Meeting at Cornerhouse, Manchester about the forthcoming EC website cookie regulations, February 24th, 2012
A new EC law regulating use of website cookies becomes enforceable on May 26th, 2012. It means that, as web site operators, cultural institutions need to provide information for web users about site cookies used, and they need to obtain consent from readers before a cookie is set on a user’s computer for the first time. The new law will be policed by the Information Commissioner’s Office [ICO] and they have the regulatory power to levy fines of up to £500k.
In February, Manchester-based web developers, Reading Room, held a seminar about the implications of the new law for website owners and developers. RR have worked with ICO as their web contractors and also on technical advice regarding the new law. The lunchtime session was attended by David Evans from the ICO, who talked about the official position, as the deadline for compliance gets near.
Gary Bryne introduced Reading Room Manchester and told what a cookie is: a simple bit of info stored on a user’s computer to record website use, or various other kinds of info; the user’s computer gives the website back the cookie when the user revisits the site. Cookies have been around since the mid-90’s, though they’ve only been an issue for privacy campaigners in the last few years, since the rise of web 2.0 and social media, amongst other things, according to Reading Room.
So where are cookies used? Pretty much everywhere on the web, but typically, in sites with log-ins; where e-commerce sites have ‘shopping carts’; and in places like Amazon, where cookies are used increasingly to predict user choices based on previous visits.
What’s changed since the beginning of the web? Surely that simple, original, HTML vision is still how the web works? Well, no, not any more. The web has changed vastly. Cookies oil the wheels of web 2.0, tracking your pathways from place to place, helping sites work quicker for you, making them more accessible, allowing fewer clicks to get you where you want to go.
But back in those early days, it could be said, cookies were created naively, and they were often sprinkled all over web sites – most websites don’t realise how many they have. Even the ICO didn’t know how many they had themselves.
David Evans introduced the background to the new cookie laws. So why should we care about cookies? In fact, it’s because of new EC digital regulations that came into law in May 2011 – a year ago. The ICO has been talking about this for two years and now it’s got urgent, after a year’s grace period for industry to accommodate the law, according to Evans.
“My work revolves around privacy,” said Evans. “Websites today create and capture a lot of info. There was a perception that privacy was being abused. But cookies are often necessary to the digital industries.”
“The content economy needs to draw in revenue. Advertisers wanted to build revenue. Publishers and networks wanted to target ads and earn more revenue. It’s about making meaningful connections, via cookie use, to target ads better.”
And so collecting info using cookies was the start of this. They’re used to profile the interests of web users and build a picture of associative connections. A few years ago, after the first curve of web 2.0 happened, people got fed up with inaccurate profiling through places like Amazon. You know the kind of thing:people who bought this – xxxxx – also bought these – xxxx. “Ironically,” says Evans, “The same people who object to inaccurate profiling, are often the people who object to cookies being set on websites and their movements being tracked.”
So for Evans and the ICO, the new EC law isn’t actually a negative or repressive rule; it’s possibly an helpful opportunity to ensure that people are aware of, and comfortable about, what you are doing on your site to collect user information.
And as he says, people have repeatedly expressed that they want more meaningful content online. Paradoxically, according to Evans, 75% of Americans say they would not consent to being tracked online – but then who would say yes when asked that question?
The new law
This says users have to give consent before collecting cookies, but this can be given in a number of ways, including what ICO call ‘implied consent.’ ICO say there are a number of ways this consent can be given. Browser tools or tabs are mentioned as a key way for cookie permissions to be requested. This might mean a pop-up box appearing when you visit any new site asking a simple one-off question about permission to use ways to remember your visit to a site.
Browser settings are another option as a cookie control; here a pop-up box might ask users to attend to their own browser settings, for instance, by clicking cookies ‘off’ in the Tools/Options menu. At the moment, and since the web started, browsers are the way most users choose or reject cookies, if they’re bothered by them.
It’s the developer or publisher’s responsibility to sort cookie access, so the key question for developers and publishers of websites is this: what have you done to ensure consent is given? According to Evans, it’s more than that though. This could be a chance to develop a positive outcome; why miss an opportunity to be more open with your users about how you provide the services they want?
David Evans: “The old EC law was about cookie notification in the T&C’s. This law is different, it’s clearer, more prominent, in easier terms.” According to Evans, the first step is to get fully involved. Work with your developer or webmaster to do a cookie audit. “At the ICO we found out we set seven – and we didn’t know what they all did!” he said.
So it’s clearly important to know what your site is doing. The simple steps described at the Reading Room meeting was this: follow ICO advice; audit, prioritise, and review. Another message was about having a planned approach; in the first instance, look for quick wins. Update existing privacy policies and cookie info, and make the info more prominent.
See how other people do it; check where else you get online consent and how you get it. Can you adapt other routes or techniques? Look for help; industry-led initiatives that have had ICO input already will not go far wrong.
Evans: “Tell people what you’re doing. We’re not really concerned about neutral cookies, but if you’re gathering secretly, a big database of info about the public, we’d be keen to stop that.”
ICO are aware of digital sector anxiety about cookie warnings scaring off web users. Evans advises publishers to consider what you call cookie warnings; what else can you call them? It might be that other buttons or functions involving user-choice can be construed as consent. For example, consider using log-in accounts or registration; consent can then be given as part of the log-in. However, it wouldn’t be good practice to bury or disguise a notice of cookie setting.
What to do – the ICO view
1. Look for help from other organisations: the International Chambers of Commerce are researching options, amongst others
3. Developing an incremental approach is probably the right way
4. Recognise challenges of implementing these requirements in your strategy
5. At this stage, ICO expect orgs to set out a realistic plan to achieve compliance
6. The warning period is nearly over; after it, ICO may have less patience about implementation
7. Guidance on ICO website is clear and allows flexibility
8. It’s about thinking of your own ways to do this – not relying on ICO to recommend ways to run your own businesses
There will be revised guidance in the run up to the end of the 12 month period in May 2012. ICO will notify areas of priority where they care about things, and some notion of where they won’t be looking so hard. “In summary – we all need to be much better at telling people how our websites work!” said David Evans of the ICO. “Get out there, assess what is intrusive, and do something about it.”
Frequently asked questions
Q: Is everyone taking it seriously? Reading Room: none of the big media or business sector players are actioning responses yet. The BBC point people to a cookies policy page, and describe to people how to opt out by changing browser settings; this was described by David Evans as a minimalistic approach. Across Europe, no-one seems to be really being creative or consistent about responses . In Germany the approach taken by regulators is that prior consent has to be given explicitly to cookies, but in France and Spain a much more relaxed view is being taken.
Q: What are the barriers to compliance?
• There’s a lack of awareness everywhere, whether site users or publishers
• Ugly cookie notifications are not wanted by most commercial or business users
• Could splash pages warn about cookies? RR: ICO asked for a splash page. We said, don’t think you want that. It would have led to a repeating experience every time the user visited ICO site.
Q: What are the essential cookies allowed by EC law? David Evans, ICO: CMS cookies and e-commerce cookies. OK, so what are the non-essential cookies? DE: Google Analytics tracking – but ICO are likely to be lenient about this. With preferences for site users; forms on sites – user should be advised beforehand
Q: what are the preferred solutions?
• Implied consent – e.g. by clicking a button or tab that opens up a site section, shopping basket or facility like a user-registration panel, consent for the site to drop cookies on the user’s device is assumed to have been given. Implied consent is enshrined in English law
• Not exempt? Prior consent via permission tab, etc.
• In-page consent – simple yes or no box when sending in form
• Pro-active advisement – make it clear and simple early on in a site that cookies are being used
Q: Who is doing it well?
• Cookie Collective – looks good and makes consent a feature
• Pro-active advisement – Reading Room have developed a small animated flash object that can be put on any site, like an open source button. Look here for a demo: http://weusecookies.biz/
Q: What should we do, in simple terms?
• A cookie audit
• Update Ts&Cs with cookie info
• In-page prior consent
• Implied consent
• Pro-active advisement
• Test the ideas with users, they will know what works best
Q: How likely are fines?
DE: “ICO can levy fines up to £500k. But damage, harm to individuals, a provable case where malice or mischief is proven, are hard to evidence and prove. It’s difficult to see how we might get into a situation where a £500k fine is levied as a result of continued and personally damaging activity as a result of cookie use on websites.”
Q: What are Google doing?
DE: They are doing some work, but they are a worldwide company, and EU territorial law doesn’t necessarily have primacy internationally
Q: What happens with third party content on a website like ads served by a third party? DE: ICO would come to the site owner, not the ad server.
Q: Who can guide culture sector organisations?
DE: ICO are the people to give guidance for third sector and charity and culture orgs. The message? Get info out there, nobody quite knows what compliance looks like. There are people offering services as cookie auditors – be very circumspect about this – it could be another web2k situation.
Q: What about sites based outside the UK?
Territoriality is complex. It’s about complying with UK law, so UK law applies here. Where is the company usually based?
References and further reading
Reading Room cookie law blog post with links to presentations from the Manchester seminar – http://blog.readingroom.com/2012/02/24/we-need-to-talk-about-cookies-resources/
ICO presentation about cookie law – http://blog.readingroom.com/wp-content/uploads/2012/02/ICO_We-need-to-talk-about-cookies.pdf
ICO index page on cookie law – http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
ICO official guidance on meeting the law: [.pdf] http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx
Excellent summary and guidance for HE/FE sector and GLAMs from UKOLN’s UK Web focus dept, written by Brian Kelly – http://www.jisc.ac.uk/inform/inform33/CookieLaw.html
Plain language guidance from Brian Kelly about earlier research – http://ukwebfocus.wordpress.com/2011/12/15/the-half-term-report-on-cookie-compliance/
Great plain language article by Dafydd Vaughan on the GDS website – http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/
Good basic guidance – http://www.cookielaw.org/
News release from ICO on progress across web sector – http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx
The JISC view – http://www.jisclegal.ac.uk/ManageContent/ViewDetail/ID/2051/What-does-the-new-cookie-legislation-require-us-to-do.aspx
How industry sees it – http://www.searchengineworkshops.co.uk/blog/google-analytics/cookies-and-google-analytics.html