What does it really mean for UK developers?
Interview: Ian Barber on the EU Cookie Law
Virgin Management’s Ian Barber gave a great talk on the PHP UK
‘unconference’ track this morning, discussing the implications of
the European Union Cookie Law for PHP devs. When the law comes into
effect on May 26, any
UK website wanting to set cookies will be required to get explicit
permission from all EU users or risk investigation by the
Information Commissioner’s Office (ICO) and a fine of up to
£500,000.
Ian went through a number of possible solutions, ranging from
simple notification systems to grey-area workarounds that stay
within the letter of the law while retaining some of the essential
functionality of traditional cookies. Examples of the latter
include JavaScript fingerprinting, which is explained nicely by the
EFF’s Panopticlick demo page, and the use of ETags in existing
on-site images. Both arguably comply with the law’s
stipulation against placing specific tracking tools on a user’s
machine, but, with no legal precedent, it’s difficult to say
whether or not they’d be found to infringe in a real-world
case.
Leaving the quick-fixes aside, we sat down briefly with Ian to
discuss what he thinks will actually happen when the law comes into
effect. The first issue was warning signs. Asked what these will
look like, he was pretty clear: “You’ll see lots of banners saying
‘We use cookies!’. Some companies will go further, but it’ll be
limited.” What about developers and designers who refuse to display
them, for aesthetic or other reasons? “As consumers get used to the
warnings, they might actually start to mistrust sites without
them.” A fair point, with interesting implications for the
long-term relationship between EU-based and international
sites.
As far as the concrete reality of investigation and prosecution is
concerned, the advantage seems to be on the side of the developers
-- Ian emphasises that the ICO is very unlikely to undertake any
investigation without receiving a specific complaint. While
organisations such as Privacy International might try their hands
at test cases, it’s also likely that they’ll
pick a more favourable regulatory environment than the UK for their
initial steps -- he mentions the Netherlands and Italy as possible
venues.
Inevitably, the first few months of the Cookie Law are going to be
a tentative game of cat-and-mouse, with developers testing the
waters and attempting to shore themselves up against legal attack
without really knowing how the situation will ultimately play out.
It’s a brave new world out there, and until we start to see the law
really being put into practice, nothing is certain.