Datonomy can empathise with anyone tasked with making their organisation’s website compliant with the cookie consent rules. Here we share our own experiences, review the latest guidance from the ICO and take a look at some of the compliance mechanisms appearing on other UK websites.
Stop press – revised guidance from the ICO on implied consent
The ICO marked the end of its year-long enforcement amnesty by refreshing its guidance. On 25 May it launched:
- a helpful 11-minute video of Dave Evans, Group Manager at the ICO, setting out the Commissioner’s enforcement stance and guidance for businesses yet to make a start on compliance;
- version 3 of its compliance guidance for website owners; and
- advice for the public on controlling cookies.
The clear message from the ICO is that, although non-compliant businesses must now take action, the emphasis should be on “good” rather than “rushed” compliance solutions.
The most important point to note about version 3 of the guidance – which is otherwise an evolution of version 2 – is the significant shift in emphasis on the validity of implied consent. Since publishing version 2 in December 2011, the ICO has warmed to the merits of implied consent as a potential consent solution in the right circumstances – see pages 6-8 for the salient details, which include:
“For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”
The new ICO guidance also gives explicit endorsement to the approaches suggested in the very practical ICC UK Cookie Guide which came out in April.
Datonomy was of course already taking “measured and proportionate steps” towards cookie compliance before the UK deadline, so in the remainder of this post we thought we’d share our learning curve.
Compliance curve Step 1 – conducting our audit
Writing about one’s own cookie compliance is surely a hostage to fortune, given the ease with which anyone else can audit your site to find out whether you’re telling the full story or not. Note for example the Collusion initiative being promoted by the Guardian newspaper and Mozilla, which encourages us to “track the trackers”. So, with some trepidation, we embarked on the audit process. What if it revealed that a modest blog site set up to highlight developments in privacy law and practice turned out to be harbouring guilty cookie secrets of its own?
To find out, we used Attacat’s Cookie Audit Tool (an extension for Google Chrome) to scan Datonomy for cookies. The resulting report details the cookies by domain, name, duration and – my personal favourite column – “possible naughtiness” on a scale of 1-5. Certain cookies – like the universally used Google Analytics cookies _utma, _utmz etc. – are becoming familiar. Would-be cookie auditors should brace themselves for lengthy lists of cookies, many of them identified by incomprehensible jumbles of letters and numbers.
Datonomy particularly likes the chatty and informal style of the Attacat report. An example is the “Unknown 1st party cookie”, on which the Attacat report’s “Thoughts” column recommends: “Grab a cuppa with your developer and run through the detailed log”. For any readers concerned about this one, it is indeed under investigation (over a cuppa). Social media-savvy readers who “Like” us on Facebook, share us on LinkedIn and Tweet our posts should take note that the social media/sharing tools set by third party sites account for the vast majority of the cookies set on a user’s visit to Datonomy.
For others about to embark on a similar exercise, and at the risk of stating the obvious, in order to get a comprehensive picture it’s important to put the site you are auditing through its paces while you are running the scan, using all the potential functionality available to an end user.
Step 2 – providing you with clear and comprehensive information
Armed with a detailed audit report, the next step is to provide “clear and comprehensive” information. Datonomy has taken a layered approach, with a short notice prominently displayed at the top right of the screen linking to a more detailed table for those with the appetite for more detail.
Datonomy has always believed that good privacy practice can be creative and individual, so it has labelled its own cookie notice a little differently. Did you spot it? What do you think?
Datonomy is also a fan of the practical guidance, cookie categorisations and suggested descriptions in the ICC’s UK Cookie Guide mentioned above, including the iconography used by BT’s website to represent the four main cookie types. Although it hasn’t used them, Datonomy very much likes the “cookies in use” icons available in a range of styles from the Attacat website.
Datonomy readers are probably the best judges of whether the information we’ve provided is clear and comprehensive enough – whether, in Dave Evans’s words, the information “means something to them”. Why not post a comment (which will of course trigger a cookie) and let us know your views?
Step 3 – getting your consent
So having audited, and provided information, that just leaves the trickiest bit – how to obtain your consent to the various cookies without deterring you from visiting the site altogether.
The most creative consent mechanism we’ve seen so far is the interactive cookie control “slider” on BT’s website. The BBC website introduced a banner-style consent option across the top of its site last week, and first-time visitors to the Olswang.com website are now greeted with a pop-up at the bottom of the screen.
Datonomy, with more limited resources, is working with its web development colleagues and is considering customising an opt-in pop-up button provided by Cookie Control. However, in view of the limited intrusiveness of the cookies we deploy, and the latest guidance from the ICO on the validity of implied consent based on a “shared understanding” between us and our readers about these cookies, perhaps we don’t need to bother? There is an argument that we could rely on implied consent based on your continued and now well-informed navigation of the website. Datonomy’s readers are a well-informed and opinionated bunch, so we await your views with interest.
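To make the two options concrete, here is an added example (not Datonomy’s code, nor Cookie Control’s) of the gating logic a site could put in front of its analytics and social sharing scripts: non-essential cookies are withheld until the visitor either clicks an opt-in button or, having seen the notice, moves on to another page, which is the “action” the ICO guidance asks for before consent can be implied. The four category names are assumed to match the ICC guide’s categories, and the consent record format is constructed for the example.

```javascript
// Consent gate: strictly necessary cookies always run; everything else waits
// for explicit acceptance or for implied consent (notice seen, then navigation).
// Category names are an assumption based on the ICC UK Cookie Guide.
const CATEGORIES = ['strictly-necessary', 'performance', 'functionality', 'targeting'];

// Fresh consent record for a first-time visitor: no notice seen, no decision yet.
function newRecord() {
  return { pageViews: 0, noticeShownOnView: null, decision: null };
}

// Apply one visitor event and return an updated copy of the record.
function applyEvent(rec, event) {
  const r = { ...rec };
  switch (event) {
    case 'pageview':
      r.pageViews += 1;
      // The layered notice appears on every page until a decision is made;
      // remember the first page view on which the visitor could have read it.
      if (r.noticeShownOnView === null) r.noticeShownOnView = r.pageViews;
      break;
    case 'accept':
    case 'decline':
      r.decision = event; // an explicit click always overrides implied consent
      break;
    default:
      throw new Error(`unknown event: ${event}`);
  }
  return r;
}

// Implied consent: the visitor saw the notice on an earlier page and then
// chose to navigate to another page on the site.
function impliedConsent(rec) {
  return rec.noticeShownOnView !== null && rec.pageViews > rec.noticeShownOnView;
}

// Categories that may set cookies given the current record.
function allowedCategories(rec) {
  if (rec.decision === 'decline') return ['strictly-necessary'];
  if (rec.decision === 'accept' || impliedConsent(rec)) return CATEGORIES.slice();
  return ['strictly-necessary'];
}

// Call before injecting a script, e.g. shouldLoad(rec, 'performance') ahead of
// Google Analytics, or shouldLoad(rec, 'targeting') ahead of a Like/Tweet button.
function shouldLoad(rec, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  return allowedCategories(rec).includes(category);
}
```

The record would be persisted in a strictly necessary cookie or local storage, since remembering the consent decision is itself exempt from the consent requirement.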
For those still wondering what consent solution is right for their particular website, the ICC’s Guidance, now officially endorsed by the ICO, is a rich source of practical options for cookies of varying types. (Sorry to mention it for a third time, but it really is one of the best things to have emerged from the cookie experience, and Datonomy can’t help thinking that if the ICC’s sensible advice had come out a year ago, there would have been less hoo-ha about compliance.)
The ICO, as well as educating users, is encouraging members of the public to report their cookie concerns, no doubt to help the ICO build a fuller picture and prioritise any enforcement action. We hope that Datonomy readers will not have any concerns about our cookies, but if you do please bring them to the attention of our blogging team.
If you have got this far, we assume you have duly noted our cookie information and we infer your consent to the cookies which will by now have been placed on your device. Alternatively, you may have taken steps to block cookies via your browser – in which case we hope your “user experience” on the site has not been significantly impaired.
Whatever your levels of cookie tolerance, though, we hope you will continue to read and interact with this blog.