My family uses in the internet a lot, we use it to shop online, book holidays, search for stuff and we all conduct research in various forms, as I suspect most people do.
So when speaking to some of my family the other day, I asked them about the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and to my shock horror they knew very little, in fact nothing about it whatsoever. It was understandable from my kids who are only 7 and 5, but my wife, who shops online more than I do, didn’t know anything about it.
I wasn’t actually shocked, whilst privacy is important (and it really is) most people don’t really know what the legislation is even trying to do or guard them against…I suspect most people will in fact get frustrated with simply clicking on a “accept or deny” cookie button on every website they visit.
I’m not going to get into a debate here about whether or not the legislation is actually the right thing to do, but i’ll just remind myself of one of the main intentions – this is a quote from the the Information Commissioner’s Office (ICO) website.
It should be remembered that the intention behind this Regulation is also to reflect concerns about the use of covert surveillance mechanisms online. Here, we are not referring to the collection of data in the context of conducting legitimate business online but the fact that so-called spyware can enter a terminal without the knowledge of the subscriber or user to gain access to information, store information or trace the activities of the user and that such activities often have a criminal purpose behind them.”
So how does a web manager / website owner start to tackle this problem.
Well i’d certainly recommend following the steps suggested in the Government Digital Services (GDS) “Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites” [ pdf warning ] – it suggests starting with an audit…which is the best starting point in my opinion. One other thing i’d suggest doing is revisiting your existing privacy statement on your website.
There is an interesting and pragmatic stance being taken by the GDS as outlined in this post by Dafydd Vaughan. You can read a variety of views on the comments of this post which all contribute to a confused space…the one thing you can be sure on, is that we all have to do something pretty quickly.
But i’d thought i’d expand slightly otherwise this would be a pretty pointless post
One of the most obvious places to start is in fact the organisation’s website who have provided the guidance on this legislation in the UK – the Information Commissioner’s Office (ICO).
I’m ok with this approach in general, although it sort of feels like an advert at the top of the page with one of those “click here to sign-up” options, but it sort of works. Other methods are being used which you can read about here. I’m not sure which is best to be honest, i think after a while a consistent approach will emerge, but it is too soon to really work that out.
When reading the ICO’s recent guidance it actually refers to the approach the ICO is taking itself and states:
Can I copy the Information Commissioner’s solution?
The Information Commissioner’s website www.ico.gov.uk uses a banner that informs users about cookies and gives them the chance to consent. Whilst we have no objection to organisations seeing if this option would work for them any solution has to be appropriate to an organisation’s own needs. We will review the use of the banner in future and may consider other options ourselves.
On the ICO’s privacy notice page – I was intrigued as to what level of in formation they provided in here – I was surprised to see that the google analytics cookie referred to – not because I don’t like google analytics, in fact i personally really like google analytics and use it myself, it’s free and provides good data on visits, visitors, devices, platforms, browsers and a range of other useful features – the reason I was surprised is that many people have been suggesting that google analytics is a target, so i was actually pleasantly surprised.
You can of course use non cookie based analytics, but some people suggest these are actually worse in some cases. I’m not going to get into detail about that here, you can read about that by searching the web.
When clicking through to the google privacy page, which the ICO websites directly links to. It is worth sharing this important piece of information, which in reading a variety of articles and blog posts on this topic i hadn’t noticed anyone picking up on.
This is a quote from the google privacy page
Google’s Use of Analytics Data
Website owners who use Google Analytics have control over what data they allow Google to use. They can decide if they want Google to use this data or not by using the Google Analytics Data Sharing Options. When these options permit it, the data is used to improve Google products and services. Website owners can change these options at any time.
So I checked in my admin settings for one of the sites I have analytics on you can specify in your analytics admin settings not to share the data with anyone, not even google – it was set by default to “do not share”.
So it would be important to know whether if you consent to cookies, how that information is being used…so in the case of the ICO website, it actually fails to tell me – the user – whether or not the information they are collecting is shared with google or simply kept private and used only for service improvement purposes – i’m assuming (not always the right thing to do) that they keep it private.
The one bit of irony in all of this is that whatever someone does, they need a cookie to save the fact that someone has either said no, or they constantly present the same message to the same user over and over again. Depending on your approach, it could be a bit like refusing site pop ups over and over again….
What we can be certain of is the next few months are going to be really interesting. i’d welcome hearing from people as to how you are planning and approaching the legislation.