The Cookie Monster is here


The UK’s implementation of EU Cookie regulations comes into force this Saturday and the web design world is frantically trying to work out what to do! Firstly, a bit of background on cookies and why we are where we are!

Cookies make the web go round – they’re how a website remembers who you are so you don’t have to remind it every time you load a page; they allow websites to personalise what you see; they make online shopping possible by remembering what’s in your shopping basket and they allow website owners to track the performance of sites to determine what’s working and what isn’t. Suffice to say without cookies the web would be a sorry place.

But they also have the potential to be abused. They can reduce your privacy on the web by tracking what you do on the web. By linking information together it could be possible for sites to build up a detailed profile of your online behaviour and the EU decided to act to better protect users’ privacy.

The UK’s implementation of the EU regulations is being enforced by the ICO who have issued guidance but things are never that simple! There isn’t – so far – an accepted “right” solution to compliance. The ICO themselves have taken quite a hardline approach – a bar across the top of every page asking for permission to set cookies. When this launched it had a devastating effect on their ability to analyse site usage which is vital if you’re going to build good websites.

BT and the BBC take a bit more of an opt-out approach by telling site visitors they will receive cookies unless they say otherwise.

These show the first time a visitor comes to the site and, in BT’s case, disappear after 10 seconds – much less off-putting and probably clearer than a simple “Do you want cookies?” prompt, but is it enough to satisfy the ICO? Only time will tell!

While the implied consent may still be unknown one thing that is generally agreed is that providing the user with more information in a form that they can understand is a Good Thing™ so that’s where we’ve started.

[I should note much of what we’ve implemented so far is based on a very pragmatic post by James Cridland of Media UK]

  1. We’ve added notices to key login pages like GO to say that you’re going to have to accept cookies if you want to log in. We’ll expand this to other services like the online shop and Rose Theatre ticket office in due course.
  2. We’ve added a Cookies page to the site listing how we use cookies and what for. I’m sure this isn’t 100% complete so if anyone would like to let me know gaps then please shout!
  3. We make a distinction between cookies which link to personal information and those that don’t.
  4. We link to instructions on how to manage cookie settings and mention “private browsing” modes in modern browsers as an easy alternative.

As James says in his post #3 is the most contentious:

ICO is primarily concerned with personal information and personal data – and I’m registered under the Data Protection Act and take personal data very seriously. However, Google Analytics and AdSense cookies, etc, are anonymous, and will only ever contain personal information if you deliberately log in to Google services (and even then Google claims not to link Analytics or AdSense with your Google account anyway). The same goes for Twitter and Facebook too. And the ICO go out of their way to say, in their advice: Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

What does this look like? The cookie page is linked to from the header and footer of every page:

The Learning Edge landing page is a bit more explicit about how it makes use of cookies:

Depending on feedback from our users and others in the sector we may roll out some form of non-interrupting information box along the same lines as the BBC’s approach. We have also done some work on a cookie level chooser like BT have but the technical implementation across multiple in-house and third party systems is non-trivial.

If you have any feedback or questions about Edge Hill’s approach to cookie legislation compliance please leave a comment or get in touch and I’m sure there will be more changes to come!

6 thoughts on “The Cookie Monster is here”

  1. A thoughtful and very honest approach. Did you consider using Blackboard’s new cookie declaration – appears on login – or did it not fit your needs?

  2. We considered the Blackboard Building Block but IMO it’s a little too heavy-handed and an informed-implied-consent approach seems a better approach.

  3. Implied consent is still informed consent. So if the website is using cookies, the user isn’t consenting to them unless it’s clear from what they are doing that cookies would be involved – which I would guess isn’t the case with analytics and, depending on how well you know your users to understand the way the internet works, probably isn’t the case anywhere. Simply including a link to a privacy and cookies page is not getting consent by any reading of the guidance. Implied consent means that by visiting and continuing to use your site, the user knows what they are getting into. You are assuming that they are going to, of their own volition, go and read a page that hasn’t in any particular way been highlighted to them.

    I’ve had a look at the pragmatic post to which you linked. It seems to be saying that because ICO are unlikely to prosecute, you don’t really need to mention analytics. Cridland calls it a liberal reading, though I’d suggest it was basically dishonest*. As JISC say, (http://www.jisclegal.ac.uk/ManageContent/ViewDetail/ID/2051.aspx), “the use of Google Analytics without prior explicit consent [is] likely to be non-compliant, but not the focus of enforcement. As a priority, you should ensure that information about the use of website cookies at your college or university is clear and prominent.”

    * Cridland’s reading extends to Facebook and other social media cookies. I’m not sure there are any less anonymous cookies on the internet.

  4. This is our first attempt at doing something and I’m sure we’ll be doing more in future. Currently we’re focusing on cookies which track personally identifiable information – those used in logging in to our systems. Many other cookies – including those which are “bad” like Facebook – either don’t track personal information (Google Analytics) or aren’t our cookies (Social Media sites).

    While I’m not claiming we’re 100% compliant, it’s more than others in the web and Higher Ed community are doing and as I said in the JISC podcast, the best approach for us all to take will be the one that users understand and provides them with a real understanding of how their information is being used. That could be banners that flash up on first use, it could be the ICO’s draconian approach of blocking all cookies without explicit consent, or it could be that browsers solve the problem for us. Doing nothing clearly isn’t an option, but doing the wrong thing is just as damaging.
