Bob Mitchell

Technical Account Manager - wrangler of things, projects and people.

Contact me:

bob dot mitchell at scl dot com

Twitter: @boborama

LinkedIn: bobmitchell

Google+: +boborama

Using cookies in the UK

Here’s my take on reading the Information Commissioner’s Office (ICO) document titled ‘Changes to the rules on using cookies and similar technologies for storing information’ (version 1 – pub 09/05/11).

My worries revolve mostly around the implications for our own site (scl.com) and our customers using Web Analytics solutions, most notably the Unica (now IBM) NetInsight product – but the full implications go much wider than that – including the nearly ubiquitous Google Analytics.

While I am the current UK Country Manager for the Web Analytics Association (WAA), and I don’t think that I’m saying anything particularly contentious, this isn’t written from any official WAA stance.

Most of the press coverage has repeated the summary that the ICO published – but that didn’t answer all of my questions – so I read the above document in the hope of understanding things better.

(all emphasis mine)

“These changes apply to storage or gaining access to information stored, in the device of a subscriber or user. This means the use of cookies and similar technologies for storing information.”

So – this impacts HTTP cookies, Flash LSOs, HTML5 canvas hacks and anything that persists an ID by storing it on the client. It doesn’t seem to impact the use of ‘passive’ methods based on IP address, user agent or other ‘fingerprints’ (so long as we don’t try and store anything).

The new rules state that the user … “has given their consent.”

“... consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”

Woo! That means that we can just take the fact that the user agent allows the cookie to signify consent. But wait:

“At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. [...] for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.”

Oh. That sucks. Still:

“You need to provide information about cookies and obtain consent before a cookie is set for the first time. Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future.”

There is one key exception – not that it will help web analytics users:

“The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service [explicitly] requested by the user.” (e.g. shopping baskets)

The guidance does acknowledge web analytics and clarifies that: “An analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent.”

Based on this I think that our own use of cookies on www.scl.com needs to be eliminated and other, passive, methods used until visitors hit a site feature where they’re fairly committed already. Furthermore I can see no effective way to make Google Analytics compliant right now.

source: http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf
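One way to structure the "consent before a cookie is set for the first time" rule and the "strictly necessary" exception quoted above is to route every cookie write through a gate. This is an added example, not code from scl.com or the ICO; the cookie names, purposes and the `ConsentGate` class are hypothetical.

```javascript
// Added example: consent gate for cookie writes. All names are hypothetical.
// Each cookie is registered with a purpose; strictlyNecessary marks the
// exception the guidance describes (e.g. a basket the user asked for).
const REGISTRY = new Map([
  ["basket_id",    { purpose: "basket",    strictlyNecessary: true  }],
  ["analytics_id", { purpose: "analytics", strictlyNecessary: false }],
]);

class ConsentGate {
  // write(name, value) performs the real storage, e.g. in a browser:
  //   (n, v) => { document.cookie = `${n}=${encodeURIComponent(v)}; path=/`; }
  constructor(write, registry = REGISTRY) {
    this.write = write;
    this.registry = registry;
    this.consented = new Set(); // purposes the user has agreed to
    this.pending = [];          // writes held back until consent arrives
  }

  // Returns "written", "held" or "refused".
  set(name, value) {
    const entry = this.registry.get(name);
    if (!entry) return "refused"; // unregistered cookies are never set
    if (entry.strictlyNecessary || this.consented.has(entry.purpose)) {
      this.write(name, value);
      return "written";
    }
    this.pending.push({ name, value, purpose: entry.purpose });
    return "held";
  }

  // Call when the user agrees to a purpose; flushes the held writes for it.
  grant(purpose) {
    this.consented.add(purpose);
    const ready = this.pending.filter((p) => p.purpose === purpose);
    this.pending = this.pending.filter((p) => p.purpose !== purpose);
    for (const p of ready) this.write(p.name, p.value);
    return ready.length;
  }
}

// Constructed walk-through: an array stands in for the browser's cookie jar.
function demo() {
  const stored = [];
  const gate = new ConsentGate((n, v) => stored.push(`${n}=${v}`));
  const results = ["basket_id", "analytics_id", "mystery"].map((n) => gate.set(n, "v1"));
  const flushed = gate.grant("analytics");
  results.push(gate.set("analytics_id", "v1")); // same purpose, no second prompt
  return { results, stored, flushed };
}
```

The gate keeps consent in memory only; where the consent decision is persisted between visits is left to the site.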

  • Mark Walker

    Posted at 2011-05-10 10:37:00

    Bob

    Good points but what are your thoughts on this new ruling being 'un-enforceable'? I've heard several web analytics guys suggest we just do nothing as GA (for example) is so common there is no way to bring everyone to heel.

  • Bob Mitchell

    Posted at 2011-05-10 10:45:00

    It's not so much unenforceable (that's easy enough, the ICO has a number of methods to force compliance) as unlikely to be enforced.

    Just like the laws covering email signatures.

    That doesn't mean that we shouldn't attempt to comply wherever possible. Or does it?

  • Adam Tudor

    Posted at 2011-05-10 11:02:00

    I expect the browsers to respond to this, and though there might be a point in time where consent has to be provided across major sites, I think (and hope) the browsers will make changes to their programs so that cookie consent can be allowed from within the programs across websites as needed. I'm not sure what they mean by "not sophisticated enough", maybe they just want a dialogue box to ask users to commit to cookie storing on all websites when your browser loads?

    It seems to be the simplest solution to the issue. It will be very interesting to see how this progresses and is policed in the future.

  • Bob Mitchell

    Posted at 2011-05-10 11:10:00

    Adam - we can only hope so - but that's going to be years away - and even then you're still meant to get consent for people that haven't pre-flagged consent.

    The technical solution to this in browsers isn't going to come from the UK or the EU - it'll probably come from the US - where there seems to be more industry heat, but less actual legislation right now.

    Sadly the US efforts mostly seem focussed on the Advertising industry rather than #measure.

    This isn't going away for ~10 years.

  • Neil Williams

    Posted at 2011-05-13 10:24:00

    I believe that the comment "most browser settings are not sophisticated enough to allow you to assume that the user has given their consent" is related to the "Do Not Track" feature now part of Firefox 4.

  • Bob Mitchell

    Posted at 2011-05-13 10:52:00

    I just found that setting - Options->advanced->general 'tell websites I don't want to be tracked' (in FF 4.0.1 win32) - I hadn't ever bothered to figure out where it was buried before (why isn't it under 'privacy'?)

    I think we could take the presence of the setting to mean something, but I don't think that the absence of it could be used to imply informed consent.

    While some browsers have that feature it is also going to get set by other 'anti-everything' applications (ABP does it by default) - perhaps the user is just wanting to block ads, but is happy to be 'tracked'.

    And anyhow, how should we interpret it? Not set cookies? Record the fact that they don't want to be tracked and not load them into your WA solution? Allow this to be overridden by a subsequent opt-in on a form?

    The do-not-track header is interesting, but until consensus is reached as to its meaning I don't think we can really do anything with it.

    Browser controls for cookies have been with us for ever - the technical solution (at least the framework) has already been given (P3P anyone?) - this is a social / education issue.

    I feel another article coming on.
