2011 EU Cookie Legislation - Opinion of a UK Web Developer

Written 13 years ago by Mike Cardwell

If you are not familiar with the new EU legislation which came into law yesterday on Friday 26th May, you can read the UK‘s ICO release about it here.

Traditional high street shops, don’t tag or fingerprint you, as you walk through their front door. They don’t secretly assign you a unique identifier, so they can recognise you on subsequent visits, and start building a profile on your movements and behaviour. They don’t share this knowledge with other shops in order to build a fuller profile. They would like to, but the technology doesn’t exist to do it en masse, yet. Some of them use various systems like club card and loyalty schemes to track their customers (not visitors), but these are opt-in, limited services.

Why should the web be any different? Just because we can do these things without our visitors knowledge, and just because we have been doing it for the last decade, does that mean we should continue? Just because it is the status quo, does that make it automatically right? In this author’s opinion, any tracking of user behaviour should be opt-in by default, with generally agreed exceptions/allowances to make it practical. It should not be a free for all where people can do whatever the technology allows (EverCookie?). This is the current situation we find ourselves in.

If you’re a web developer like me, and the recent EU legislation on cookies and related technology makes your life more difficult, so be it. If it makes it slightly more difficult for EU companies to compete with non-EU companies, so be it. There will be a significant cost for organisations to upgrade their websites to comply with this new legislation. But there is also a significant cost to allowing organisations to profile users unchecked, allowing them to create massive databases of private information, shared, bought and sold by companies concerned only with profit. Although many people don’t recognise it, privacy has value, and compromised privacy costs both money, and freedom.

I myself have had to make several modifications to this very website in order to deal with the new legislation. They are mostly cosmetic, and I may be able to find alternative solutions to make some of them work again in future. Here is what I’ve changed:

  1. If the referer header a visitor sent when visiting my site, was external to my site, I stored it in a long term 12 month cookie so I could refer to it on other parts of my site. I have disabled this now. I no longer set any cookies on this website.

  2. When detecting that a visitor comes from a HackerNews or Reddit page, I display a link to my relevant profile in the top left of the navigation bar. Previously, I stored this information in local storage so that I could add that link to every subsequent page the visitor views. I can no longer store this information, so it only appears on the first visited page.

  3. When detecting that a visitor comes from a GMail or YahooMail page, I override their clicks on mailto links, and forward them to their relevant webmail’s compose message page (example jQuery code). I can still do this for the first page a visitor comes to, but I can’t store this information in their browser any longer, so it doesn’t happen for subsequent pages/visits.

  4. When using the comment form on any of my articles, I used local storage to remember your name/email/website so it could be automatically filled in during subsequent comments. I no longer do this.

I do not have the problem that many people are currently worried about, which is the use of Google Analytics. I have always prefered to use server side web stats packages, over embedding remote, untrusted javascript in my websites, and sending all of my traffic statistics to an untrusted third party. The only time I embed remote content in pages on this website, is when it is essential for a demonstration. For example, my Abusing HTTP Status Codes to Expose Private Information article embeds an image from, and two scripts from and

Yes, this legislation makes it more difficult for me to build websites. And yes, I do care enough about privacy to accept these changes and work with them, for the benefit of the end user.

How to Be Invisible: The Essential Guide to Protecting Your Personal Privacy, Your Assets, and Your Life The Right to Privacy

Want to leave a tip?BitcoinMoneroZcashPaypalYou can follow this Blog using RSS. To read more, visit my blog index.