Thursday, May 26, 2011

Is the ICO eating its own dog food on new EU Cookie Law?


I will confess up front that I am biased when it comes to this ridiculous piece of legislation. The impact on online businesses is, in my opinion, a real pain in the rear, but that depends on your interpretation. So, not to bore the rare reader who comes across this post, I am not going to go into the whys and wherefores of the legislation apart from saying that IMHO they swung the pendulum far too far the other way when trying to deal with cookie abuse on advertising networks. I think the issue now is more about how we handle this legislative farce from a customer experience perspective, and I thought a great place to start would be the ICO website itself. Bear in mind that we probably have a reasonable amount of time to address this, but you can form your own opinion on that from the ICO announcement.

Off tack for a mo', I was pretty amused when I found this post, which for me really brought home the potential pitfalls of implementing the legislation with a mock-up of the worst customer experience ever!

Now that the ICO have published some guidelines (which are disappointingly high level), I thought it would be amusing to take a look at what they have done themselves.

Step 1:

Go to their home page. You are greeted by a pretty ugly message at the top of the page, but as it's an ugly website anyway, no drama. Interestingly there is one and only one opt-in message, which reads:

"On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice"

Three things caught my eye:-
  • They have chosen to set a cookie already, having viewed it as "necessary" for the site to function
  • There is only one message and it's not a pop-up.
  • There is also an accessibility and usability flaw in this setup. If you have cookies disabled the message is hidden by JavaScript. If you have JavaScript turned off (screen readers) the message is not hidden, so if you click accept you hit an annoying anomaly: the consent cookie isn't stored, the message keeps nagging you and the site starts to misbehave functionally. I'm going to ignore this here, but it's worth thinking about accessibility in your planning.

Necessary?

Let's deal with the "necessary" thing first. If you read the privacy policy, this is a session cookie and only contains the session id. It is transient in nature, and the privacy policy explains:

"This cookie is essential for the online notification form to operate and is set upon your arrival to the ICO site. This cookie is deleted when you leave the ICO website."

Hmmmm.

The debate for me is the key provision of the Directive, which states that you can only set cookies (and that includes session cookies) without permission if it is "necessary". Specifically, the regulation (4(b) below) says the following:
  • "6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met
  • (2) The requirements are that the subscriber or user of that terminal equipment--
    • (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
    • (b) has given his or her consent.
  • (3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
  • (3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the Internet browser which the subscriber uses or by using another application or programme to signify consent.
  • (4) Paragraph (1) shall not apply to the technical storage of, or access to, information--
    • (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
    • (b) where such storage or access is strictly necessary for the provision"
The ICO also state:
"This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity".
Be aware that they are very clear in other docs that they will look closely at any interpretation of "necessary" and will use a very narrow definition when making an assessment.

So let's apply their own words to this session cookie. Technically the site operates without this cookie. I can browse and search with cookies turned off and there is no warning telling me that the site will not work. The key function they highlight in their micro copy is for the "online notification form to operate". In my view this is not the "site"; it is a specific piece of functionality, and the cookie only needs setting if I choose to use that function.

Necessary? I think not.

I really had to search for this form, and I can't fill it in anyway (because of all the info required), so I have not tested it fully to see whether it will function. What I can see is that the form is a multi-page process, and a session id would be handy for its function but NOT for the entire site.

This is where their guidelines come in again. They suggest ways of handling cookies in different scenarios, and one of them is "feature led consent", i.e. when the user needs to use the function, tell them then. It would be a simple matter of having micro copy on the form's first page informing the user. A simple example of this approach for me would be "remember me" features on login; it won't be hard to add some simple micro copy by the tick box.

Based on the above, IMHO this cookie does not pass the "strictly necessary" test (although it is harmless) and the ICO should therefore practise what they preach. Splitting hairs, it is possible to build a multi-part form app which does not use session cookies at all. I remember in the good old days it was actually considered best practice to code session handling to be cookie-less (by using session IDs in URLs). So, being very literal, it is not "strictly necessary" to have their session cookie at all.

(The devil in me would love to start a viral complaint campaign with lots of people complaining about this cookie, but sadly with my tumbleweed zone blog it ain't going to start here.)

Take-aways

Now that I have had my fun at hypocrite bashing, what can we really take away from this for our own use? I would conclude the following:-
  • It is OK to seek permission to enable multiple cookies (phew)
  • Google Analytics cookies are not strictly "necessary" (which is a real shame)
  • They actually don't declare whether they have enabled or disabled GA data sharing which is an omission we should probably deal with

Step 2: Accepting the cookie

All functions as expected. I get the GA cookies and their record of the fact that I have accepted cookies. The irony of this makes me smirk, i.e. the only way they (and we) can record whether someone is opted in is to set a cookie. One thing I did note was that they only set the cookie for a year, and I have seen talk of permanent cookies being frowned upon. But what is a reasonable time frame?
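To show the feature-led approach and the consent record end to end, here is an added example (my own, not the ICO's code or anything taken from their site) of a server-side decision function: the consent cookie is set for one year only when the user explicitly accepts, the form's session cookie is set only on the notification form's own pages, and analytics is enabled only once consent is recorded. The cookie names, the form path and the one-year lifetime are assumptions.

```python
"""Feature-led cookie consent, decided server-side so it works with JavaScript off.
Added example, not ICO code; cookie names, form path and lifetime are assumptions."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
import secrets

ONE_YEAR = 365 * 24 * 60 * 60          # assumed lifetime of the consent record
CONSENT_COOKIE = "cookie_consent"      # hypothetical name of the opt-in record
SESSION_COOKIE = "notify_session"      # hypothetical name of the form's session cookie
FORM_PREFIX = "/notification-form"     # hypothetical path of the multi-page form


@dataclass
class Decision:
    show_banner: bool                  # render the opt-in message in the HTML, no JS needed
    analytics_enabled: bool            # only emit the analytics snippet once consent is recorded
    set_cookies: list = field(default_factory=list)  # Set-Cookie header values to send


def _set_cookie(name, value, max_age=None):
    """Render one Set-Cookie value; no Max-Age means a browser-session cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    if max_age is not None:
        jar[name]["max-age"] = max_age
    return jar[name].OutputString()


def decide(path, cookie_header="", accept_clicked=False):
    """Decide banner, analytics and Set-Cookie headers for one request."""
    jar = SimpleCookie(cookie_header)
    consented = CONSENT_COOKIE in jar and jar[CONSENT_COOKIE].value == "yes"
    decision = Decision(show_banner=not consented, analytics_enabled=consented)
    if accept_clicked and not consented:
        # The only way to remember the opt-in is, ironically, a cookie: one year, not permanent.
        decision.set_cookies.append(_set_cookie(CONSENT_COOKIE, "yes", ONE_YEAR))
        decision.show_banner = False
        decision.analytics_enabled = True
    # Feature-led consent: the session cookie is needed only by the form, so set it only there.
    if path.startswith(FORM_PREFIX) and SESSION_COOKIE not in jar:
        decision.set_cookies.append(_set_cookie(SESSION_COOKIE, secrets.token_urlsafe(16)))
    return decision
```

Keeping the session id in a cookie scoped to the form rather than in the URL (the old cookie-less approach) avoids it leaking through Referer headers and server logs. Wire `decide` into whatever handler renders the page and emit its `set_cookies` as Set-Cookie headers.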

Summary:

I currently believe the following (but I am sure things will unfold over time):-
  • We have a year to fix this, but taking actions between now and then is wise as the ICO has clearly said that those who do nothing for a year will not be viewed favourably, compared with those who have evidence of working on the problem.
  • We would be better off progressing as far down the ICO's recommended process as we are capable. It is worth checking out this blog and its development as a method of assessment and classification. Tim at attacat has a nice idea about a scale of "naughtiness" and they are developing some audit tools which might be useful. It is likely that along the way we will hit some roadblocks where 3rd party widgets and tech that we currently use have not caught up with the law, but if we can evidence that we are assessing them and contacting the providers we can be seen to be doing something. Having a documented plan might not be a bad idea either; more evidence of actively addressing the problem.
  • Google Analytics cookies (in fact all analytics and tracking cookies) are definitely NOT "necessary", which is a real bummer across many facets of online business. The fact that there is now no guarantee that our web analytics will be as empirical as they currently are is bad generally and will impact ROI measurement on stuff like banners and Adwords. Hopefully one day there will be a cookie-less way of uniquely identifying a browser, but I am not holding my breath.
  • The Google Analytics beta plug-in is IMHO a real kick in the ****. Essentially, if another site does a bad job of explaining the GA cookies but links to the GA privacy policy (which displays the plugin), and a user follows these links and installs the plugin, all other sites will lose analytics (from that user) because of that site's bad customer experience. Not happy about that one at all.
  • It is OK to seek permission to enable multiple cookies.
  • Sites with a lot of cookies (many top name brands) will probably need to re-build their core sites to use fewer cookies, leaving room for the cookies they have no choice about. What I mean by this is that if I were to display a list of 37 cookies in my privacy policy, I would expect the number of opt-ins to be pretty low. Cutting out non-essential cookies would make my privacy policy list fewer cookies and increase opt-in.
  • We probably need to address GA data sharing in the privacy policy
  • Long term cookies, especially permanent ones will probably be frowned upon. What the optimum cookie life will be, no clue.
  • Technically I think solutions are going to need a server-side approach to do this properly, which means re-engineering. JavaScript-based quick fix approaches will do a lot, but will not do it accessibly, and that has a legal implication in itself.
  • I am going to set up a COO company. Instead of SEO and SMO the new trend will be "Cookie Opt-in Optimisation".;-)
BTW I'm no lawyer, so the above is just opinion; you might wish to seek advice just to be sure. Sadly, the number of so-called information emails flying around from law firms probably means that they are all ramping up to make some money from this.
