My family uses in the internet a lot, we use it to shop online, book holidays, search for stuff and we all conduct research in various forms, as I suspect most people do.
So when speaking to some of my family the other day, I asked them about the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and to my shock horror they knew very little, in fact nothing about it whatsoever. It was understandable from my kids who are only 7 and 5, but my wife, who shops online more than I do, didn’t know anything about it.
I wasn’t actually shocked, whilst privacy is important (and it really is) most people don’t really know what the legislation is even trying to do or guard them against…I suspect most people will in fact get frustrated with simply clicking on a “accept or deny” cookie button on every website they visit.
I’m not going to get into a debate here about whether or not the legislation is actually the right thing to do, but i’ll just remind myself of one of the main intentions – this is a quote from the the Information Commissioner’s Office (ICO) website.
It should be remembered that the intention behind this Regulation is also to reflect concerns about the use of covert surveillance mechanisms online. Here, we are not referring to the collection of data in the context of conducting legitimate business online but the fact that so-called spyware can enter a terminal without the knowledge of the subscriber or user to gain access to information, store information or trace the activities of the user and that such activities often have a criminal purpose behind them.”
So how does a web manager / website owner start to tackle this problem.
Well i’d certainly recommend following the steps suggested in the Government Digital Services (GDS) “Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites” [ pdf warning ] – it suggests starting with an audit…which is the best starting point in my opinion. One other thing i’d suggest doing is revisiting your existing privacy statement on your website.
There is an interesting and pragmatic stance being taken by the GDS as outlined in this post by Dafydd Vaughan. You can read a variety of views on the comments of this post which all contribute to a confused space…the one thing you can be sure on, is that we all have to do something pretty quickly.
But i’d thought i’d expand slightly otherwise this would be a pretty pointless post 🙂
One of the most obvious places to start is in fact the organisation’s website who have provided the guidance on this legislation in the UK – the Information Commissioner’s Office (ICO).
They have provided a method which asks you consent to the use of cookies and provides a link to their privacy notice page. [ I consented to cookies if anyone is interested 🙂 ]
I’m ok with this approach in general, although it sort of feels like an advert at the top of the page with one of those “click here to sign-up” options, but it sort of works. Other methods are being used which you can read about here. I’m not sure which is best to be honest, i think after a while a consistent approach will emerge, but it is too soon to really work that out.
When reading the ICO’s recent guidance it actually refers to the approach the ICO is taking itself and states:
Can I copy the Information Commissioner’s solution?
The Information Commissioner’s website www.ico.gov.uk uses a banner that informs users about cookies and gives them the chance to consent. Whilst we have no objection to organisations seeing if this option would work for them any solution has to be appropriate to an organisation’s own needs. We will review the use of the banner in future and may consider other options ourselves.
On the ICO’s privacy notice page – I was intrigued as to what level of in formation they provided in here – I was surprised to see that the google analytics cookie referred to – not because I don’t like google analytics, in fact i personally really like google analytics and use it myself, it’s free and provides good data on visits, visitors, devices, platforms, browsers and a range of other useful features – the reason I was surprised is that many people have been suggesting that google analytics is a target, so i was actually pleasantly surprised.
You can of course use non cookie based analytics, but some people suggest these are actually worse in some cases. I’m not going to get into detail about that here, you can read about that by searching the web.
When clicking through to the google privacy page, which the ICO websites directly links to. It is worth sharing this important piece of information, which in reading a variety of articles and blog posts on this topic i hadn’t noticed anyone picking up on.
This is a quote from the google privacy page
Google’s Use of Analytics Data
Website owners who use Google Analytics have control over what data they allow Google to use. They can decide if they want Google to use this data or not by using the Google Analytics Data Sharing Options. When these options permit it, the data is used to improve Google products and services. Website owners can change these options at any time.
So I checked in my admin settings for one of the sites I have analytics on you can specify in your analytics admin settings not to share the data with anyone, not even google – it was set by default to “do not share”.
So it would be important to know whether if you consent to cookies, how that information is being used…so in the case of the ICO website, it actually fails to tell me – the user – whether or not the information they are collecting is shared with google or simply kept private and used only for service improvement purposes – i’m assuming (not always the right thing to do) that they keep it private.
The one bit of irony in all of this is that whatever someone does, they need a cookie to save the fact that someone has either said no, or they constantly present the same message to the same user over and over again. Depending on your approach, it could be a bit like refusing site pop ups over and over again….
What we can be certain of is the next few months are going to be really interesting. i’d welcome hearing from people as to how you are planning and approaching the legislation.
A journey through life - Carl's Notepad 
Hi Carl
I started a cookies debate on Knowledge Hub https://knowledgehub.local.gov.uk/group/webimprovementandusagecommunity/forum/-/message_boards/message/7530570
Whilst being no expert on cookies I accept “something” needs to be done on local government websites and at the moment there are a load of different approaches.
For our corporate website, http://www.centralbedfordshire.gov.uk, we took the step of removing any cookies that were being used (only 1 or 2 I think). We also don’t use Google Analytics but I won’t bore anyone to death on why not (love it personally!!!).
We use eVisit non cookie analytics so I am intrigued to know how this could be worse…as it may help me rebuild the case for Google analytics.
We do have to consider our “other” websites of which its a never ending story when they pop up here there and everywhere. So, I have been hitting all the sites asking what cookies they use. At the same time, we make them clearly aware of the issue of cookies and its going to be in their court to make sure they are whiter than white! Any web company worth their salt should be aware – and be taking appropriate steps to cover the issue off.
My personal view – I switched my settings to test out for myself and it drove me nuts to have to accept cookies every two seconds!
So, I have to beat the drum internally to ensure we are compliant with something that I see as a way of life online which benefits my fast easy use of multiple websites which remember everything about me and help me spend money faster (damn you Amazon!).
Going to be really interesting to see how local gov sites change with the 26 May deadline not far away!
Cheers
Alan
Thanks for the comment, I’ll join the KHub group next week.
I don’t know why your non cookie analytic’s package would be worse, but I did read a number of posts and articles about non cookie based stats packages potentially being worse over time…but for me if we are clear as to why we are using google and we don’t share the data then I’m happy to accept a potential reduction in user stats, although we will have to wait and see on that.
There is of course the discussion i keep hearing about which is that google analytic’s maybe considered as essential but who knows. Either way as you say we ahve to do something pretty soon
There is of course the new data protection legislation which will change it all next year, so whatever we do is only temporary in my view.