
EU cookie legislation – a look at some of the implementations

UK cookie legislation (Directive 2009/136/EC) became law on May 25th 2011. This is the one where websites are meant to give you the opportunity to opt out of visiting them if they are using cookies. Cookies can be very “invasive of privacy”, though in varying degrees, and some potentially not at all. The law, whilst passed with good intentions, has had some unintended consequences, notably affecting some cookie functionality that is useful and likely unintrusive.

I imagine that most of us with a website use Google Analytics. We all like to look at our traffic levels – well I do anyway. There has been some confusion as to exactly what is being required of website owners – rumours for example that sites only using Google Analytics cookies would not be made to comply as GA was “beneficial and not intrusive”.

You may or may not know that I am on the Information Commissioner’s Office Technology Reference Panel. This is an expert body of representatives from stakeholder groups in information and technology related industry sectors.

The ICO, which is the industry regulator, has given the UK a year to implement the cookie directive. This year is up at the end of this month and naturally there has been press comment and a flurry of businesses making adjustments to their websites in an attempt at compliance.

One year on, exactly what will the ICO do re enforcing the law? In particular, would the use of Google Analytics cookies simply be “ignored”? I raised this at this week’s ICO TRP meeting and got the following position:

  • First of all the 27th May deadline for implementing the legislation is more a marker for ICO – not a hard date. This means that from this time the ICO will start looking at the subject more closely.
  • In the meantime, in the run up to the end of May, the ICO will publish information for individuals to allow them to raise concerns via the ICO website. Note the ICO has not had much activity on the complaints front in the last 12 months.
  • They will also be making it clear that on an individual level it is unlikely that ICO will pursue 1 cookie on 1 web page.
  • The ICO can’t audit every UK website but can look at trends or patterns – e.g. if many issues are raised about specific types of cookie
  • ICO will also be issuing a clarification of its line on analytics cookies – these are not exempt from the law

They are also going to do some work on implied user consent. This is where by using a particular web page it is clear that by implication you are consenting to the use of cookies (I forgot to write down an example). Implied user consent is a difficult thing to gauge.

It is very important that everyone gets this right – ICO included. When ICO themselves asked visitors to their website to agree to the use of cookies before allowing them to proceed to the site, the traffic levels dropped by 90%!!! This is embarrassing for an industry regulator but commercial suicide for a business.

This prompted me to look at some major websites to see how they have implemented the regulation.

Firstly the ICO – as mentioned this is a straight go/no go with an explanation of cookies used if you want to take a look. This is the most straightforward implementation and probably the only one that will stand a legal test (obv I’m not a lawyer so don’t go basing any decisions on this).

Then we have the BT set up. They have very cleverly put together a slider that allows you to choose which version of the site you use and the extent to which cookies are used. Whilst this is innovative I suspect it still breaks the law as it stands because it doesn’t give you the option of not having any cookies at all, other than I guess not visiting the site in the first place! Also in writing this blog I went back to the BT website to provide readers with a link to the cookie slider popup. Because I have already been on once and selected a setting it doesn’t come up again and I find it impossible to find on their website! You might be able to find it.

Finally the BBC seems to have copped out by just taking you to a page that tells you how to delete and manage cookies. You really have to be looking for it to find the page. The Beeb also tells you what cookies it uses – the list is quite extensive. So the BBC either hasn’t worked out what to do yet or is still in the process of doing so, is just sitting on the fence (as are most websites I imagine) or has tossed a bone to the Information Commissioner saying take it or leave it.

I’m not a particular authority on cookies but technically there are two types – first party and third party. First party cookies are set by the site you visit and are often there to help with the functionality of the site. Third party cookies are set when you visit a site and another site sets a cookie (usually advertising sites). There are also persistent versus session based cookies. Persistent cookies have an expiry date, which can be years in the future. Session cookies only last until you exit the browser.

This blog uses Google Analytics and some WordPress first party cookies, and also twitter, youtube, and linkedin third party cookies.

Note: if you want to find out what cookies a specific website uses, in the Chrome browser go to settings – under the hood – content settings – all cookies and site data, then search for the site you want to check. If you switch to a new user in Chrome before you do that then you’ll have a browser with no cookies set at all, so when you visit the site you can see if it also sets any third party cookies. You could also delete the existing list of cookies from your account and get the same result – if you can put up with that!
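The two distinctions described above (first party versus third party, session versus persistent) can also be read off the `Set-Cookie` headers a browser receives while loading a page. The following is an added example, not code from this blog or from any of the sites mentioned; the host names and cookie values are constructed, and `siteOf` is a simplifying assumption that compares the last two DNS labels.

```javascript
// Added example. Hosts and cookie values below are constructed for illustration.

// Simplification: treat the last two DNS labels as the "site". A real audit
// should use the Public Suffix List (this is wrong for suffixes like co.uk).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function classifyCookie(pageHost, responseHost, setCookie, now = new Date()) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const attr = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    attr[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? "" : a.slice(i + 1);
  }
  // First party: set by the site being visited. Third party: set by another site.
  const party = siteOf(responseHost) === siteOf(pageHost) ? "first" : "third";

  // Max-Age wins over Expires when both are present; neither means session cookie.
  let expiresMs = null;
  if (/^-?\d+$/.test(attr["max-age"] || "")) {
    expiresMs = now.getTime() + Number(attr["max-age"]) * 1000;
  } else if (!Number.isNaN(Date.parse(attr["expires"] || ""))) {
    expiresMs = Date.parse(attr["expires"]);
  }
  let lifetime = "session";
  let ttlSeconds = null;
  if (expiresMs !== null) {
    ttlSeconds = Math.max(0, Math.round((expiresMs - now.getTime()) / 1000));
    // A zero or past expiry is how a server deletes a cookie.
    lifetime = ttlSeconds > 0 ? "persistent" : "expired";
  }
  return { name, party, lifetime, ttlSeconds };
}

function auditPage(pageHost, observed, now = new Date()) {
  return observed.map(([host, header]) => classifyCookie(pageHost, host, header, now));
}

const SAMPLE = [ // constructed: [responding host, Set-Cookie header value]
  ["www.example.com", "sessionid=abc123; Path=/; HttpOnly"],
  ["www.example.com", "analytics_id=1.2.3; Max-Age=63072000; Path=/"],
  ["ads.tracker.example.net", "uid=xyz; Expires=Sat, 24 May 2014 00:00:00 GMT"],
  ["cdn.example.com", "prefs=; Max-Age=0"],
];
console.table(auditPage("www.example.com", SAMPLE, new Date("2012-05-24T00:00:00Z")));
```

The third-party, persistent rows are the ones most likely to matter in a cookie audit, since they are set by a site other than the one being visited and outlive the browser session.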

Timico uses cookies for the essential running of the site, analytics, providing live chat functionality, and for downloading whitepapers. Of those we have no plans to do anything about the live chat and essential cookies because they’re necessary to the running of the site.

We are just updating our privacy policy to make it clear that we use analytics cookies. Also our whitepaper download form has been updated to ask the user if they want their details remembering. If they choose not to then no cookie will be set, but they’ll have to complete the form every time they want to download any other whitepapers on our site.

As a footnote the ICO seems to have recognised that it lives in a very fast moving environment and has been gearing up with internal technical expertise to be able to function effectively. It would be nice to think that government departments will follow suit. We may then be able to avoid situations where ideas that sound politically good but have serious technical and privacy implications get any further than the concept stage.

Trefor Davies


Liver of life, father of four, CTO of trefor.net, writer, poet, philosopherontap.com

8 replies on “EU cookie legislation – a look at some of the implementations”

Interesting post 🙂

Re. BT ‘popup’
If you clear your BT cookies and refresh the BT home page you can force the popup cookie option to redisplay. It looks like it’s set to disappear in 10 seconds! BT advertisers are good with their weaselly words and it looks like the same clever minds have been tasked with their ‘cookie law’ implementation 😉

Did you see the link at the very bottom of bt.com: “Change Cookie Settings”? This brings up the slider again… Or have I misunderstood you 🙂

Just thought I should point out a factual inaccuracy.

You stated: When ICO themselves asked visitors to their website to agree to the use of cookies before allowing them to proceed the site the traffic levels dropped by 90%!!!

This is not technically true. The site’s analytics lost the ability to record traffic and therefore the available data showed 90% less traffic since offering the opt-out, this does not represent a 90% customer drop, but rather only a 10% opt in.

Hey Rich/tref

That 90/10 split assumes the traffic remained constant of course, I suspect it may have risen, given the amount of discussion around the cookie law, and so that “10%” of original traffic might even represent a smaller slice of a larger pie.
