Tuesday 19 June 2012

Cookies - what we have done and why it may change.

The regulations

The regulations on the use of cookies changed last year and came into force on 26 May 2012. All websites are now legally required to give the visitor a clear and easy-to-use opt-out from all non-essential site cookies, including analytical software. Or that’s how the web team thought the enforcer, the ICO (Information Commissioner’s Office), had interpreted the new cookie law.
"A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user’s device. The Regulations apply to cookies and also to similar technologies for storing information. This could include, for example, Local Shared Objects."
Page 3 para 2 from ICO’s (Information Commissioner’s Office) Guidance on the rules on use of cookies and similar technologies version 3
For more information on cookies see: http://www.allaboutcookies.org/
However, since we uploaded our solution the regulations have changed slightly, and the ICO guidance says:
“The use of cookies and similar technologies has for some time been commonplace and cookies in particular are important in the provision of many online services. Using such technologies is not, therefore, prohibited by the Regulations but they do require that people are told about cookies and given the choice as to which of their online activities are monitored in this way.”
Page 3 para 3 from ICO’s (Information Commissioner’s Office) Guidance on the rules on use of cookies and similar technologies version 3

Our Approach

The approach we took was to create a Cookie page and to provide check boxes next to the items that used cookies, in case the visitor wanted to opt out. For Google Analytics we placed a popup window at the top of our site and asked a very direct question:
“Do you consent to receiving Google Analytics cookies? We use these to aid in improving and maintaining our website.”
We also placed a 'More Info' option, followed by two buttons: 'Yes' and 'No'.
By doing this we complied fully with the law and, as we had done it well within the time frame, we patted ourselves on the back.

The Problem

However, the majority of you have selected 'No', and so since 2 May 2012 our visitor overview from Google Analytics looks like this…
As you can see from the graph, on 17 April we reached just over 6,000 visitors and then on 2 May 2012 we were down to just 105. As we average just over 2,000 a day, we know that the chances are that more of you actually did visit the site that day, but Google Analytics isn’t showing it because many of you have selected the 'No' button.

The question

Does the web team leave things alone, as we are clearly now compliant, or do we tweak our approach and let you know that the site uses cookies, but clearly explain what they do before giving you the option to opt out?

We seriously do need a more accurate guide to how many of you are visiting our site, and we promise that the information Google provides cannot tell us who you are or anything more about you.

Evidence to support a change


The ICO (the enforcer of the new law) says…
“It has been suggested that the fact that a visitor has arrived at a webpage should be sufficient evidence that they consent to cookies being set or information being accessed on their device. The key here is that the visitor should understand that this is the case. It is important to note that it would be extremely difficult to demonstrate compliance simply by showing that a user visited a particular site or was served a particular advertisement unless it could also be demonstrated that they were aware this would result in cookies being set.” (p8 of the Guidance)
What they have done on their own website is, as we have, to use a popup top banner that says:
"The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our privacy notice."
They also have a check box 'I accept cookies from this site.' and then a 'Continue' button.
This is informing visitors that the ICO site uses cookies and that by continuing to use the site you consent to these being set. The visitor is asked to accept the cookies. If the visitor does nothing the box remains and they can continue using the site without it appearing to have an ill effect on site performance. There is no indication that cookies will be ‘turned off’ until acceptance is received. If the user visits the ‘privacy notice’ page a table displays the cookies the site uses and links are provided to the third party sites to find out more, but no ‘turn these cookies off’ button is provided.

Perhaps we (the Force web team) have made it too easy, and we should have explained further before offering the opt-out button.

.net magazine

.net magazine issue 229, on p64, in its article titled 'Don't Panic, A Beginner's Guide to Cookies', explains the levels of compliance as...
Here’s a simple breakdown of how to go about categorising cookies:
Zero compliance risk or ‘strictly necessary’ cookies: Always first-party and not persistent. These include functional navigation and user session cookies for shopping baskets.
Low compliance risk: Always first-party and may be persistent. These cookies include accessibility options for visually impaired users and, arguably, analytics cookies.
Medium compliance risk: Usually first-party and persistent. These might be used to store personally identifiable information, or limited cross-site tracking, in order to present content based on previous visits. Another good example is the Facebook Like button.
High compliance risk: Third-party and persistent. These are mainly used to track and record visitor interests without prior consent, and aggregate this data for use by third-parties, normally advertisers. This also includes cookies set through the provision of embedded content which is not ad-related, such as Google Maps and YouTube videos.
And again, as we look at what the BBC have done, the web team really is convinced that we need to make a change.


The BBC also use a popup (http://www.bbc.co.uk/), and theirs says:
Cookies on the BBC website
We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we'll assume that you are happy to receive all cookies on the BBC website. However, if you would like to, you can change your cookie settings
It also has a link to 'Find out more'. The find out more page explains exactly what cookies they use and why and groups them into ‘strictly necessary’, ‘functionality’ and ‘performance’ cookies.
The analytics cookies set by the BBC (“iStats”) are grouped under Performance, and an opt-out is provided on this page, http://www.bbc.co.uk/privacy/cookies/managing/cookie-settings.html, once all has been fully explained.

The web team's Conclusion

In conclusion, the web team proposes that, rather than asking the visitor whether they want the Google Analytics cookie, the popup informs the visitor that we use it and gives them the option, as the BBC site does, to ‘continue’ or ‘find out more’. The ‘find out more’ link will take the visitor to the Force cookie page. From here the visitor will be able to switch Google Analytics off if they still want to.

Hopefully not so many of you will opt out, and we will once again be able to use our stats to tell us how many visitors the site gets and which pages are the most popular. More importantly, we will still be compliant with the law.

In order to do this we will be resetting the Google Analytics cookie. So if you opted out last time, we hope that this time you will understand why we wish you not to do so, and that you will (with your new understanding) give us your implied consent, in the full knowledge that if you change your mind you know how to explicitly opt out.

The web team thanks you for your patience and understanding. All other opt out cookie options will remain as they are.

Next time…

Results of the online website questionnaire.