UK Web Focus (Brian Kelly)

Innovation and best practices for the Web

How Should UK Universities Respond to EU Cookie Legislation?

Posted by Brian Kelly on 26 May 2011

Confusions Over Cookie Legislation

The EU’s Privacy and Communications Directive comes into force at midnight tonight (26 May 2011).  This requires user’s consent before using cookies – the text files which are used for various purposes including storing browsing information.

The UK Government’s Information Commissioner’s Office (ICO) have provided guidelines on how Web site providers can implement such legislation.  However, as pointed out by the JISC Legal service, differences in interpretation of the legislation by Ministers, the  Internet Advertising Bureau and the ICO have led to uncertainties as to what needs to be done.  The JISC Legal post concludes by highlighting such uncertainties:

This does leave website operators with a tricky decision:

  • make changes to their websites now in order to implement a belt-and-braces, but clumsy, can-we-use-cookies explicit permission each time a user visits;
  • wait until the government’s guidance on interpretation emerges, and take a view then as to whether to implement an explicit each-visit permission question;  or
  • hope that browser suppliers make the necessary changes soon enough such that website operators need do nothing.

Perhaps we should be looking to the ICO to see how it has implemented the legal requirements on its Web site. As can be seen from the following image the ICO’s Web site has introduced a new text area at the top of every page which requires users to click on the accept box.

I think it is clear that this is a very flawed solution. Not only is it very ugly, but it also appears to force users to accept cookies (not the message “You must tick the ‘I accept cookies from this site’ box to accept” was displayed after clicking on the Continue box without selecting the option to confirm acceptance of cookies.

The Guardian has pointed out significant flaws in the legislation on its Technology blog:

One problem sites are wrestling with if the ICO insists on enforcement is a catch-22 where if people choose not to accept cookies, then sites will have to keep asking them if they want to accept cookies – because they will not be able to set a cookie indicating their preference.

What, then, is to be done?

A Year’s Grace

The good news is that the ICO has recognised the complexities in implementing this legislation.  As described on the BBC Web site:

UK websites are being given one year to comply with EU cookie laws, the Information Commissioner’s Office has said.

The UK government also sought to reassure the industry that there would be “no overnight changes”.

This provides the UK higher education sector with an opportunity to develop and implement appropriate and implementable solutions. We are seeing the Government providing indications that is looking to see “business-friendly solutions” being developed. Ed Vaizey, the Communications Minister, has suggested that the EU directive is  “a good example of a well-meaning regulation that will be very difficult to make work in practice“.  Perhaps this is an example of Government policies being in alignment with those working in higher education who wish to continue to make use of Web technologies to deliver a wide range of services.

How should the sector proceed?  I feel it would be a mistake for Universities to work on their own in attempting to implement individual solutions based on institutional interpretations of the EU directive  and trying to second-guess what may be deemed to be acceptable practices.

I am in agreement with those who suggest that the opt-in/opt-out requirement should be provided by the Web browser rather than on every individual Web site. It should be noted that Microsoft’s IE 9 and the latest version of Mozilla’s Firefox offer settings to protect users from services which collect browser data. In addition Google is working at integrating so-called ‘Do Not Track‘ technologies into their Chrome browser.

In addition to such developments to Web browsers it may be appropriate to explore the potential of machine-readable privacy policies such as W3C’s P3P standard which I discussed in a previous post.  Although this standard has seen little usage since it was first published in 2002 the EU legislation might provide the motivating force which can encourage greater take-up.

At UKOLN’s IWMW 2011 event, which will be held at the University of Reading on 26-27 July, Dave Raggett will be giving a plenary talk on Online Privacy in which he will describe his EU-funded Privacy Dashboard work.  The event might also provide an opportunity for those working in Web-management who have a good understanding of the implications of privacy policies on the services they provide to agree on a sector-wide approach which can be deployed in a year’s time.

There is a slot which is currently vacant at the event of the event.  There is therefore an opportunity for a small group of University Web managers using the next two months to develop a proposal on how the sector might implement the cookie legislation in a year’s time.

Some thoughts on what could be addressed:

  • Why cookies are needed and what concerns they raise. A briefing paper explaining these issues to policy-makers and end users.  The briefing should have a Creative Commons licence which can help to demonstrate the efficiency savings being made across the sector by avoiding duplication of such work.
  • Documenting ways in which widely used applications and technologies currently use cookies (e.g. Google Analytics, CMS systems, portals and other personalisation tools, etc.). Documentation of the implications of users opting out of use of cookies in use of these applications
  • What privacy policies should cover and possibly provision  of privacy templates.
  • Policies on preferred browsers and education on use of privacy preferences.
  • Potential of use of machine-readable policies such as P3P.

I welcome your comments and feedback.


14 Responses to “How Should UK Universities Respond to EU Cookie Legislation?”

  1. Whilst my initial reaction was that this should be something dealt with by the browser too – I’ve since tried to think a little more around the complexities of this.

    One of the things that the legislation is trying to address is that there are different uses for cookies – some of which reveal more personal information than others. By contrast, current browsers allow only one type of automatic filtering: for third-party cookies, which is fairly crude and can be gotten around by websites proxying cookies for third-parties anyway). The only alternative is an “ask me” option, where the user has to make a decision about each and every cookie via a not-very-informative dialog box which interrupts the viewing of the page and soon gets annoying.

    So it does kind of make sense for websites to provide a little more information about how the cookies will be used. Typically this has been done via privacy policies – but no-one reads those. The alternative suggested by the ICO is for a bunch of text which the user should read and agree to before a cookie is set. This is the most comprehensive – but still not the greatest experience (no-one wants to have to read that much before using basic webpages).

    Mozilla have started to explore how to codify different uses of private data via a set of icons: – but that’s still work in progress.

    Alternatively, perhaps there should just be some reasonable set of rules about how data should and shouldn’t be used (eg no sharing with third parties, max retention limit, etc) – and then we wouldn’t need to ask the user at all. That would, however, cause a lot of trouble for the online advertising industry.


  2. Its interesting to read how the BBC are addressing this issue. In How BBC Online will meet changes to UK cookie laws they say

    Today we’re publishing an updated list of the main cookies in use across BBC Online and what each is used for. It also tells you how you can control cookies by setting your computer, mobile or other device to notify you when a cookie is issued, or to opt out of cookies altogether.

    This advice is akin to accessibility instructions found on many sites e.g. change text size by …

    It’ll be interesting to see how this area develops


    • It strikes me that there are many parallel with Web accessibility. When SENDA legislation came into force there was a feeling that this meant that there was a legal requirement to enforce WCAG conformance – despite the fact that in 2003 only 3 University home pages conformed with WCAG AA and in 2004 this had only risen to 7 – see findings.

      We subsequently learnt that WCAG simply documented a set of technical guidelines – and that these guidelines were flawed an not universally applicable. In addition we discovered that the emphasis of the accessibility of the digital resource was misplaced – various guidelines could not be implemented if non-UAAG browsers were used. We needed a more realistic approach – and we have seen that in last year’s release of BS8878.

      I think we need to avoid repeating mistakes made in the past. Let’s look at what realistic approaches may be deemed appropriate (and the Government has hinted that this is an approach it favours). And also lets explore which approaches can be taken beyond the Web site – such as providing user education, encouraging use of browsers which support privacy standards and providing policy statements in machine-readable formats.

  3. Brian
    I’ve been having a look at the legislation and guidance with my maths graduate hat on (the law graduate hat is lying down in a darkened room!) and my current theory is that there are three classes of cookies – those without which the site won’t work, those that are mainly “for” the user and those that are mainly “for” the server. I think/hope the first two of those are relatively straightforward to achieve compliance, but the third one is a lot harder (as the ICO site demonstrates). Draft analysis is on my blog, and comments (and counter-examples) would be very welcome.

    It’s a very long time since I was involved in the nuts and bolts of web servers (P3P is still a promising new technology, as far as I remember!), but feel free to get in touch if it would be useful to compare notes.


  4. The ICO has provided some extremely clear guidance, both in general and specifically about current browser support (i.e. far from good enough to support the Directive). They even say that sites shouldn’t feel compelled to copy their implementation.

    It would probably be a mistake for almost anyone to do anything relating to third-party cookies until Google actually make a statement about the effect this legislation will have on Google Analytics. I think only two EU countries have implemented the full Directive, so it would be interesting to see what they’ve done with these kind of tracking services.

  5. Specifically, changes to their site here: and stuff about browsers in here

  6. […] is a good summarising piece here:… written by Brian Kelly from UKOLN, and he must be right because he has a […]

  7. […] programme for the event has been finalised in light of various recent announcements (such as the Cookie legislation and the requirement for Universities to publish data related to the services they provide) we are […]

  8. […] Issues To Be Thinking About Now.  Since every University will this year have to be considering how to respond to the new cookie legislation, this will be of interest to […]

  9. […] in May 2011 I asked How Should UK Universities Respond to EU Cookie Legislation? The context to this post was the EU’s Privacy and Communications Directive which officially […]

  10. […] nouvelle, l’arrivée cette fonctionnalité est liée à un partenariat commercial entre Automattic, la société éditrice entre autres de et Askimet, et Federated […]

  11. […] 26 May 2011 I asked How Should UK Universities Respond to EU Cookie Legislation? The post was published the day before UK government legislation based on the EU Directive […]

  12. […] year ago today I wrote a post entitled How Should UK Universities Respond to EU Cookie Legislation? The post was published a few hour’s before the cookie legislation was originally intended to […]

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: