It’s not all over for the sweet-toothed web - Cookies and Privacy

Today I attended one of DCLG’s Local Direct Gov ‘Really Useful’ sessions on Cookies and Privacy. This was to discuss the consensus approach to the forthcoming EU Electronics Communications Directive.

Firstly thanks to Louise Russell and Sheenagh Reynolds for organising this. It was, as they say, really useful. It was well attended, with reps from the ICO’s office and GDS as well as a number of webby types from local government in London. I can hear the groans from here, but Louise did explain that it was the speed at which they had organised this that led to the London focus. CLG felt forming a position quickly and sharing it more widely was the most efficient way to go, so hence we have set up a Knowledge Hub group on Cookies and Privacy specifically for this.

David Evans from the ICO attended and, to give him his dues, he valiantly took all the obvious disgruntlement from around the table. The discussion quickly moved to a kind of debate, with Daffyd Vaughan from the GDS leading the assault and David looking like a man who was resigned to a losing streak.

We are obviously very interested, as Knowledge Hub makes extensive use of cookies, and given we had seen what the effect of the ICO’s position was on their own website, there was potential Armageddon in the pipeline for us. I’m glad to report that we are assured that this is definitely not the case.

It seemed to me that there was, for the most part, very little appetite for the legislation on either side. The ICO are basically saying they will look to intent in terms of an organisation addressing the issue and will only act at all if there is both a direct attempt at deception and a substantiated complaint from an individual.

The salient points were:

  • that implied consent is sufficient for the time being, but the picture might change as the legislation beds down (as per the comments below, please note this is probably not enough if you don't make the consent obvious enough) (SECOND AMENDMENT: IMPLIED CONSENT IS NOW OK. THE GUIDANCE WAS CHANGED AT THE LAST MINUTE TO ALLOW IT.)
  • appropriate solutions will be relative to the context
  • the ICO will use discretion and constructive pressure but have no intention to use monetary penalties
  • they (the ICO) are ‘less interested’ in session-based analytical cookies
  • the legislation applies to storage and retrieval of information from users, and so extends beyond cookies, e.g. HTML5 local storage and Flash cookies.


Further reading was recommended as follows:


Examples of innovative approaches:


We finally came to the conclusion that we would address the requirement as follows:

  • We will amend the T&Cs to include a section on cookies and ask users to accept these again, giving explicit consent,
  • We will provide an information page on the cookies we use, what we use them for and why,
  • This page will inform users how to set their browser to disallow cookies and how to remove cookies.


Do take a look at the group. We will publish our amended terms there for comment and sharing. There will be heaps more there on corporate website solutions.

I look forward to the next fattening episode.

Mike


7 Comments

Robert Clark 7 Years Ago
Michael, a good synopsis - thanks. My interpretation of what was said was that an "implied consent" was probably not acceptable unless very clearly signposted. Regards, Robert
Former Member 7 Years Ago
I came across this article recently that covers advice from the ICC (International Chambers of Commerce) which I thought distilled things down to a much more digestible level. http://www.pcpro.co.uk/blogs/2012/04/27/the-cookie-law-clarity-at-last-but-not-from-the-ico/
David Evans 7 Years Ago
Michael, a very useful synopsis, although I'm afraid Robert is right: "implied consent" is not acceptable currently. This is because the evidence we've seen suggests that awareness about cookies, their functions and uses is not high enough to rely on implied consent. As, hopefully, consumer awareness increases over the next few years, this position may change. Regards, David
Robert Clark 7 Years Ago
My notes from the workshop - happy for it to be reposted/edited/commented upon! Workshop was hosted at the City Marketing Suite, Guildhall, London and organised by DCLG and City of London. City of London are interested in this topic as they plan to launch their new website in June. Even though there was an Agenda, it wasn’t really followed, as we ended up in a round table discussion of the topics/issues. There were two main protagonists/presenters: David Evans from the ICO (not the David Evans from the ICO that has been giving presentations on this topic for 18 months), and Daffyd Vaughan from the Cabinet Office, responsible for the new Gov.uk website. David Evans started by explaining the current position: the EU Electronic Communications Directive was enshrined in regulations from The Department for Culture, Media and Sport on 26th May 2011. Organisations have had a year to get used to things, and from 28th May 2012 (27th is a Sunday), the ICO will start upping the ante on enforcement. Under the Data Protection legislation, they have a lot of leeway/discretion, and this is the tactic they will take over cookies/privacy issues. Only likely to look at monetary penalties if there have been deliberate attempts to avoid compliance or to deceive. They will generally take a constructive approach, making suggestions on improvement. However, this may depend on the complaints they receive and if there are any legal challenges/case law that sets precedent. The ICO will push for ‘good practice’ not ‘best practice’. David did admit that the method the ICO took on their website ( http://www.ico.gov.uk ) by putting up a banner that effectively blocks access unless the user specifically agrees to the use of cookies (the nuclear option!) was not the approach that they would recommend, but one that they had to take as the regulator. Acceptance of this is stored in a cookie!
David’s view was that websites may end up with two paths – one with full functionality that utilises cookies, and a path with limited functionality that doesn’t utilise cookies. To fully comply with the regs there must be explicit consent. Users should be able to make an informed choice. This information should be available across the site, not just the home page. The obvious place to have this is as part of any T&Cs, especially at sign-up. However, any change to T&Cs would have to be notified to existing users, who should be given the option to opt in/opt out. Implicit consent is probably not acceptable unless clearly signposted. The ICO’s view is that this is because the evidence they have seen suggests that awareness about cookies, their functions and uses is not high enough to rely on implied consent. As, hopefully, consumer awareness increases over the next few years, this position may change. The regs don’t just cover cookies, but any personal information (including HTML5 local storage, Flash cookies, browser caches, etc). Daffyd Vaughan expressed a view that some of the alternatives (device fingerprinting, javascripting, etc) were more intrusive and therefore likely to be considered less acceptable. The ICO is likely to be less interested in session cookies than persistent cookies. Daffyd Vaughan reported that the position in Europe varies. Some countries don’t appear to be actively working on the directive, whilst in Germany they are heavily focussing on the use of tracking cookies. Google are working on some updated tools for webmasters – a release may be imminent. It was thought that Google Analytics may not store IP addresses in cookies, but that this information may be available in the reporting. Apparently the US Government has taken the view that IP addresses don’t identify an individual. Daffyd advised that web managers should check the Google Analytics options to switch off sharing of cookies.
David said that the ICO would consider what was business critical. The legislation says “strictly necessary”, so shopping basket cookies would be considered business critical, but user option/experience cookies would not. There was a view that sites shouldn’t use pop-ups. There was some discussion around whether Google Analytics would be considered “business critical”. Some sites thought that it is, as it helps them shape the user experience. David’s view was that it wasn’t, as the websites could operate without Google Analytics. (As an aside, the Office of National Statistics can fine government departments if they do not collect/supply statistics, but then they could get censured by the ICO). It was felt that where there were links to external websites, these should clearly be indicated, so that the user is aware that different rules/policies may be in place. There was a warning that social networking sharing buttons set tracking cookies. The recommendation from Daffyd was not to use these, but to follow the BBC’s example and just link to these social media sites. There was some discussion that if you explicitly asked for permission to use cookies and the end-user said “no”, then how would you store this other than in a cookie!
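As an added illustration (not code from the original post, the comments, or Knowledge Hub): a small consent gate in JavaScript that classifies a constructed registry of a site's storage items as "strictly necessary" or consent-requiring, records the user's yes/no in a single necessary cookie (the "how else would you store no" point above), treats HTML5 localStorage the same as cookies, and derives the "cookies we use" disclosure page from the same registry. The registry entries, cookie names and function names are assumptions.

```javascript
// Constructed registry of the storage a hypothetical site uses, classified the way the
// workshop discussed: "strictly necessary" items may be written without consent; anything
// else only after an explicit "yes". localStorage is listed alongside cookies because the
// regulations cover any storage on the user's device, not just cookies.
const STORAGE_REGISTRY = {
  JSESSIONID:     { kind: "cookie",       persistent: false, purpose: "login session",          necessary: true },
  cookie_consent: { kind: "cookie",       persistent: true,  purpose: "records consent choice", necessary: true },
  basket:         { kind: "cookie",       persistent: false, purpose: "shopping basket",        necessary: true },
  _ga:            { kind: "cookie",       persistent: true,  purpose: "Google Analytics",       necessary: false },
  ui_prefs:       { kind: "localStorage", persistent: true,  purpose: "layout preferences",     necessary: false },
};

// Parse a Cookie request header (or document.cookie) into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Consent state: "yes", "no", or "unknown" (no choice recorded yet). Anything unexpected
// in the cookie is treated as "unknown", i.e. as if no consent had been given.
function readConsent(cookieHeader) {
  const v = parseCookies(cookieHeader).cookie_consent;
  return v === "yes" || v === "no" ? v : "unknown";
}

// Set-Cookie value that records the choice. A "no" has to be remembered too, so this one
// cookie is itself strictly necessary and is the only thing written before consent.
function consentSetCookie(choice, maxAgeDays = 365) {
  if (choice !== "yes" && choice !== "no") throw new Error("choice must be yes or no");
  return `cookie_consent=${choice}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// May the named storage item be written for a request carrying this Cookie header?
function maySet(name, cookieHeader) {
  const entry = STORAGE_REGISTRY[name];
  if (!entry) return false;                    // not in the registry: undisclosed, so never written
  if (entry.necessary) return true;            // strictly necessary: no consent needed
  return readConsent(cookieHeader) === "yes";  // everything else needs an explicit yes
}

// Rows for the information page, generated from the same registry the gate enforces,
// so the published disclosure cannot drift from what the site actually sets.
function disclosureRows() {
  return Object.entries(STORAGE_REGISTRY).map(([name, e]) => ({
    name, kind: e.kind, lifetime: e.persistent ? "persistent" : "session", purpose: e.purpose,
    consent: e.necessary ? "strictly necessary" : "requires consent",
  }));
}
```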
Michael MacAuley 7 Years Ago
Hi Robert, why not post your notes as a blog too? If it's tagged with cookies it will appear in the group along with mine. Not had enough time today to do more work on it. Any content people think is relevant can be added also. Mike
Michael MacAuley 7 Years Ago
Thanks for the correction David. I've amended the post.
Michael MacAuley 7 Years Ago
Well it looks like the ICO advice listed here is now incorrect. Cookies law changed at 11th hour to introduce 'implied consent'