I’ve just paid a visit to the ICO website to gain more information on the new laws that have come into play regarding the use of cookies in the EU. I have to say that after reading advice_on_new_cookie_regulation.pdf I have been left with more questions than answers.
The ICO website has an opt-in notice in the header of its site stating: “The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.” This is accompanied by a checkbox, “I accept cookies from this site”.
Something I find interesting about this opt-in is that they have already dropped a cookie on me, so it is not really an opt-in; it is an opt-in mixed with an opt-out: “One of the cookies we use is essential for parts of the site to operate and has already been set.” The cookie the ICO sets is an ASP.NET_SessionId cookie, and this is not essential to the running of their website. Contrary to their explanation, this cookie creates a session ID that ties the use of their website to a unique visitor, authenticating the session and attributing the use of the site to an identified machine.
The new requirement is essentially that cookies can only be placed on machines where the user or subscriber has given their consent.
6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment—
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information—
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
So, given this information, the ICO website itself is not 100% compliant with the letter of the law.
So what about other government sites? Are we to look to them for guidance on best practice? How is the government enforcing the law on its own web properties?
www.cps.gov.uk/ – drops 4 cookies: _utma, _utmb, _utmc, _utmz, and a Google cookie
www.direct.gov.uk/ – drops 7 cookies: _utma, _utmb, _utmc, _utmz, directgovCSADBID, directgovCSAuvt and usy46gabsosd
hmrc.gov.uk – drops 3 cookies: WT_FPC, usy46gabsosd and a Webtrends tracking cookie
(BTW, _utma, _utmb, _utmc and _utmz are Google Analytics first-party cookies.)
In fact, looking at all the UK government sites I could find, I have not seen one that is compliant with the new EU law. None of their sites inform me that I am going to be cookied, and none let me opt out. So I can only conclude that, at this stage, looking to the government for answers and ideas about what to implement and how is an utter waste of time. If the UK government is not compliant with the law, then I can only ask the question “do they take this change seriously?”, and the only conclusion I can draw from their actions is that they don’t, or else they would have been the first to implement changes. How can a government expect business to be compliant if it doesn’t even follow its own guidelines?
www.europarl.europa.eu/ – The European Parliament site dropped 5 cookies onto my browser, none of them with consent. These are the same people who made the law, or am I totally missing the point here?
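As an added example (not from the original post, nor anything the ICO or the sites above publish), here is a small Python audit of the kind used for the checks above: it takes the Set-Cookie headers a site returns on a first, consent-free request, names each cookie, classifies it against the cookie names listed in this post, and flags every cookie that was set before consent unless the operator has documented it as strictly necessary under regulation 6(4). The sample headers are constructed, and the name patterns and the strictly_necessary allowlist are my assumptions.

```python
import re
# Name patterns from the post's audit, with the category each falls into. A session
# cookie is exempt only if the site needs it to serve the visitor, so it is flagged.
CATEGORIES = [
    (re.compile(r"^_utm[abcz]$"), "analytics (Google Analytics)"),
    (re.compile(r"^WT_FPC$"), "analytics (Webtrends)"),
    (re.compile(r"^ASP\.NET_SessionId$"), "session id (review: strictly necessary?)"),
]

def classify(name):
    for pattern, label in CATEGORIES:
        if pattern.match(name):
            return label
    return "unknown (treat as needing consent)"

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    first, *rest = header.split(";")
    attrs = {}
    for part in rest:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value
    return first.split("=", 1)[0].strip(), attrs

def audit_first_response(set_cookie_headers, strictly_necessary=()):
    """Classify each cookie set on a first, consent-free response; only names the
    operator documents as exempt under reg 6(4) escape the needs_consent flag."""
    report = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        report.append({
            "name": name,
            "category": classify(name),
            "persistent": "expires" in attrs or "max-age" in attrs,  # outlives the visit
            "needs_consent": name not in strictly_necessary,
        })
    return report

# Constructed sample headers modelled on the cookies named in the post.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=constructedsessionvalue; path=/; HttpOnly",
    "_utma=1.2.3.4.5; expires=Sat, 01 Jan 2033 00:00:00 GMT; path=/; domain=.example.gov.uk",
    "_utmz=1.1.1.1.utmcsr=(direct); path=/",
    "WT_FPC=id=1:lv=1:ss=1; expires=Sat, 01 Jan 2033 00:00:00 GMT; path=/",
]
if __name__ == "__main__":
    for row in audit_first_response(SAMPLE_HEADERS):
        flag = "CONSENT NEEDED" if row["needs_consent"] else "exempt"
        print(f"{row['name']:<18} {row['category']:<42} persistent={row['persistent']} {flag}")
```

Feed it the Set-Cookie headers captured from a site's first response (before any consent checkbox is ticked) to see which cookies, persistent ones in particular, are being set without consent.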
It would be great to hear your points of view on EU cookie legislation: what, if anything, you’re doing to implement the changes in law on your websites, and any ideas or suggestions you have on the subject. If we can’t look to the government for advice and examples of best practice, then we have to look to the industry for advice and self-regulation.