Complying or Not? 16 brands and their approaches to the EU cookie directive
2 days on from the beginning of enforcement of the EU cookie law, and 4 days on from it being ‘watered down’ (to include implied consent as a valid form of consent in some limited circumstances), how are some popular websites looking in terms of complying? (After all, there is the small issue of a £500,000 fine if they aren’t…)
Sites that have applied the law, it would appear, to the letter…
ICO (Information Commissioner’s Office)
Starting with the website of the company charged with regulating everyone else on the new EU cookie law – setting the example surely?
- Full opt-in approach
- Banner stays at the top until you action it
- Their privacy notice explains what cookies they use and their purpose
- Cannot disable specific cookies on the ICO website; it only links out to individual links and explanations of how to do it.
- It’s a user experience nightmare
- Does it really educate users?
- Even they seem to have problems keeping up with their cookies, as we saw a little Twitter cookie sneak in whilst surfing their site with our audit tool at one point
- Full opt-in approach – We ran the Attacat cookie tool on it and there are in fact no cookies tracked until you accept the pop-up.
- There is also a list of the main cookies used on the site
- But not a very user-friendly explanation of cookies, and really just the bare bones of what is required.
- Their pop-up information does, however, stay up for the duration of your time on the site until you click that you accept
- All in all seems pretty compliant!
- Along with the age consent you are agreeing to cookies being stored – a wise way of doing things if you already have to have a pop-up.
- They give you information about the types of cookies that they collect and an explanation of how to use your browser settings to disable cookies and a link to opt out of being tracked on Google Analytics.
Complying well but not super clean!
The following sites may not be strictly compliant but in our humble opinion have done enough that the ICO will not wish to force them to do more.
- Mostly opt-in BUT during an Attacat test, before getting consent, the BBC website had already set the S1 “analytic” cookie on the main page – so maybe not as clean as they seem (but in line with revised guidance)
- Loads of info: a really good site in terms of going above and beyond to ensure people understand what cookies are.
- Using the word ‘continue’, unlike most other websites where you must ‘accept’ their agreement – perhaps making cookies seem a more positive thing?
- They provide comprehensive information about what cookies are and the types of cookies.
- Gives you the choice to enable or disable functionality, performance and online behavioural advertising cookies
- Also gives you the option to opt out of specific cookies set by the BBC and their suppliers, including SageMetric cookies, DoubleClick cookies and Google Analytics cookies
- Information for their international users
- Delayed cookie setting approach – you have 12 seconds to back out!
- Seems to have been held up as a great example of a company (broadly) following the new law
- Already set to ‘allow all cookies’ it is up to the user to ‘opt out’ or change settings.
- Stays up for 12 seconds before disappearing: settings can then be changed with the famous slider tool at the bottom of the page – means you can decide how cookies are tracked.
- They record no cookies while the pop-up is there; as soon as it disappears they assume you have consented to allow all cookies and recording begins.
- Slider tool is clear and easy to understand and lets you choose what type of cookies BT set: strictly necessary and performance, functional or targeting.
Great Ormond Street
- An implied consent approach that sees cookies being set as you land, but with only relatively un-invasive cookies. Such an approach, whilst breaking the law, is unlikely to face enforcement according to the new guidance.
- Message stays at the top of each page until it is accepted.
- Good explanation of each type of cookie used by them.
- No opt out on the website but links for each type of browser to an explanation of how to manage your cookies.
- Same as the BBC – uses the word ‘continue’ and not ‘accept’
- Their hospital site has the same banner and layout.
- They use Google Analytics
Spotify (landing site)
- Another example of a site using Google Analytics going for an opt-out and prominent notice approach
- But no explanation of how to delete cookies or how to disable them being stored – not much help, especially when compared to other policies seen.
Complying but a bit dodgy!??
These are sites that have made an effort but that we suspect might be asked to do more by the ICO. Why? Because they carry adverts powered by third parties.
- Pretty small, unobtrusive, easy-to-miss banner.
- This is an implied consent example – the ICO state that this can only be done if your users understand that this means cookies will be set, and it must be informed consent.
- The Guardian set 1st and 3rd party cookies unless you do something about it.
- What the Guardian does have is a very good clear page (with a graphic well worth copying) as a link from their cookie info page on how cookies on their page are used by them and third parties.
- There is information about the types of cookies they use and how to manage them; however, this is just in the form of a link to the partner’s website where you can then opt out. There is no way to opt out of specific tracking on their own website.
- Unlike the BBC this banner stays at the top until you take action on it.
- You can choose for them to remember your preferences by setting a permanent cookie.
- The cookie information page on the website has in-depth information about the cookies used
- Is this the worst wording of any consent box out there?
- Another media site not getting opt-in for advertising cookies
- There is no choice to block cookies before they start being used on the Channel 5 site.
- Through the ‘corporate information’ pages there are links to block certain cookies and change your settings.
- Channel 5’s description of cookies is not overly user friendly, but the information is easy to find and they are simply using implied consent.
- Attacat Cookie Tool test showed that 73 cookies were set after just two pages without any consent having been given!
- They are using the AdChoices (self-regulatory program) icon to signify use of behavioural advertising
- But… one of the nicest cookie controllers we’ve seen implemented. Very easy to change cookies by clicking on the cookie consent box to turn off certain cookies, and it explains what they are used for in good clear detail.
Sites that are taking a high risk approach to the legislation?
- Only “consent mechanism” appears to be a small link at the top of the page – whilst this may be OK if they just used analytics cookies…
- They are using remarketing (you will start seeing John Lewis adverts on other sites once you have visited) which is considered to be highly invasive and therefore likely to require “meaningful consent”
- Excellent cookie information pages but no control mechanism
the social networks
I include Facebook, Twitter etc in this category as an example of the many organisations offering functionality for third party websites (think share buttons and widgets) that place cookies and do little to help websites that use these functions to understand how their users may be impacted.
the ad networks
Doing their best to self-regulate with an easy opt-out and increased notification, the industry continues to fall short of genuine consent IMHO. Personally we would like their approach to succeed in getting past the law makers but are worried that it won’t.
the affiliate networks
I’m not convinced the general public will be that thrilled to find out that the exchange of commissions is common practice on the internet. The networks may drop cookies with time but the law makers probably won’t drop the privacy concerns.
So moving on to what is going on with Cookies around Edinburgh websites!…
- An interesting site because it crosses domains (from Edinburgh Castle and Historic Scotland)
- Opt-out approach method with prominent pop-up. Using a lot of third party cookies for functions including Google Maps and a lot of tracking cookies from advertising networks
- Pop-up that disappears after around 12 seconds but reappears on each new page – Clicking “I am happy with this” really should say “OK, stop irritating me now” as all it does is prevent the pop-up reappearing (we think!).
- We put these sites in the category of “may be asked to do more”
- Very similar to Edinburgh Castle – both using the Civic Cookie consent tool
- Seemingly no advertising network cookies, but they do have cookie-setting YouTube videos.
- Our verdict – could do more without impacting the visitor experience but likely to be low on the ICO’s priority list!
- No cookies set before you have accepted – but able to do nothing until you have (and of course a cookie is set to say you’ve consented ;))
- Google Analytics is the most invasive cookie we found.
- Have implemented a cookie-free Twitter feed
- Our verdict: strictly compliant but misses the spirit of the directive and adds nothing to the user.
… but who is correct!??! Do you agree with our quick assessments?