Former Member 12 Years yn ôl Michael A good synopsis - thanks. My interpretation of what was said was that an "implied consent" was probably not acceptable unless very clearly signposted. Regards Robert 1 Reply as... Canslo
Former Member 12 Years yn ôl I came across this article recently that covers advice from the ICC (International Chambers of Commerce) which I thought distilled things down to a much more digestible level. http://www.pcpro.co.uk/blogs/2012/04/27/the-cookie-law-clarity-at-last-but-not-from-the-ico/ 2 Reply as... Canslo
Former Member 12 Years yn ôl Michael Very useful synopsis although I'm afraid Robert is right "implied consent" is not acceptable currently. This is because the evidence we've seen suggests that awareness about cookies, their functions and uses is not high enough to rely on implied consent. As, hopefully, consumer awareness increases over the next few years this position may change. Regards David 1 Reply as... Canslo
Former Member 12 Years yn ôl My notes from the workshop - happy for it to be reposted/edited/commented upon! Workshop was hosted at the City Marketing Suite, Guildhall, London and organised by DCLG and City of London. City of London are interested in this topic as they plan to launch their new website in June. Even though there was an Agenda, it wasn’t really followed as we ended up in a round table discussion of the topics/issues. There were two main protagonists/presenters: David Evans from the ICO (not the David Evans from the ICO that has been giving presentations on this topic for 18 months), and Daffyd Vaughan from the Cabinet Office, responsible for the new Gov.uk website. David Evans started by explaining the current position: the EU Electronic Communications Directive was enshrined in regulations from The Department for Culture, Media and Sport regulation on 26 th May 2011. Organisations have had a year to get used to things, and from 28 th May 2012 (27 th is a Sunday), the ICO will start upping the ante on enforcement. Under the Data Protection legislation, they have a lot of leeway/discretion, and this is the tactic they will take over cookies/privacy issues. Only likely to look at monetary penalties if there has been deliberate attempts to avoid compliance or to deceive. They will generally take a constructive approach, making suggestions on improvement. However, this may depend on the complaints they receive and if there are any legal challenges/case law that sets precedent. The ICO will push for ‘good practice’ not ‘best practice’. David did admit that method the ICO took on their website ( http://www.ico.gov.uk ) by putting up a banner that effectively blocks access unless the user specifically agrees to the use of cookies (the nuclear option!) was not the approach that they would recommend, but one that they had to take as the regulator. Acceptance of this is stored in a cookie! David’s view was that websites may end up with two paths – one with full functionality that utilises cookies, and a path with limited functionality that doesn’t utilise cookies. To fully comply with the regs there must be explicit consent. Users should be able to make an informed choice. This information should be available across the site, not just the home page. The obvious place to have this is as part of any T&Cs, especially at sign-up. However, any change to T&Cs would have to be notified to existing users who should be given the option to opt in/opt out. Implicit consent is probably not acceptable unless clearly signposted. The ICO’s view is that this is because the evidence they have seen suggests that awareness about cookies, their functions and uses is not high enough to rely on implied consent. As, hopefully, consumer awareness increases over the next few years this position may change. The regs don’t just cover cookies, but any personal information (including HTML 5 local storage, Flash cookies, browser caches, etc). Daffyd Vaughan expressed a view that some of the alternatives (device fingerprinting, javascripting, etc) were more intrusive and therefore likely to be considered to be less acceptable. The ICO is likely to be less interested in session cookies over persistent cookies. Daffyd Vaughan reported that the position in Europe varies. Some countries don’t appear to be actively working on the directive, whilst in Germany they are heavily focussing on the use of tracking cookies. Google are working on some updated tools for webmasters – a release may be imminent. It was thought that Google Analytics may not store IP addresses in cookies, but that this information may be available in the reporting. Apparently the US Government has taken the view that IP addresses don’t identify an individual. Daffyd advised that web managers should check the Google Analytics options to switch off sharing of cookies. David said that the ICO would consider what was business critical. The legislation refers says “strictly necessary”, so shopping basket cookies would be considered business critical, but user option/experience cookies would not. There was a view that sites shouldn’t use pop-ups. There was some discussion around whether Google Analytics would be considered “business critical”. Some sites thought that it is, as it helps them shape the user experience. David’s view was that it wasn’t, as the websites could operate without Google Analytics. (As an aside, Office of National Statistics can fine government departments if they do not collect/supply statistics, but then could get censured by the ICO). It was felt that where there were links to external websites, these should clearly be indicated, so that the user is aware that different rules/policies may be in place. There was a warning that social networking sharing buttons set tracking cookies The recommendation from Daffyd was not to use these, but follow the BBC’s example and just link to these social media sites. There was some discussion that if you explicitly asked for permissions to use cookies and the end-user said “no”, then how would you store this other than in a cookie! 3 Reply as... Canslo
Michael MacAuley 12 Years yn ôl Hi Robert Why not post your notes as a blog too? If it's tagged with cookies it will appear in the group along with mine. Not had enough time today to do more work on it. Any content people think is relevant can be added also. Mike 0 Reply as... Canslo
Michael MacAuley 12 Years yn ôl Thanks for the correction David. I've amended the post. 0 Reply as... Canslo
Michael MacAuley 12 Years yn ôl Well it looks like the ICO advice listed here is now incorrect. Cookies law changed at 11th hour to introduce 'implied consent' 0 Reply as... Canslo