2012-05-03

It’s been nearly a year since Ben last blogged on the EU cookie regulations and there has been a significant amount of discussion on the subject since. I attended the ABC’s “Interaction 2012” last week, where Dave Evans, Group Manager for Business & Industry at the Information Commissioner's Office (ICO), gave a candid presentation titled “Cookies: View from the ICO”. I’ll be discussing some of the interesting points that Dave made during his presentation whilst also providing a quick update on the topic in general.

A quick disclaimer before I go any further: Periscopix are not solicitors and this blog post is in no way intended to serve as legal advice. This post is merely intended to relay some of the points made during the ICO’s presentation and to provide some further guidance regarding potential solutions that have started to emerge.

And so to begin…

Despite a significant amount of resistance (see http://nocookielaw.com/) it’s clear that the directive now commonly known as the ‘EU Cookie Law’ is not going away. The latest round of written ICO guidance(1) was issued in December and it is worth recapping the key points from that document.

Essentially the document states that those setting cookies must:

tell people that the cookies are there,

explain what the cookies are doing, and

obtain their consent to store a cookie on their device.

Additionally the guide advised that the only exceptions to the law were cookies:

for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

i.e. cookies that are strictly necessary for the site to function, e.g. those used for shopping carts.

What is the latest ‘View from the ICO’?

Having attended Dave Evans’ presentation, there were two things that struck me:

Dave appears to be a very pragmatic man, looking to take a pragmatic approach to enforcing this law.

The cookie law landscape is still very much in flux.

I appreciate that this doesn’t give a great insight, so here are some bite-sized chunks…

No silver bullet

The ICO will not be providing a ‘one size fits all’ solution that ensures full compliance. They expect site owners to assess and implement solutions on a case by case basis, ensuring the best fit with the technologies being used and the cookies that are being dropped. 

Browser based permissions are not sufficient (not yet anyway!)

The variation in user and browser capabilities means that, for the time being, this is not an acceptable solution. The law states that consent from the browser depends on a user having taken some form of action. Unfortunately, a survey completed by PricewaterhouseCoopers LLP (PwC)(2) indicated that 37% of users were still unaware of how to manage cookies on their computer, which means 37% would not (by the definition above) have granted consent for cookies to be dropped.

As browser technologies and user understanding increase, this view is likely to be revisited; however, it does pose the question: why is more not also being done to educate users in how to amend their browser settings? Surely an educational ad campaign on the BBC or splash pages on the leading browsers could help to rapidly reduce this 37% and improve people’s understanding of cookies?

Analytics cookies are not exempt

Contrary to recent rumours, it was confirmed that analytics cookies are not exempt from the law. However, the ICO advised that this is not the same as saying that the law requires an opt-in model. It should be noted that, regardless of whether consent is opt-in or implied, it should be obtained before any cookie covered by the law is set. This guidance is included within the ICO’s December communication, although a note was also included stating that, if this is not possible, the time between the cookie being set and a notice being served must be minimised. The solution implemented on the BT.com site appears to be applying this second approach.

Further guidance to follow

In anticipation of a multitude of questions regarding what constitutes implied consent and how this approach could be implemented, Dave advised that the ICO will be issuing further guidance before the 26th May. This additional guidance will also include more information regarding the ICO’s priorities for enforcing the legislation.

Not in the slide pack

For anyone interested, the ICO’s ABC Interaction slide pack can be found at http://www.abc.org.uk/PageFiles/1487/David.pdf. In addition to the detail within the slides, Dave advised that:

The ICO appreciate that implementing robust and workable solutions takes time and are happy for solutions to be worked into already planned development cycles (within reason). Consequently, whilst they will be ‘expecting more’ from site owners with regard to compliance from the 26th May, an immediate cutover may not be required.

The ICO confirmed that whilst it is probably easier for content publishers to inform users of a cookie’s use, it is the party setting the cookie that is ultimately responsible for gaining consent. This means that publishers and third parties will need to work together to deliver workable solutions, and that there is likely to be a raft of contract re-writes to set out each side’s responsibilities.

So what should we be doing?

As detailed in the ICO’s most recent guidance, the first port of call is to complete a cookie audit for your site. This will provide a clearer picture of the cookies that are being set and their associated risk. There are several plugins to help with this, such as Attacat for Google Chrome and Firecookie for Firefox, and the data gathered can be used to author a more detailed privacy policy (see the BBC for an example: http://www.bbc.co.uk/privacy/bbc-cookies-policy.shtml).

Once this is complete, it’s time to start looking at and implementing a solution. Whilst it may well be worth waiting until the ICO’s implied consent guidance is available before reaching a final decision, a number of companies do have solutions available. To help, we’ve put together a quick guide (published as an image alongside this post) to the solutions that we have looked at: Optanon, CookieQ, Cookie Control, Wolf Software and OKcookie (thanks to the support teams at each of these vendors for their speedy responses).
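The two steps above (audit the cookies you set, then gate the non-essential ones behind consent so that the notice precedes the write, as the ICO guidance on analytics cookies requires) can be wired together in a few lines of client-side code. The following is an added example written for this post; it is not code from the original article or from any of the vendors named above. Function names, the cookie registry and the cookie names are all hypothetical; an in-memory store stands in for document.cookie so the gate can be exercised offline, with a thin adapter shown for use in a real browser.

```javascript
// Added example (not from the original post): a minimal consent gate that
// refuses to write any non-essential cookie until the user has consented,
// plus an audit helper that classifies the cookies currently present.
// Categories follow the ICO's split: strictly necessary vs everything else.
const STRICTLY_NECESSARY = "strictly-necessary";
const NON_ESSENTIAL = "non-essential";

// Offline stand-in for document.cookie (constructed for this example).
function createMemoryStore() {
  const jar = new Map(); // name -> value, insertion-ordered
  return {
    set(name, value) { jar.set(name, value); },
    names() { return [...jar.keys()]; },
  };
}

// Browser adapter over document.cookie; pass `document` in a real page.
function createDocumentStore(doc) {
  return {
    set(name, value) {
      doc.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax`;
    },
    names() {
      return doc.cookie.split(";").map(s => s.trim().split("=")[0]).filter(Boolean);
    },
  };
}

// registry: { cookieName: category }, i.e. the output of your cookie audit.
function createConsentGate(store, registry) {
  let consented = false;
  const deferred = []; // non-essential writes requested before consent

  function setCookie(name, value) {
    const category = registry[name];
    if (category === undefined) {
      // A cookie the audit never recorded: refuse rather than guess.
      throw new Error(`cookie "${name}" is not in the audit registry`);
    }
    if (category === STRICTLY_NECESSARY || consented) {
      store.set(name, value);
      return true; // written immediately
    }
    deferred.push([name, value]);
    return false; // held back until grantConsent() is called
  }

  function grantConsent() {
    consented = true;
    // Flush the writes that were held back: the notice preceded the cookie.
    for (const [name, value] of deferred.splice(0)) store.set(name, value);
  }

  // Classify what is actually present in the store against the registry.
  function audit() {
    const report = { [STRICTLY_NECESSARY]: [], [NON_ESSENTIAL]: [], unknown: [] };
    for (const name of store.names()) {
      const category = registry[name];
      if (category === undefined) report.unknown.push(name);
      else report[category].push(name);
    }
    return report;
  }

  return { setCookie, grantConsent, audit, pendingCount: () => deferred.length };
}

// Usage with constructed cookie names:
//   const gate = createConsentGate(createDocumentStore(document),
//     { sessionid: STRICTLY_NECESSARY, analytics_id: NON_ESSENTIAL });
//   gate.setCookie("sessionid", "...");      // written at once
//   gate.setCookie("analytics_id", "..."); // deferred until gate.grantConsent()
```

The gate only covers cookies written through it. Cookies set by a third-party script or by a Set-Cookie response header are outside its reach, so the same deferral has to be applied to loading the analytics script itself (or agreed contractually with the third party, per the ICO's point about who is responsible for consent). The audit() report is also a cheap regression check: any name landing in `unknown` means a cookie appeared that the audit never catalogued.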


In summary

There are still lots of gaps and unknowns regarding the law and the ICO are aware of this. However, they are working closely with industry and their European colleagues to establish examples of best practice with which they can drive adaptation forward. In the end I am still hopeful that a healthy balance can be struck that both ensures people’s privacy is respected and avoids a 90% loss in measured site traffic. Until then, let’s see what’s in the forthcoming ICO guideline...    

References:

(1) ICO, Guidance on the rules on use of cookies and similar technologies

(2) PwC, Internet Cookies (final report)