- Published on Tuesday, 10 May 2011 10:45
- Written by Bob Mitchell
Here’s my take on reading the Information Commissioner’s Office (ICO) document titled ‘Changes to the rules on using cookies and similar technologies for storing information’ (version 1 – pub 09/05/11).
My worries revolve mostly around the implications for our own site (scl.com) and our customers using Web Analytics solutions, most notably the Unica (now IBM) NetInsight product – but the full implications go much wider than that – including the nearly ubiquitous Google Analytics.
While I am the current UK Country Manager for the Web Analytics Association (WAA), and I don’t think that I’m saying anything particularly contentious, this isn’t written from any official WAA stance.
Most of the press coverage has repeated the summary that the ICO published – but that didn’t answer all of my questions – so I read the above document in the hope of understanding things better.
(all emphasis mine)
So – this impacts HTTP cookies, Flash LSOs, HTML5 canvas hacks and anything that persists an ID by storing it on the client. It doesn’t seem to impact the use of ‘passive’ methods based on IP address, user agent or other ‘fingerprints’ (so long as we don’t try and store anything).
The new rules state that the user … “has given their consent.”
“… consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”
Woo! That means that we can just take the fact that the user agent allows the cookie to signify consent. But wait:
Oh. That sucks. Still:
“You need to provide information about cookies and obtain consent before a cookie is set for the first time. Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future.”
There is one key exception – not that it will help web analytics users:
“The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service [explicitly] requested by the user.” (e.g. shopping baskets)
The guidance does acknowledge web analytics and clarifies that: “An analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent.”