- A small sweet cake, typically round, flat, and crisp
- A person of a specified kind
- a tough cookie with one eye on her bank account
- A packet of data sent by an Internet server to a browser, which is returned by the browser each time it subsequently accesses the same server, used to identify the user or track their access to the server
The Scale of Cookie Naughtiness
Cookies (of the data variety) come in a lot of shapes and sizes. They can be totally innocuous or really pretty evil. Some are essential to the running of goody-two-shoes websites; others are essential for tracking an individual’s every move across the internet to allow advertising to be tailored to them. It’s this second kind that the Directive seems to be really aiming at, but it does seem that some more innocent cookies may also be deliberately targeted by the legislation or may simply be caught in the crossfire.
How naughty is naughty?
Our audit tool rates cookies on a blissfully unscientific scale of 1 to 5.
We tried to imagine the most evil 1984-type applications, ones that know:
- where you live,
- that you are female,
- have prostate problems,
- are called Ryan,
- bought a Bros record in a weak moment in 1987,
- have “had a drink” with someone called “Imogen”
- have £2.33 left in your bank account; and
- are about to run out of cat food
And all this so they could give you a £0.50-off voucher for Welshkitty Chicken-flavoured pet food. We decided we would give them a score of 5. We have little doubt that the Cookie Directive is requiring these guys to get fully informed consent.
At the other end of the scale are the cookies that really are “strictly necessary” (you know, the ones that bring teacher an apple). The Commission has issued some pretty clear guidance on what they see as strictly necessary (gathering website usage info isn’t one of them). We give these a score of 1. You don’t need to do anything about these.
In between is everything from cookies that save you logging in on every visit, track your use of a website anonymously, add social information to your website, or even serve you up relevant advertising in an ethical manner. We score these with 2’s, 3’s and 4’s, with the idea that 4’s push the boundaries more than 2’s. Hands up though, scoring is very haphazard and is inevitably going to cause some debate/ruffle feathers.
Is it fair to describe cookies as “naughty”? Probably not; it’s deliberately meant to be tongue-in-cheek. However, anything with a score of 2 or above does, in our opinion, mean that you are required to get user consent. Quite how you get that consent is another very grey area of the directive. We are suspicious that very lame efforts could be acceptable (or would at least show you are trying to comply, which seems to be the all-important strategy).
We’ve discussed the scale in relation to the almost ubiquitous Google Analytics here.
In the reports the audit tool spits out, we have a “Possible naughtiness” score. The operative word here is “possible”, i.e. don’t take our word for it – we aren’t lawyers. As explained above, the scoring is haphazard. Just because we suggest something may have a score of 1 doesn’t guarantee you don’t need to get consent. Phew, has that solicitor left now? Good…
We aim to add detailed information about commonly used cookies in due course to allow you to make informed decisions. If you’d like to contribute, please let us know.