EU cookie legislation – a look at some of the implementations
UK Cookie legislation (DIRECTIVE 2009/136/EC) became law on May 25th 2011. This is the one where websites are meant to give you the opportunity to opt out of visiting them if they are using cookies. Cookies can be very “invasive of privacy” though in varying degrees and some potentially not at all. The law, whilst being passed with good intentions has had some unintended consequences, notably affecting some cookie functionality that is useful and likely unintrusive.
I imagine that most of us with a website use Google Analytics. We all like to look at our traffic levels – well I do anyway. There has been some confusion as to exactly what is being required of website owners – rumours for example that sites only using Google Analytics cookies would not be made to comply as GA was “beneficial and not intrusive”.
You may or may not know that I am on the Information Commissioner’s Office Technology Reference Panel. This is an expert body of representatives from stakeholder groups in information and technology related industry sectors.
The ICO, which is the industry regulator, has given the UK a year to implement the cookie directive. This year is up at the end of this month and naturally there has been press comment and a flurry of businesses making adjustments to their websites in an attempt at compliance.
One year on exactly what will the ICO do re enforcing the law. In particular whether the use of Google Analytics cookies would simply be “ignored” I raised this at this weeks ICO TRP meeting and got the following position:
- First of all the 27th May deadline for implementing the legislation is more a marker for ICO – not a hard date. This means that from this time the ICO will start looking at the subject more closely.
- In the meantime in the run up to the end of May the ICO will publish information for individuals to allow them to raise concern via the ICO website. Note the ICO has not had much activity on the complaints front in last 12 months.
- They will also be making it clear that on an individual level it is unlikely that ICO will pursue 1 cookie on 1 web page
- The ICO can’t audit every UK website but can look at trends or patterns – eg if may issues raised about specific types of cookie
- ICO will also be issuing a clarification of its line on analytics cookies – these are not exempt from the law
Firstly the ICO – as mentioned this is a straight go/no go with an explanation of cookies used if you want to take a look. This is the most straightforward implementation and probably the only one that will stand a legal test (obv I’m not a lawyer so don’t go basing any decisions on this).
Then we have the BT set up. They have very cleverly put together a slider that allows you to choose which version of the site you use and the extent to which cookies are used. Whilst this is innovative I suspect it still breaks the law as it stands because it doesn’t give you the option of not having any cookies at all, other than I guess not visiting the site in the first place! Also in writing this blog I went back to the BT website to provide readers with a link to the cookie slider popup. Because I have already been on once and selected a setting it doesn’t come up again and I find it impossible to find on their website! You might be able to find it.
Finally the BBC seems to have copped out by just taking you to a page that tells you how to delete and manage cookies. You really have to be looking for it to find the page. The Beeb also tells you what cookies it uses – the list is quite extensive. So the BBC either hasn’t worked out what to do yet or is still in the process of doing so, is just sitting on the fence (as are most websites I imagine) or has tossed a bone to the Information Commissioner saying take it or leave it.
I’m not a particular authority on cookies but technically there are two types – first party / third party. First party cookies are set by the site you visit and are often there to help with the functionality of the site. Third party are when you visit a site and another site sets a cookie (usually advertising sites). There are also persistent versus session based cookies. Persistent cookies have an expiry date, which can be years in the future. Session cookies only last until you exit the browser.
This blog uses Google Analytics and some WordPress first party cookies, and also twitter, youtube, and linkedin third party cookies.
Note if you want to find out what cookies a specific website uses in the Chrome browser go to settings – under the hood – content settings- all cookies and site data, then search for the site you want to check. If you switch to a new user in chrome before you do that then you’ll have a browser with no cookies set at all, so when you visit the site you can see if it also sets any third party cookies. You could also delete the existing list of cookies from your account and get the same result – if you can put up with that!
As a footnote the ICO seems to have recognised that it lives in a very fast moving environment and has been gearing up with internal technical expertise to be able to function effectively. It would be nice to think that government departments will follow suit. We may then be able to avoid situations where ideas that sound politically good but have serious technical and privacy implications get any further than the concept stage.