Cutting down on cookies: practical tips

The Government Digital Service’s Implementer Guide for the new cookie rules recommended that site owners should audit their sites, and look to reduce ‘unnecessary and redundant cookies’. With or without the new rules, it’s still sound advice. So I thought I’d share a couple of things we’ve done for clients, which might be helpful to other people.

It’s easy enough to look at the cookies being dropped by your own site, but life becomes a lot more difficult when it comes to third party services. You might not realise it, but every time you embed a YouTube video on a page, you’re exposing your users to YouTube cookies. And if you’ve included Twitter’s excellent profile widget on your site, guess what? – it’s dropping cookies too.

Both services would probably argue that any user tracking is ultimately for users’ benefit: and in fact, unlike many in the web industry, I have some sympathy for that argument. But I’m not entirely comfortable with government websites acting as (unwitting?) conduits between users’ personal web histories and third-party services.

YouTube

YouTube offers a seamless solution: a parallel domain, youtube-nocookie.com, which gives you the exact same YouTube playback function, but tighter controls over cookies. If you’re ever embedding a clip manually from youtube.com, you’ll see an option to ‘Enable privacy-enhanced mode’: tick this, and you’ll see the embed code’s reference to youtube.com change to youtube-nocookie.com. Easy as that.

(The name is slightly deceptive: it doesn’t completely eliminate the use of cookies. YouTube’s help pages indicate: ‘YouTube may still set cookies on the user’s computer once the visitor clicks on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode.’)

On a couple of client sites with large quantities of videos, FreeSpeechDebate and the Government Olympic Communication site, we use a WordPress custom post type to simplify the process of adding YouTube content. All they need to do is paste the URL of the clip’s page into a WP editing screen, and we extrapolate all the rest: embed code, thumbnail image, dimensions and so on. The videos are then included automatically at the top of the appropriate page.

As seen at goc2012.culture.gov.uk

We’ve now altered that functionality to serve all videos from the youtube-nocookie.com domain; and also to include the youtube-nocookie.com domain in the embed code we offer. A fairly simple case of find-and-replace, initially in the page template’s PHP, and subsequently also in JavaScript if users want to customise the dimensions.
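
A sketch of that swap in JavaScript, added here as an illustration and not the code running on the sites above. It builds the embed from a pasted clip URL and rewrites existing embed code, matching on the parsed hostname, not on a plain string replace, so a lookalike domain or a path that merely contains ‘youtube.com’ is left alone. The function names, the accepted host list, the 11-character video ID pattern and the default dimensions are assumptions.

```javascript
// Added example: privacy-enhanced YouTube embeds from pasted clip URLs.
const NOCOOKIE_HOST = 'www.youtube-nocookie.com';
// Assumption: the hosts editors are likely to paste from.
const YOUTUBE_HOSTS = new Set(['youtube.com', 'www.youtube.com', 'm.youtube.com', 'youtu.be']);
// Assumption: video IDs are 11 URL-safe characters.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Return the video ID from a watch, short-link or embed URL, or null.
function extractVideoId(pageUrl) {
  let url;
  try { url = new URL(pageUrl); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  const host = url.hostname.toLowerCase();
  if (!YOUTUBE_HOSTS.has(host) && host !== NOCOOKIE_HOST) return null;
  let id = null;
  if (host === 'youtu.be') id = url.pathname.slice(1);
  else if (url.pathname === '/watch') id = url.searchParams.get('v');
  else if (url.pathname.startsWith('/embed/')) id = url.pathname.slice('/embed/'.length);
  return id && VIDEO_ID.test(id) ? id : null;
}

// Build embed code that always points at the no-cookie domain.
// Dimensions are forced to positive integers so user-customised values
// cannot smuggle extra attributes into the markup.
function buildEmbed(pageUrl, width = 560, height = 315) {
  const id = extractVideoId(pageUrl);
  const w = Number.parseInt(width, 10);
  const h = Number.parseInt(height, 10);
  if (id === null || !(w > 0) || !(h > 0)) return null;
  return `<iframe width="${w}" height="${h}" ` +
    `src="https://${NOCOOKIE_HOST}/embed/${id}" frameborder="0" allowfullscreen></iframe>`;
}

// Rewrite src attributes in existing embed code. Only URLs whose host is
// really YouTube and whose path is /embed/<id> are touched; query
// parameters on the original src are kept.
function rewriteEmbedHtml(html) {
  return html.replace(/src="([^"]+)"/g, (match, src) => {
    const abs = src.startsWith('//') ? 'https:' + src : src;
    if (extractVideoId(abs) === null) return match;
    const url = new URL(abs);
    if (!url.pathname.startsWith('/embed/')) return match;
    url.protocol = 'https:';
    url.hostname = NOCOOKIE_HOST;
    return `src="${url.href}"`;
  });
}
```
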

Twitter

Avoiding Twitter’s cookies has been slightly trickier. Our solution has been to move clients away from the official Twitter widget, instead deploying my colleague Simon Wheatley’s well-established Twitter Tracker plugin (downloaded well over 10,000 times), which we’ve adapted to permit cookie-free usage.

Twitter Tracker adds two new WordPress widgets: one showing Twitter search results for your chosen term or hashtag, the other displaying all tweets by a given user. It includes local caching of the data, minimising traffic to Twitter and (in all likelihood) rendering the pages much faster – for the loss, admittedly, of a ‘real time’ view, which may or may not be important to you.

However, because the widgets call users’ profile images live from twitter.com, cookies were still being dropped. So there’s now a ‘partner plugin’, called Twitter Tracker Avatar Cache, which – as the name suggests – downloads any Twitter profile images and saves them locally within WordPress. No need to call them in from twitter.com, and hence no cookies. (For those who don’t want this extra functionality, the base plugin will continue to work as it always has.) It’s available now from the WordPress plugin repository: find it via the ‘Add New’ screen in your WordPress admin interface.

For most people, this will probably seem like overkill – and in fairness, it probably is. But for quite a few of our clients, it’s been a helpful way to avoid some of the more sensitive issues around cookies and usage tracking, without compromising on site functionality.

That’s the way the cookie rules crumble

New EU rules relating to the use of cookies on websites came into effect in May 2011, but the UK Information Commissioner gave everyone a year to work towards compliance. In practice, of course, that meant everyone ignored it for 51 weeks, then panicked.

Along with much of the European web industry, I spent last week fielding calls from clients, asking whether their site was compliant with the rules – or perhaps more accurately, whether they were facing a £500,000 fine, like they’d heard on the news.

As ever with these things, it boiled down to choosing a role model, and copying what they were doing. The Government Digital Service and DCMS (as lead department) were both taking an ‘implied consent’ approach, with pages listing and justifying the use of each individual cookie; and the BBC, initially, were doing likewise. That was good enough for most people.

(Late in the week, the BBC actually changed tack, and introduced a new ‘explicit consent’ approach. Thankfully, most of my contacts had bought into ‘implicit consent’ by then.)

And then, outrageously late in the day – a scorching hot leave-work-early Friday at that – the ICO cracked.

Posting on their corporate blog, Dave Evans announced that their guidance had been updated to ‘clarify’ that implicit consent was a valid form of consent, as long as you were ‘satisfied that users understand that their actions will result in cookies being set.’ In other words, implicit consent with appropriate information was absolutely fine.

It was the only sensible outcome. Constant popups or warning banners would have killed the concept of cookies, which are used – in the vast majority of cases – to make things easier for users. It would have undermined most websites’ traffic analysis. And besides, with third-party services from sharing to embedding now common on every web page, I’m not convinced any technology could have successfully blocked every attempt to drop cookies anyway.

It hasn’t been an unhelpful exercise. I broadly agree with the principle of cutting down on ‘unnecessary’ cookies, and in this past week, as a result of the fuss, we’ve made changes in how we do certain things. (Blog post to follow.) If it has made online giants like Google, Twitter and Facebook think again, and be more transparent about their use of cookies (and other tracking technologies), then that too is a good thing.

Common sense would seem to have prevailed. Hurrah. But I’m sure a lot of people are less than happy at the ICO’s handling of this.