Reputation: 36225
I am working on a new PHP application that will allow users to register for an account in order to use my service. I want the website to comply with the new legislation that has come to the UK to provide visitors to the site with the option to enable or disable the use of cookies on their first visit.
I'm not entirely sure, though, what the best way to implement this is. If I can't store a cookie, how would I keep track of whether the user is visiting the site for the first time in order to display the message, or, if it is not the first visit, not display the cookie message?
Thanks for any help you can provide.
Upvotes: 4
Views: 473
Reputation: 24101
One should distinguish between session-cookies and other cookies:
Session-cookies will be removed as soon as the user closes the browser; they are important for secure session handling and will increase the privacy of the user. It would be absurd to forbid those cookies.
Persistent cookies, especially those of 3rd parties, can live a long time in the user's browser. They are often misused to collect information about the user, so the user should be asked whether he allows such cookies. Unfortunately only honest websites will ever care about this law/recommendation.
EDIT:
I found a description of exceptions in the ICO cookies guidance which seem to legitimate pure session-cookies:
There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
...This exception is likely to apply, for example, to a cookie used to ensure that when a user of a site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, the site ‘remembers’ what they chose on a previous page. This cookie is strictly necessary to provide the service the user requests (taking the purchase they want to make to the checkout) and so the exception would apply and no consent would be required.
EDIT2:
Should you ask the user whether to store non-session-cookies and he doesn't allow you to store them, then keep this information in your session, but ask him again when he returns with another session. It is then his choice to get this message whenever the browser was closed.
Upvotes: 2
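The approach from EDIT2 above, as an added example that is not part of the original answer: the visitor's decision is kept in the session, and a persistent cookie is written only after consent. The names `consent_state()`, `record_consent()`, the `cookie_consent` cookie and the `consent` form field are hypothetical; the code assumes PHP 7.3 or later (options-array form of `setcookie()`) and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Session cookie only: lifetime 0 means the browser drops it when it closes.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumption: the site is served over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/** Returns 'granted', 'denied' or 'unknown' for the current visitor. */
function consent_state(): string
{
    // The persistent marker exists only if the user agreed on an earlier visit.
    if (($_COOKIE['cookie_consent'] ?? '') === 'granted') {
        return 'granted';
    }
    // Otherwise fall back to the decision remembered for this session only.
    return $_SESSION['cookie_consent'] ?? 'unknown';
}

function record_consent(bool $granted): void
{
    $_SESSION['cookie_consent'] = $granted ? 'granted' : 'denied';
    if ($granted) {
        // Only a "yes" is ever written to a persistent cookie.
        setcookie('cookie_consent', 'granted', [
            'expires'  => time() + 365 * 24 * 3600,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
}

// Handle the banner form before any output, so headers can still be sent.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['consent'])) {
    record_consent($_POST['consent'] === 'yes');
}

if (consent_state() === 'unknown') {
    echo '<form method="post">This site would like to store cookies. '
       . '<button name="consent" value="yes">Allow</button> '
       . '<button name="consent" value="no">Decline</button></form>';
}
// Set other persistent cookies only where consent_state() === 'granted'.
```

A visitor who declines is not asked again until the browser is closed, because the refusal lives only in the session.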
Reputation: 117517
The law is mainly concerned with 3rd party cookies. Yours is a first party cookie and these are generally assumed to be ok. You should be fine with a notice on your site specifying that you are using cookies and if people don't like that, they should get off your site (possibly worded more politely).
From ICO's own recommendations:
First party analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards, eg a user friendly mechanism to opt out from any data collection and where they ensure that identifiable information is anonymised.
Also note that it's not really a law - it's an EU directive and it's not really enforced.
Upvotes: 3