Monthly Archives: May 2012

The Cookie Monster is here

Cookie Monster

The UK’s implementation of EU Cookie regulations come into force this Saturday and the web design world is frantically trying to work out what to do! Firstly a bit of background into cookies and why we are where we are!

Cookies make the web go round – they’re how a website remembers who you are so you don’t have to remind it every time you load a page; they allow websites to personalise what you see; they make online shopping possible by remembering what’s in your shopping basket and they allow website owners to track the performance of sites to determine what’s working and what isn’t. Suffice to say without cookies the web would be a sorry place.

But they also have the potential to be abused. They can reduce your privacy on the web by tracking what you do on the web. By linking information together it could be possible for sites to build up a detailed profile of your online behaviour and the EU decided to act to better protect users’ privacy.

The UK’s implementation of the EU regulations is being enforced by the ICO who have issued guidance but things are never that simple! There isn’t – so far – an accepted “right” solution to compliance. The ICO themselves have taken quite a hardline approach – a bar across the top of every page asking for permission to set cookies. When this launched it had a devastating affect on their ability to analyse site usage which is vital if you’re going to build good websites.

BT and the BBC take a bit more of an opt-out approach by telling site visitors they will receive cookies unless they say otherwise.

These show the first time a visitor comes to the site and in BT’s case disappears after 10 seconds – much less off-putting and probably clearer than a simple “Do you want cookies?” prompt, but is it enough to satisfy the ICO? Only time will tell!

While the implied consent may still be unknown one thing that is generally agreed is that providing the user with more information in a form that they can understand is a Good Thing™ so that’s where we’ve started.

[I should note much of what we’ve implemented so far is based on a very pragmatic post by James Cridland of Media UK]

  1. We’ve added notices to key login pages like GO to say that you’re going to have to accept cookies if you want to log in. We’ll expand this to other services like the online shop and Rose Theatre ticket office in due course.
  2. We’ve added a Cookies page the the site listing how we use cookies and what for. I’m sure this isn’t 100% complete so if anyone would like to let me know gaps then please shout!
  3. We make a distinction between cookies which link to personal information and those that don’t.
  4. We link to instructions on how to manage cookie settings and mention “private browsing” modes in modern browsers as an easy alternative.

As James says in his post #3 is the most contentious:

ICO is primarily concerned with personal information and personal data – and I’m registered under the Data Protection Act and take personal data very seriously. However, Google Analytics and AdSense cookies, etc, are anonymous, and will only ever contain personal information if you deliberately log in to Google services (and even then Google claims not to link Analytics or AdSense with your Google account anyway). The same goes for Twitter and Facebook too. And the ICO go out of their way to say, in their advice: Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

What does this look like? The cookie page is linked to from the header and footer of every page:

The Learning Edge landing page is a bit more explicit about how it makes use of cookies:

Depending on feedback from our users and others in the sector we may roll out some form of non-interrupting information box along the same lines as the BBC’s approach. We have also done some work on a cookie level chooser like BT have but the technical implementation across multiple in-house and third party systems is non-trivial.

If you have any feedback or questions about Edge Hill’s approach to cookie legislation compliance please leave a comment or get in touch and I’m sure there will be more changes to come!