Using DNS TXT records to effect EU/UK cookie law

Posted on by

It struck me that the most logical way of expressing what policy you have for a web site for the use of cookies or personal data is to detail this policy within the DNS records that a person (or their device) must look up BEFORE they hit your site. A bit like how SPF records detail email delivery policy for your systems and recipients can use this (or ignore it) when they look at emails that are claimed to be from your domains.

The suggestions of using web page forms or pinch pages or similar requires both the site operator and the site user to do things for no logical and practical gain to either party.

So how would this work ? Well you would add a TXT record that has an expiry and for each CNAME or A record or a default, it would list either a URI to a privacy policy which would include details on cookie use and/or a set of flags on cookie use the URL of the policy is a bit like the CRL within SSL)..

The user, before they visit the web site thus has the opportunity to examine the privacy and cookie use policy without actually visiting the web site.

Actually we know anonymous web site users won’t give two flying ducks about what cookies our web sites use given they probably already use anything from ad blocking software to browsers within virtual machines, but for some bizarre reason the UK Information Commissioner’s Office (ICO) has managed to gold-plate an equally bizarre EU cookie directive.  Yes the ICO is the same group that gets everyone who handles personal data from babysitters through to government departments to pay either Tier 1 of  £35 or Tier 2 of £500 (if you have 250 or more employees and £25.9 million revenues – yes logic isn’t their strong point) but the ICO doesn’t have an online payments system nor can it take credit/debit cards so you end up having to print out the forms you just filled in online and send those with your cheque or you can use a direct debit from your bank account only they can’t actually do direct debits if you had to pay a Tier 2 £500 fee. In sharp contrast the Companies House that is the regulator and registrar for companies does everything online and you can renew your annual company registration for the grand sum of £14 online as well.