Who’s afraid of the Cookie Monster…? – facing up to the ICO requirements

In IT circles at the moment, there is a frantic buzz as companies scramble to show compliance with the so-called “Cookie Directive”. When it was implemented in May 2011, the Information Commissioner’s Office (ICO) of the UK gave an initial indication that they would allow a 12-month “grace period” for organisations to bring their websites in line.

That grace period ends on May 26th, and in true Agile/Lean/Just-in-time style, this means that many of these organisations are now looking to show that they are complying with the new requirements.  The threat of fines up into 6 figures might have something to do with it – this new “cookie monster” has potentially very sharp teeth!

The aim of the “Cookie Directive” was to reflect a European Union requirement (the ePrivacy Directive) that all sites which use technology such as cookies must only do so on the basis of having collected “informed consent” from visitors to the site.  The two key points from this are:

1) the requirement that users must be presumed to have refused permission unless they explicitly “opt in” – in contrast with previous legislation that allowed sites to presume they had received permission unless they explicitly “opt out”

2) the requirement that users can only be presumed to have given “informed consent” when they understand what they are doing.

The first requirement, in combination with the ICO’s advice that it is not acceptable to rely on browser settings alone (at least for the moment – there is talk that this may be revised as the big browsers release new versions reflecting the requirements…), means that organisations have to think actively about how to go about gaining consent in an explicit manner.

The second requirement, by contrast, is making organisations work out how to state clearly, and in language comprehensible to non-technical website users, what cookies they have and what they do with them.  This is having the beneficial side-effect of educating site owners as to what they are actually using cookies for (and perhaps introducing them to what they could be using them for…).

The loose nature of the guidance provided thus far by the ICO has led many organisations to start looking down the path of “implied consent” – namely that the user, by virtue of their actions, can be judged to have given consent without explicitly ticking a box.  Whilst the line of argument around browser settings has been closed off, at least for the moment, there is some thought going into an approach involving flagging up visibly and clearly to a user that a site uses cookies, with the opportunity to get complete details, and then including a message along the lines of “By continuing to use the site, you consent that you accept our use of cookies as described”.

Whether this is classed as compliant by the ICO is one of many questions that remain to be answered, but as noted by Dave Evans, their Group Manager for Business & Industry, in an interview with EConsultancy.com:

“We will enforce the law proportionately. We’ll look at the risks if and when customers complain to us. If a website’s cookie and privacy is a risk to many people, we may then take action … not all cookies are equal, and our enforcement approach will bear this in mind”

As with so many things in life, there are as many possible approaches as there are people looking at the challenge, but the International Chamber of Commerce (ICC) offers some interesting guidelines into cookie classification and suggested approaches to consent in their ICC UK Cookie Guide – the suggested approach to generating an “industry best practice” in there offers hope that once some approaches are shown to be compliant and work well, users will be able to expect some level of similarity in experience, all of which helps with the aim of them being more informed when making their decisions.

In the meantime, we can all exercise our creativity in working out how to provide the necessary information and gather consent from users, without excessive adverse effects on user experience.

A few examples of how it has been done so far:

– The ICO’s own site has a fairly basic interface

– Fife Council have a rather robust approach to highlighting the content inline, but their header bar gives fairly clear information as to what cookies they use and what the options are

– As might be expected of a large corporate entity, BT have a fairly graphically involved explanation of what is used.

2 thoughts on “Who’s afraid of the Cookie Monster…? – facing up to the ICO requirements”

  1. Chris Dawson (@tallhat) May 14, 2012 / 4:05 pm

    any specific thoughts on google analytics cookies? – this seems like a very grey area at the moment. there’s also the wording about ‘essential’ v ‘non-essential’ cookies i believe?

    • patkingsbury May 14, 2012 / 4:58 pm

      GA cookies are indeed something of a grey area – though not generally on account of the “essential” vs “non-essential” divide. Most people would admit that, however useful they are to site owners, they do not fit the definition of essential. However, they do fall into the gaping divide that concerns what to do with “third party” cookies.

      Third party advert cookies are the principal target of the legislation, and are quite clearly covered. But where do third party cookies such as GA, which are usually used only for “first party” purposes, fit into this? Going by what Dave Evans at ICO has written, it doesn’t sound like they are planning on frog-marching anyone off for retaining these tracking cookies, but assuming people are planning to comply with the ruling in full, the probable effect is that organisations will go down the route of implied consent – along the lines of:

      “We use GA cookies on this site, this is what we use them for, and this is how you turn them off. Click here for more info. By continuing to use the site without changing settings, you consent to the use of these cookies. Click here to hide this notice in future” (with links as appropriate to privacy policies, cookie info pages, etc)

      What appears to be forming up as best practice on Essential cookies is to identify what these are and what they do, without giving any kind of control. Non-essential cookies that no longer serve a useful purpose are generally being removed, and this clearing up of the cookie detritus of sites is a happy side-effect of the audit process. Non-essential cookies that a site does wish to retain look likely to be made optional, possibly categorised into different groups, and the user then gets the option to confirm what, if any, they wish to retain.

      Handling this discretionary issuing of cookies is where the more intricate parts of the technical challenge come in, especially when looking to deal with cookies issued by 3rd-party sites (social media sites seem particularly keen on carpeting users with cookies whenever anyone touches them…!)
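As an added illustration of the discretionary issuing described in the reply above (example code, not from the post or its author), the following sketch only sets a non-essential cookie once the visitor has opted in to its category, and drops cookies whose category is later refused. Cookie names and categories are constructed placeholders from a hypothetical audit, and a Map stands in for document.cookie so it runs outside a browser.

```javascript
// Consent-gated cookie issuing: essential cookies are always allowed, non-essential
// ones only once the visitor has opted in to their category (the opt-in model).
// Constructed example; the jar is a Map so it runs outside a browser (a page would
// wrap document.cookie behind the same get/set/has/delete interface).
const CATEGORIES = {
  essential:   { consentRequired: false },
  analytics:   { consentRequired: true },   // e.g. Google Analytics
  advertising: { consentRequired: true },   // third-party advert cookies
};
// Result of the cookie audit: every cookie the site issues, with its category.
// Names are constructed placeholders, not a real audit.
const COOKIE_REGISTRY = { session_id: 'essential', _ga: 'analytics', ad_pref: 'advertising' };

function createConsentManager(jar) {
  const CONSENT_COOKIE = 'cookie_consent';   // itself essential: it records the choices
  function readConsent() {
    // No record means the visitor has not opted in: presume refusal.
    try { return JSON.parse(jar.get(CONSENT_COOKIE) || '{}'); } catch (e) { return {}; }
  }
  function recordConsent(choices) {
    // Store an explicit true/false for each non-essential category only.
    const stored = {};
    for (const [cat, meta] of Object.entries(CATEGORIES)) {
      if (meta.consentRequired) stored[cat] = choices[cat] === true;
    }
    jar.set(CONSENT_COOKIE, JSON.stringify(stored));
    return stored;
  }
  function isAllowed(category) {
    const meta = CATEGORIES[category];
    if (!meta) return false;                 // unregistered category: refuse
    return !meta.consentRequired || readConsent()[category] === true;
  }
  function setCookie(name, value) {          // true if set, false if withheld
    const category = COOKIE_REGISTRY[name];  // unregistered cookie: refuse
    if (!category || !isAllowed(category)) return false;
    jar.set(name, value);
    return true;
  }
  // After the visitor changes their choices, drop cookies whose category is no
  // longer consented to; returns the names removed.
  function purgeRefused() {
    const removed = [];
    for (const [name, category] of Object.entries(COOKIE_REGISTRY)) {
      if (jar.has(name) && !isAllowed(category)) { jar.delete(name); removed.push(name); }
    }
    return removed;
  }
  return { readConsent, recordConsent, isAllowed, setCookie, purgeRefused };
}
```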
