Today I attended one of DCLG’s Local Direct Gov ‘Really Useful’ sessions on Cookies and Privacy. This was to discuss the consensus approach to the forthcoming EU Electronics Communications Directive.
Firstly thanks to Louise Russell and Sheenagh Reynolds for organising this. It was as they say, really useful. It was well attended with rep’s from the ICO’s office and GDS as well as a number of webby types from local government in London. I can hear the groans from here but Louise did explain that it was the speed at which they had organised this that let to the London focus. CLG felt forming a position quickly and sharing it more widely was the most efficient way to go so hence we have set up a Knowledge Hub group on Cookies and Privacy specifically for this.
David Evans from the ICO attended and to give him his dues he valiantly took all the obvious disgruntlement from around the table and the discussion quickly moved to a kind of debate with Daffyd Vaughan from the GDS leading the assault and David looking like a man who was resigned to a loosing streak.
It seemed to me that there was for the most part, very little appetite for the legislation on either side. The ICO are basically saying they will look to intent in terms of an organisation addressing the issue and will only act at all if there is both a direct attempt at deception and a substantiated complaint from an individual.
The salient points were:
- that implied consent is sufficient for the time being but the picture might change as the legislation beds down (as per comments below please note this is probably not enough if you don't make the consent obvious enough) (SECOND AMENDMENT - IMPLIED CONSENT IS NOW OK. THE GUIDANCE WAS CHANGED AT THE LAST MINUTE TO ALLOW IT.)
- appropriate solutions will be relative to the context
- ICO will use discretion and constructive pressure but have no intention to use monetary penalties
- they (ICO) are ‘less interested’ in session based analytical cookies
- the legislation applies to storage and retrieval of information from users and so extends beyond cookies e.g. HTML5 local storage and Flash cookies.
Further reading was recommended as follows:
Examples of innovative approaches:
We finally came to the conclusion that we would address the requirement as follows:
- We will amend T&C’s to include a section on cookies and ask users to accept these again giving explicit consent,
- We will provide an information page on the cookies we use and what we use them for and why,
- This page will inform users how to set their browser to dis-allow cookies and how to remove cookies.
Do take a look at the group. We will publish out amended terms there for comment and sharing. There will be heaps more there on corporate website solutions.
I look forward to the next fattening episode.