# 2011 EU Cookie Legislation - Opinion of a UK Web Developer
If you are not familiar with the new EU legislation which came into law yesterday, Friday 26th May, you can read the
UK's [ICO](https://ico.org.uk/ "Information Commissioner's Office") release about it
[here](https://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf).
Traditional high street shops don't tag or fingerprint you as you walk through
their front door. They don't secretly assign you a unique identifier so they
can recognise you on subsequent visits and start building a profile of your
movements and behaviour. They don't share this knowledge with other shops in
order to build a fuller profile. They would like to, but the technology doesn't
exist to do it en masse, yet. Some of them use systems like club cards
and loyalty schemes to track their customers (not visitors), but these are opt-in, limited
services.
Why should the web be any different? Just because we **can** do these things
without our visitors' knowledge, and just because we **have** been doing it for
the last decade, does that mean we should continue? Just because it is the
status quo, does that make it automatically right? In this author's opinion, any
tracking of user behaviour should be opt-in by default, with generally agreed
exceptions/allowances to make it practical. It should not be a free-for-all
where people can do whatever the technology allows
([EverCookie?](https://samy.pl/evercookie/)). That is the situation we currently
find ourselves in.
If you're a web developer like me, and the recent EU legislation on cookies and
related technology makes your life more difficult, so be it. If it makes it
slightly more difficult for EU companies to compete with non-EU companies, so be
it. There will be a significant cost for organisations to upgrade their websites
to comply with this new legislation. But there is also a significant cost to
allowing organisations to profile users unchecked, letting them create
massive databases of private information that are shared, bought and sold by companies
concerned only with profit. Although many people don't recognise it, privacy has
value, and compromised privacy costs both money and freedom.
I myself have had to make several modifications to this very website in order to
deal with the new legislation. They are mostly cosmetic, and I may be able to
find alternative solutions to make some of them work again in future. Here is
what I've changed:
1. If the referer header a visitor sent when visiting my site pointed to an external site, I stored it in a long-term 12 month cookie so I could refer to it on other parts of my site. I have disabled this now. I no longer set any cookies on this website.
2. When detecting that a visitor comes from a [HackerNews](https://news.ycombinator.com/) or [Reddit](https://pay.reddit.com/) page, I display a link to my relevant profile in the top left of the navigation bar. Previously, I stored this information in local storage so that I could add that link to every subsequent page the visitor views. I can no longer store this information, so it only appears on the first visited page.
3. When detecting that a visitor comes from a [GMail](https://mail.google.com/) or [YahooMail](https://mail.yahoo.com/) page, I override their clicks on mailto links, and forward them to their relevant webmail's compose message page. I can still do this for the first page a visitor comes to, but I can't store this information in their browser any longer, so it doesn't happen for subsequent pages/visits.
4. When using the comment form on any of my articles, I used local storage to remember your name/email/website so it could be automatically filled in during subsequent comments. I no longer do this.
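As an added example (not the article's own code), this is how the referrer-driven features from items 2 and 3 can run statelessly, once per page view, with nothing written to a cookie or local storage. The site's own hostname and the webmail compose URL formats are assumptions of the example, not details given by the article.

```javascript
const OWN_HOST = "example.com"; // assumption: placeholder for the article's own host

// Classify document.referrer: is it external, and is it one of the sources
// the article reacts to? Nothing here is persisted between page views.
function classifyReferrer(referrer) {
  if (!referrer) return { external: false, source: null };
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch {
    return { external: false, source: null }; // malformed referrer: treat as none
  }
  const external = host !== OWN_HOST && !host.endsWith("." + OWN_HOST);
  let source = null;
  if (host === "news.ycombinator.com") source = "hackernews";
  else if (host === "reddit.com" || host.endsWith(".reddit.com")) source = "reddit";
  else if (host === "mail.google.com") source = "gmail";
  else if (host === "mail.yahoo.com" || host.endsWith(".mail.yahoo.com")) source = "yahoomail";
  return { external, source };
}

// Turn a mailto: href into the matching webmail compose URL. The compose URL
// formats are assumptions for this example; the article does not give them.
function webmailComposeUrl(source, mailtoHref) {
  if (!mailtoHref.startsWith("mailto:")) return null;
  const address = mailtoHref.slice("mailto:".length).split("?")[0];
  const to = encodeURIComponent(address);
  if (source === "gmail") return "https://mail.google.com/mail/?view=cm&to=" + to;
  if (source === "yahoomail") return "https://compose.mail.yahoo.com/?to=" + to;
  return null; // any other source: leave the mailto link untouched
}

// Rewrite the page's mailto links for this page view only; returns the count.
function applyReferrerFeatures(doc, referrer) {
  const { source } = classifyReferrer(referrer);
  if (!source) return 0;
  let rewritten = 0;
  for (const a of doc.querySelectorAll('a[href^="mailto:"]')) {
    const target = webmailComposeUrl(source, a.getAttribute("href"));
    if (target) { a.setAttribute("href", target); rewritten++; }
  }
  return rewritten;
}

// In a browser, run once on load; there is no storage, so a visitor who
// navigates to a second page gets the default mailto behaviour again.
if (typeof document !== "undefined") {
  applyReferrerFeatures(document, document.referrer);
}
```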
I do not have the problem that many people are currently worried about, which is
the use of [Google Analytics](https://www.google.com/analytics/). I have always
preferred server-side web stats packages over embedding remote, untrusted
JavaScript in my websites and sending all of my traffic statistics to an
untrusted third party. The only time I embed remote content in pages on this
website is when it is essential for a demonstration. For example, my [Abusing
HTTP Status Codes to Expose Private
Information](/Abusing_HTTP_Status_Codes_to_Expose_Private_Information) article
embeds an image from mail.google.com, and two scripts from www.facebook.com and
twitter.com.
Yes, this legislation makes it more difficult for me to build websites. And yes,
I do care enough about privacy to accept these changes and work with them, for
the **benefit** of the end user.