(Update 27th May 2011 – The ICO are giving a 12 months grace period. Various comments seem to confirm the views I set out below – I’ll blog about it in due course)
(Update 22 May 2012 – As the 12 month’s grace period comes to an end I am increasingly concerned that the view explained below and the ideas behind our free to use cookie warning sign may not be compliant – we are watching carefully!)
After a few days of trying to get to grips with the forthcoming Cookie Directive (2 days to go!) I’m starting to feel that the directive is not as bad or ridiculous as many are claiming (as long as some common sense is applied).
I don’t think compliance needs website-wrecking retrofits. I don’t think that the directive dooms all EU websites to a competitive disadvantage. I don’t even think it’s misguided. Here’s hoping anyway.
“has given his or her consent”
It’s these six little words being inserted into the existing law that has put the cat amongst the pigeons. It is the idea of being required to get consent that is the significant change in the law. And it’s the interpretation of what consent entails that is causing the debate.
The unanswered question
A large portion of the recently published government (ICO) guidelines are dedicated to explaining theoretical ways of getting consent. Reading them leaves me with the view that there is quite a lot of flexibility in the definition of “consent”.
The guidelines contradict themselves giving us no option but to make judgement calls. Compare these two statements:
Statement 1. (Overly Optimistic)
You need to provide information about cookies and obtain consent before a cookie is set for the first time.
Statement 2. (Sensible)
One possible solution might be to place some text in the footer or header of the web page
In the case of the second statement, cookies will already have been set, thus directly contradicting statement 1.
This is giving rise to a spectrum of views as to what needs to be done. Statement 1 suggests you’d have no choice but to add a pop-up or a landing page with opt-in’s before you let people get to your website proper (if you are to continue to use say Google Analytics).
Others are using statement 2 to convince themselves that providing a small footer link to updated T&Cs is complying.
Degrees of consent
The reason I hold out hope for common sense prevailing is this statement in the ICO guidelines:
the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent
If on the other hand your cookies are more innocent (such as with the not-totally innocent Google Analytics – see previous discussion), then just letting users know you are doing so and giving them an opt-out is sufficient.
If we look at the typical process of getting agreement to terms and conditions on websites we see the following approaches:
- Page of T&Cs with “I accept” button at the bottom
- Tick box next to “I accept terms and conditions” (inc link to T&Cs)
- T&Cs listed on the web page without any “I accept” button
- Link to T&Cs without any “I accept” button
In each case the intent of doing this is to get user consent, and I suspect a lawyer would define them all as legally binding forms of consent provided they are used appropriately. The more onerous, less obvious or unusual the terms, the more likely the website owner would be required to use method 1 or 2 as opposed to 3 or 4 for that consent to be legally acceptable.
I feel the same approach can be applied to getting consent for cookie use.
The example of Google Analytics
Imagine a world where every site using Google Analytics required you to click an accept button before you proceeded to the website. It just wouldn’t happen. Users would rebel resulting in either the EU backing down or if they persisted, websites would reluctantly stop using Analytics.
As discussed previously Google Analytics cookies are naughty but not evil. I don’t think the directive seeks to stop websites using Analytics, they just want users to be made aware when they are being used and give users more control. The ICO guidelines state the following in a section that specifically discusses analytics-type software:
You should consider how you currently explain your policies to users and make that information more prominent, particularly in the period immediately following implementation of the new Regulations. You must also think about giving people more details about what you do – perhaps a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.
i.e they are not expecting website owners, in the case of Google Analytics, to require acceptance before the cookies are set. In my humble opinion!
The Attacat approach
I see Google Analytics as a little like CCTV cameras. I’m not a huge fan but I don’t lose sleep over them. I assume it must be a legal requirement to have “CCTV in operation” signs, so that is the approach I’m going to adopt for our site: “Cookies in use”. Of course this would then link to more information and explain how to opt-out.
Does this need to take up lots of real estate on our site? That depends how safe you want to be. Little text link in the footer = higher risk, 100×100 pixel yellow notice = lower risk.
What are we doing? We are aiming for a small cookie icon and size 8 text which may or may not “float” in the bottom right of the screen on all pages. I can’t show it off yet as we haven’t developed it (but we hope to make the directive deadline (24 hrs to go))!
What if I’m wrong?
Actually it doesn’t matter! Why? Because the guidelines are not clear, the ICO will have little choice but to give non-compliant websites (that have genuinely tried to comply) an opportunity to amend their ways. I draw this conclusion from these words in the guidelines:
…if the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice.
Answering the same questions about behavioural advertising cookies and especially affiliate cookies is nothing like as straightforward, so that’s a challenge still to be overcome.
As part of our effort to create a resource to help website owners to comply with the directive we have started to create a free cookie audit tool (feel free to test it!). We aim to evolve this into a “guide” that includes practical opinions of what can be done to have a good chance of achieving compliance (there’s no certainties!) with minimal time input from website owners.
Ultimately, if there’s interest, I’d like to think we will have a resource that will allow website owners to create and implement a compliance plan within 30 minutes.
If you’d like to help in anyway, please do get in touch. If you’d like to debate our approach, I’d love to hear from you in the comments below. If you’d like to watch the progress closely you can sign-up for updates at the bottom of this page.
The cookie warning sign we use on this site is also freely available for use but entirely at your own risk (we really aren’t sure if it will be seen as acceptable or not)