; but notices are required for cookies that are used in traffic analysis or advertising.[...]
[...]sites can deliver cookies to a user’s computer only if the user “has given his/her consent, having been provided with clear and comprehensive information” unless, as now, the cookie is “strictly necessary” for a service “explicitly requested”.
European Commissioner Viviane Reding expressed concerns about behavioural advertising this month. “European privacy rules are crystal clear: a person’s information can only be used with their prior consent,” she said.
Out-Law.com: Online advertising is threatened by Europe’s cookie law
So if you want to use cookies for advertising (not a major thing for UK public sector sites at the moment, but people are heading down that road) or use cookies for analytical reasons, you must first give people the opportunity to decline. That’s an active thing: you must explicitly get their consent (as I understand it, for every different cookie, as you’ve got to explain what the information will be used for).
“What right to refuse did I get?” our source asks of his own visit to a homepage placing a selection of cookies on his computer. “You might imagine some sort of pop-up: ‘do you refuse this – yes / no’. You could phrase that many ways but it seems to me you need to ask for a reaction before storing or gaining access to a machine.” Can you imagine a pop-up box to explain 30 cookies, or 30 pop-up boxes?
[more from] Out-Law.com: Online advertising is threatened by Europe’s cookie law
And of course if you are a public sector site, you need to comply with either WCAG 1.0 or 2.0, so you simply can’t do this. WCAG 1.0 says:
10.1 Until user agents allow users to turn off spawned windows, do not cause pop-ups or other windows to appear and do not change the current window without informing the user. [Priority 2]
WCAG 1.0
WCAG 2.0 is a teensy bit different. You’re not allowed to cause a “change of context” (new windows, change of focus, change of content of text on the page) unless you have informed the user first. This includes when any component receives focus (such as opening a new page):
3.2.1 On Focus: When any component receives focus, it does not initiate a change of context. (Level A)
WCAG 2.0 Success Criterion 3.2.1
…or when you change anything on the page…
3.2.2 On Input: Changing the setting of any user interface component does not automatically cause a change of context unless the user has been advised of the behavior before using the component. (Level A)
WCAG 2.0 Success Criterion 3.2.2
That is, every time you want to set or access a cookie, you’d need to inform the user before you pop up a window (or change the text on the current page) to ask the user if they will allow you to set or access that particular cookie.
So on the one hand you must inform the user what you will use the cookie for — and allow them the chance to withhold permission for it — before you set any cookies; and on the other hand, you can’t have any popups asking about setting cookies unless you’ve already informed the user first.
In other words, every time a user starts a new “visit” to the site (whatever their “landing” page was intended to be) you are going to have to:
- Take them to a page (or series of pages) which explains all the cookies they are likely to encounter on your site and ask their permission to set them (except for cookies essential to the user-initiated process, such as shopping baskets)
- Ensure that these permissions are recorded and stored for the remainder of that visit
- Then take the user to the page that they originally wanted to visit
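The three steps above as a server-side sketch, added here as an illustration and not taken from the original post. The cookie catalogue, the `/cookie-consent` path and the `visit` dictionary are assumptions; in particular it assumes the site can already recognise a visit, and it checks the return target so that the final redirect cannot be pointed at another site.

```python
from urllib.parse import quote

# Constructed cookie catalogue (assumption): name -> (purpose shown to user, strictly necessary?)
COOKIES = {
    "basket": ("keeps items in your shopping basket", True),
    "stats_uid": ("counts unique visitors for the stats audit", False),
}
CONSENT_PAGE = "/cookie-consent"  # hypothetical path


def safe_return_path(target):
    """Allow only a same-site path, so the final redirect is not an open redirect."""
    t = target or ""
    if (not t.startswith("/") or t.startswith("//") or "\\" in t
            or any(ord(c) < 0x20 for c in t)):
        return "/"
    return t


def handle_request(path, visit):
    """Step 1: gate a visit with no recorded choice; otherwise list permitted cookies.

    `visit` is per-visit server-side state (assumption: the site can already
    recognise a visit). Returns (status, redirect location, cookies that may be set).
    """
    if "consent" not in visit:
        return 302, CONSENT_PAGE + "?return_to=" + quote(path, safe=""), []
    allowed = [name for name, (_, necessary) in COOKIES.items()
               if necessary or name in visit["consent"]]
    return 200, None, allowed


def record_consent(visit, accepted, return_to):
    """Steps 2 and 3: store the choices for this visit, then send the user on."""
    optional = {name for name, (_, necessary) in COOKIES.items() if not necessary}
    visit["consent"] = optional & set(accepted)  # names not in the catalogue are dropped
    return 302, safe_return_path(return_to), []
```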
I can foresee a couple of teensy problems. Firstly, if you don’t do this, you’ll be breaching EU law (?) — assuming the current telecoms bill is passed — or alternatively you can instead choose to breach accessibility requirements. On the other hand, if you do do this, you’re going to massively inconvenience, not to mention severely piss off all of your users.
And of course that’s before we start trying to work out what constitutes a new ‘visit’ for someone who has refused to allow you to set cookies…
So, in line with Struan’s objections, I’d suggest that we hope that (and maybe do what we can to help) the new telecoms bill is not passed…

Adam Bailin says:
October 26th, 2009 at 10:11 am
Hi Jack,
Just to clarify, mandatory stats audits are required for central government websites, in line with Public Accounts Committee requirements. More information on government auditing requirements is available in the guidance TG116 ‘Measuring website usage’.
sdcsmith2000 (simon smith) says:
October 26th, 2009 at 12:05 pm
Good Reading, I love joined up thinking by Gov RT @ThePickards New post Analytics issue for UK PS http://tinyurl.com/ylxjf7p
David Lavery says:
October 26th, 2009 at 12:23 pm
Can’t sites just get around all this by using session cookies that are necessary for the operation of the site, but don’t hold any data about the user – data collection being done on the server? Or am I missing something?
Seb Crump says:
October 28th, 2009 at 1:36 pm
@David I think you’re missing that to get good unique visitor figures over a month (the standard measurement period) you need stored cookies. IP addresses just don’t work for B2B/G2G/G2B, etc. because of the proxy access organisations tend to have (all employees seem to come from single IP or, even worse, a single user may swap across multiple IPs during a session, as happens from the govt load-balanced proxies).
paul canning says:
November 1st, 2009 at 4:01 pm
There will be some sort of telecoms bill and I’d bet this cookies nonsense slips through with it. It’s insane and reminds me of that French state plan to build a Euro alternative to Google. Way to strangle online business.
Proposed cookies law is an ass — NevilleHobson.com says:
November 10th, 2009 at 10:43 am
[...] You could seek consent with pop-ups, if you’re happy to ignore accessibility guidelines that discourage pop-ups – though users’ browsers may block pop-ups by default, which risks confusion. Or you could [...]