I’ve been keeping an eye on this topic myself, specifically trying to spot new & useful information from authoritative sources. The main area that’s of concern for all our customers is the grey area of Analytical cookies.
These two might be of interest:
1. It’s not about cookies, it’s about privacy – That’s from the Government Digital Service who look at websites like direct.gov.uk. It looks at the subject with some common sense and raises an interesting point that focussing on cookies may push sites into tracking users in other ways; using super cookie methods that the user cannot detect or control/disable as they can with standard cookies, which would be more intrusive.
Interestingly the GDS has taken a stance that analytical cookies are ‘minimally intrusive’ and (most importantly) ‘essential’ – which is a different line to the ICO. There’s a link to a PDF with guidelines at the end for government departments and other public sector bodies:
“Use of web-analytics/metrics: The use of metrics are integral are to departments’ being able to provide the best possible user experience in order to encourage citizens to use more cost-effective channels for accessing government services. They also allow departments to assess and demonstrate whether the digital services they offer provide “value-for-money” as demonstrated by the recent National Audit Office (NAO) report.
Consequently, collecting these metrics are essential to the effective operation of government websites, at present the setting of cookies is the most effective way of doing this. The ICO guidance supports this view as it states ’...it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action’”
2. EU cookie legislation – a look at some of the implementations – That’s new as of Friday, written by one of the Information Commissioner’s Office Technology Reference Panel:
_”+ First of all the 27th May deadline for implementing the legislation is more a marker for ICO – not a hard date. This means that from this time the ICO will start looking at the subject more closely.
- In the meantime in the run up to the end of May the ICO will publish information for individuals to allow them to raise concern via the ICO website. Note the ICO has not had much activity on the complaints front in last 12 months.
- They will also be making it clear that on an individual level it is unlikely that ICO will pursue 1 cookie on 1 web page
- The ICO can’t audit every UK website but can look at trends or patterns – eg if many issues raised about specific types of cookie
- ICO will also be issuing a clarification of its line on analytics cookies – these are not exempt from the law”_
It’s certainly a topic where the regulation and solution is still evolving. Personally I wonder if this might end up in the same situation as the DDA subject from a few years ago; the end result being that the worst offenders get a letter asking them to clean up their act, but for the rest of us who follow good practices there’s nothing to worry about.