The cookie monster…

Cookie Monster
Cookie Monster - By dnnya17 from Flickr

Following on from my previous post about Cookies and with less than a month to go, I’d thought I’d expand some of my thinking and the “pragmatic” approach I’d like to adopt here in Devon.

Firstly I referred to the guide developed by the Government Digital Services (GDS) “Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites” [ pdf warning ] and I really suggest you download it and read it  – it is in my opinion a very helpful and pragmatic document and provides more practical help than the Information Commissioner’s website

The following quote for me represents the bigger challenge which I feel web managers also need to invest some time in…

The preferred method of compliance with the new regulations i.e. least disruptive to the user experience, would be one based on users’ “implied consent”. In this context “implied consent” can be taken to mean that a user is aware of the implications of taking a certain action and that by choosing to take such action are implicitly giving their consent to the related outcomes.

However, the ICO does not believe it is possible to take such an approach at present because “evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent”.

This emphasises the need to raise the awareness levels amongst users of government websites about the uses and functions of cookies. Consistency in the presentation of cookies-related information will help towards achieving the aim of educating users, so this document sets out a recommended template for departments’ ‘Use of Cookies’ policy

So two points come out of this which are important to acknowledge, the first being implied consent, which sounds like the most logical approach and one which will impact the end-user the least and second Awareness – yes, awareness of what cookies are, what they do and why people need to understand this as they move about the internet.  So as it states the ICO state that you can’t really do implied consent if the levels of awareness of so poor that people are clueless as to what cookies are in use on a given site.

However  – It’s worth remembering I’m trying to provide a pragmatic solution here –  my personal preference is that we in fact do adopt an implied consent model but support with communication and awareness across our site which helps to mitigate any concerns.

I’ve started to experience the “click box” approach on a few websites, the ICO’s included and it really is a nuisance and doesn’t actually demonstrate people understand what they are clicking and what that means to them and disappears once you click on it once, so it fails to address the awareness issue as well in my opinion and is really a worse approach as on return to the sites I visited there isn’t really any clear and visible links to the cookie usage and privacy policy.

So one of the things we will be doing to help with a sustained level of awareness and communication is linking to content which explains what cookies are in a balanced way – Two good examples of this are and its Cookie FAQ section and CookieCentral’s FAQ section.

In support of this we will also be linking to content which helps explain how people manage cookies within their browsers and again provides some really good resources here.

We will also be communicating that our use of google analytics as a service improvement tool will be on the basis that we do not share any data as described in my previous post

I think as a web community we really should offer a consistent approach to communicating about cookies and in my view we shouldn’t be writing or creating this individually. This should be delivered either through a consistent approach to some common and reusable content which can be syndicated or a consistent approach to linking to the same resources. What ever we do the message and awareness should be the same.


Do you accept my cookie

Privacy by Alan Cleaver (flickr)

My family uses in the internet a lot, we use it to shop online, book holidays, search for stuff and we all conduct research in various forms, as I suspect most people do.

So when speaking to some of my family the other day, I asked them about the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and to my shock horror they knew very little, in fact nothing about it whatsoever. It was understandable from my kids who are only 7 and 5, but my wife, who shops online more than I do, didn’t know anything about it.

I wasn’t actually shocked, whilst privacy is important (and it really is) most people don’t really know what the legislation is even trying to do or guard them against…I suspect most people will in fact get frustrated with simply clicking on a “accept or deny” cookie button on every website they visit.

I’m not going to get into a debate here about whether or not the legislation is actually the right thing to do, but i’ll just remind myself of one of the main intentions – this is a quote from the the Information Commissioner’s Office (ICO) website.

It should be remembered that the intention behind this Regulation is also to reflect concerns about the use of covert surveillance mechanisms online.  Here, we are not referring to the collection of data in the context of conducting legitimate business online but the fact that so-called spyware can enter a terminal without the knowledge of the subscriber or user to gain access to information, store information or trace the activities of the user and that such activities often have a criminal purpose behind them.”

So how does a web manager / website owner start to tackle this problem.

Well i’d certainly recommend following the steps suggested in the Government Digital Services (GDS) “Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites” [ pdf warning ] – it suggests starting with an audit…which is the best starting point in my opinion. One other thing i’d suggest doing is revisiting your existing privacy statement on your website.

There is an interesting and pragmatic stance being taken by the GDS as outlined in this post by Dafydd Vaughan. You can read a variety of views on the comments of this post  which all contribute to a confused space…the one thing you can be sure on, is that we all have to do something pretty quickly.

But i’d thought i’d expand slightly otherwise this would be a pretty pointless post 🙂

One of the most obvious places to start is in fact the organisation’s website who have provided the guidance on this legislation in the UK – the Information Commissioner’s Office (ICO).

They have provided a method which asks you consent to the use of cookies and provides a link to their privacy notice page. [ I consented to cookies if anyone is interested 🙂 ]

I’m ok with this approach in general, although it sort of feels like an advert at the top of the page with one of those “click here to sign-up” options, but it sort of works. Other methods are being used which you can read about here. I’m not sure which is best to be honest, i think after a while a consistent approach will emerge, but it is too soon to really work that out.

When reading the ICO’s recent guidance it actually refers to the approach the ICO is taking itself and states:

Can I copy the Information Commissioner’s solution?

The Information Commissioner’s website uses a banner that informs users about cookies and gives them the chance to consent. Whilst we have no objection to organisations seeing if this option would work for them any solution has to be appropriate to an organisation’s own needs. We will review the use of the banner in future and may consider other options ourselves.

On the ICO’s privacy notice page – I was intrigued as to what level of in formation they provided in here – I was surprised to see that the google analytics cookie referred to – not because I don’t like google analytics, in fact i personally really like google analytics and use it myself, it’s free and provides good data on visits, visitors, devices, platforms, browsers and a range of other useful features – the reason I was surprised is that many people have been suggesting that google analytics is a target, so i was actually pleasantly surprised.

You can of course use non cookie based analytics, but some people suggest these are actually worse in some cases. I’m not going to get into detail about that here, you can read about that by searching the web.

When clicking through to the google privacy page, which the ICO websites directly links to. It is worth sharing this important piece of information, which in reading a variety of articles and blog posts on this topic i hadn’t noticed anyone picking up on.

This is a quote from the google privacy page

Google’s Use of Analytics Data

Website owners who use Google Analytics have control over what data they allow Google to use. They can decide if they want Google to use this data or not by using the Google Analytics Data Sharing Options. When these options permit it, the data is used to improve Google products and services. Website owners can change these options at any time.

So I checked in my admin settings for one of the sites I have analytics on you can specify in your analytics admin settings not to share the data with anyone, not even google – it was set by default to “do not share”.

Data Sharing Settings - google analytics

So it would be important to know whether if you consent to cookies, how that information is being used…so in the case of the ICO website, it actually fails to tell me –  the user – whether or not the information they are collecting is shared with google or simply kept private and used only for service improvement purposes – i’m assuming (not always the right thing to do) that they keep it private.

The one bit of irony in all of this is that whatever someone does, they need a cookie to save the fact that someone has either said no, or they constantly present the same message to the same user over and over again. Depending on your approach, it could be a bit like refusing site pop ups over and over again….

What we can be certain of is the next few months are going to be really interesting. i’d welcome hearing from people as to how you are planning and approaching the legislation.