How Should UK Universities Respond to EU Cookie Legislation?
Posted by Brian Kelly (UK Web Focus) on 26 May 2011
Confusions Over Cookie Legislation
The EU’s Privacy and Communications Directive comes into force at midnight tonight (26 May 2011). This requires user’s consent before using cookies – the text files which are used for various purposes including storing browsing information.
The UK Government’s Information Commissioner’s Office (ICO) have provided guidelines on how Web site providers can implement such legislation. However, as pointed out by the JISC Legal service, differences in interpretation of the legislation by Ministers, the Internet Advertising Bureau and the ICO have led to uncertainties as to what needs to be done. The JISC Legal post concludes by highlighting such uncertainties:
This does leave website operators with a tricky decision:
- make changes to their websites now in order to implement a belt-and-braces, but clumsy, can-we-use-cookies explicit permission each time a user visits;
- wait until the government’s guidance on interpretation emerges, and take a view then as to whether to implement an explicit each-visit permission question; or
- hope that browser suppliers make the necessary changes soon enough such that website operators need do nothing.
Perhaps we should be looking to the ICO to see how it has implemented the legal requirements on its Web site. As can be seen from the following image the ICO’s Web site has introduced a new text area at the top of every page which requires users to click on the accept box.
I think it is clear that this is a very flawed solution. Not only is it very ugly, but it also appears to force users to accept cookies (not the message “You must tick the ‘I accept cookies from this site’ box to accept” was displayed after clicking on the Continue box without selecting the option to confirm acceptance of cookies.
The Guardian has pointed out significant flaws in the legislation on its Technology blog:
One problem sites are wrestling with if the ICO insists on enforcement is a catch-22 where if people choose not to accept cookies, then sites will have to keep asking them if they want to accept cookies – because they will not be able to set a cookie indicating their preference.
What, then, is to be done?
A Year’s Grace
The good news is that the ICO has recognised the complexities in implementing this legislation. As described on the BBC Web site:
UK websites are being given one year to comply with EU cookie laws, the Information Commissioner’s Office has said.
The UK government also sought to reassure the industry that there would be “no overnight changes”.
This provides the UK higher education sector with an opportunity to develop and implement appropriate and implementable solutions. We are seeing the Government providing indications that is looking to see “business-friendly solutions” being developed. Ed Vaizey, the Communications Minister, has suggested that the EU directive is “a good example of a well-meaning regulation that will be very difficult to make work in practice“. Perhaps this is an example of Government policies being in alignment with those working in higher education who wish to continue to make use of Web technologies to deliver a wide range of services.
How should the sector proceed? I feel it would be a mistake for Universities to work on their own in attempting to implement individual solutions based on institutional interpretations of the EU directive and trying to second-guess what may be deemed to be acceptable practices.
I am in agreement with those who suggest that the opt-in/opt-out requirement should be provided by the Web browser rather than on every individual Web site. It should be noted that Microsoft’s IE 9 and the latest version of Mozilla’s Firefox offer settings to protect users from services which collect browser data. In addition Google is working at integrating so-called ‘Do Not Track‘ technologies into their Chrome browser.
In addition to such developments to Web browsers it may be appropriate to explore the potential of machine-readable privacy policies such as W3C’s P3P standard which I discussed in a previous post. Although this standard has seen little usage since it was first published in 2002 the EU legislation might provide the motivating force which can encourage greater take-up.
At UKOLN’s IWMW 2011 event, which will be held at the University of Reading on 26-27 July, Dave Raggett will be giving a plenary talk on Online Privacy in which he will describe his EU-funded Privacy Dashboard work. The event might also provide an opportunity for those working in Web-management who have a good understanding of the implications of privacy policies on the services they provide to agree on a sector-wide approach which can be deployed in a year’s time.
There is a slot which is currently vacant at the event of the event. There is therefore an opportunity for a small group of University Web managers using the next two months to develop a proposal on how the sector might implement the cookie legislation in a year’s time.
Some thoughts on what could be addressed:
- Why cookies are needed and what concerns they raise. A briefing paper explaining these issues to policy-makers and end users. The briefing should have a Creative Commons licence which can help to demonstrate the efficiency savings being made across the sector by avoiding duplication of such work.
- What privacy policies should cover and possibly provision of privacy templates.
- Policies on preferred browsers and education on use of privacy preferences.
- Potential of use of machine-readable policies such as P3P.
I welcome your comments and feedback.