BBC news website's answer to the new cookie legislation

J-Wholesale · May 24, 2012

If you're determined to go all out and follow the (confusing) directions, it's probably safe to use the BBC as a template. This only appears once at the top of their website, so blink and you'll miss it.

MH-Nick · May 25, 2012

Although I don't support the law, I don't think the BBC would be fully complying with this method, as "assuming" approval isn't the same gaining approval from the user. The law prevents the use of cookies until the user has granted it. That said, the deadline is tomorrow, so the BBC may change.

In regards to penalties, the the ICO have stated that monetary penalties can only be issued for a "serious breach that's likely to cause substantial damage to people". I don't know how they interpret that, but it could well be the majority of sites will not cause "substantial damage" with their use of cookies.

I am surprised that in that video they admit they're working with browsers yet still require individual sites to take action in the mean time.

andygambles · May 25, 2012

Add that the majority of government websites fail to comply - including the ICO who admit that they are working with their CMS provider to remove some cookies.

MH-Nick · May 26, 2012

andygambles said:
Add that the majority of government websites fail to comply - including the ICO who admit that they are working with their CMS provider to remove some cookies.

The last I checked (a few months ago) their website was compliant. Are you referring to another section that isn't?

andygambles · May 26, 2012

MH-Nick said:
The last I checked (a few months ago) their website was compliant. Are you referring to another section that isn't?

http://www.ico.gov.uk/Global/privacy_statement.aspx

4th box down.

termsandconditions · May 26, 2012

Hands up - I'm illegal already. Still trying to get my web developer to give me a straight answer on the cookies I have on my site. All I have is a couple of session cookies but which of the first three categories of naughtiness they fall into I have no idea. Aside from this, have found out the developer installed the Google Analytics cookes on my site but as I've never had a bean of data may just get them to remove Analytics altogether.

Read yesterday that ICO are planning to build some sort of informers site whereby the browsing public (or one's competitors!) can shop your site as being non-compliant. Eeek!

Posilan · May 26, 2012

http://www.guardian.co.uk/technology/2012/may/26/cookies-law-changed-implied-consent

Cookies law changed at 11th hour to introduce 'implied consent'
Alteration to regulations may leave Britain out of step with EU law in implementation of continent-wide directives

New EU regulations on the use by British websites of cookies have been watered down by the UK's information commissioner just hours before they were due to come into force.

But they could mean that Britain is out of step with EU law in its implementation of the continent-wide directives, and lead to fights with European courts.

In an updated version of its advice for websites on how to use cookies small text files that are stored on the user's computer and can identify them the Information Commissioner's Office (ICO) has said that websites can assume that users have consented to their use of them.

The advice was only updated on Thursday, 48 hours before the deadline for implementing the new rules, and published the next day.
"This is a striking shift," said Stephen Groom, head of marketing and privacy law at the law firm Osborne Clarke. "Previously the ICO said that implied consent would be unlikely to work. Now it says that implied consent is a valid form of consent."

The use of "implied consent" shifts responsibility to the user rather than the website operator, and will come as a relief to thousands of website operators who have been struggling to comply with new EU directives which came into law a year ago.

Nuno · May 26, 2012

Does anyone know if this implied consent in the Cookie Law might be used as an argument to justify sending Newsletters without double opt in, and from there, spam?

Just a thought.

andygambles · May 26, 2012

Nuno said:
Does anyone know if this implied consent in the Cookie Law might be used as an argument to justify sending Newsletters without double opt in, and from there, spam?

Just a thought.

There is already laws covering this. No double opt in required.

ily0405 · May 27, 2012

All I have is a couple of session cookies but which of the first three categories of naughtiness they fall into I have no idea.

JElder · May 28, 2012

What are the cookies for?

ScotComp · May 29, 2012

Is there any scripts out there that allow us to offer a similar system as the BBC? I know there are loads of scripts out there that will allow the 'Yes' or 'No' options on the front page, but I think the BBC's way is far better.

andygambles · May 29, 2012

ScotComp said:
Is there any scripts out there that allow us to offer a similar system as the BBC? I know there are loads of scripts out there that will allow the 'Yes' or 'No' options on the front page, but I think the BBC's way is far better.

Implied consent is now acceptable. So no need really. Just have an obvious privacy policy on every page and detail all the cookies you set. That is my implementation anyway.

CompactLaw · May 29, 2012

Andy is right.

The guidelines were changed at the 11th hour to make consent implied.

Dramatic change, probably due to pressure from some larger websites, and the fact that very few government websites actually complied.

(We have some free background info on our website.)

But websites still need a clear Cookies Policy, Privacy Policy and the usual Terms & Conditions.

Regards

Becky

James_Hogan70 · May 30, 2012

It occurs to me, that any users disabling cookies, will - as an 'unknown' user - be served the 'cookie notification' message on every site they visit from now onwards. I wonder if webmasters have thought of that(?) Or how long they will need to display the notification for(?). I don't know the legislation intimately, but my guess will be indefinitely!

MartCactus · May 31, 2012

ScotComp said:
Is there any scripts out there that allow us to offer a similar system as the BBC? I know there are loads of scripts out there that will allow the 'Yes' or 'No' options on the front page, but I think the BBC's way is far better.

We've got something that is modelled on the BBC cookie notification, available to download free

EU cookie law compliance - free script

lynxus · May 31, 2012

James_Hogan70 said:
It occurs to me, that any users disabling cookies, will - as an 'unknown' user - be served the 'cookie notification' message on every site they visit from now onwards. I wonder if webmasters have thought of that(?) Or how long they will need to display the notification for(?). I don't know the legislation intimately, but my guess will be indefinitely!

Yep, If you disable cookies the user will be forever pestered about it.

FreelanceSoftwareDeveloper · May 31, 2012

MartCactus said:
We've got something that is modelled on the BBC cookie notification, available to download free

EU cookie law compliance - free script

Just had a look at the code and that's how I did something similar recently for an alcohol distributor that required age verification.

You can avoid having to add the html to every page by loading it from the JS file using ajax if the acceptance cookie isn't set. Does rely on JS being enabled though.

Code:

var age_check = readCookie("over18");
    
    if(!age_check) {            
        $.get("/includes/over18.php", function(html) {
            $("body").prepend(html);
            $("#yes18").click(function() {         
                createCookie("over18", true, 365);
                $("#box18").remove();
            });
        });
    }

MartCactus · May 31, 2012

FreelanceSoftwareDeveloper said:
Just had a look at the code and that's how I did something similar recently for an alcohol distributor that required age verification.

You can avoid having to add the html to every page by loading it from the JS file using ajax if the acceptance cookie isn't set. Does rely on JS being enabled though.

Code:

var age_check = readCookie("over18"); if(!age_check) { $.get("/includes/over18.php", function(html) { $("body").prepend(html); $("#yes18").click(function() { createCookie("over18", true, 365); $("#box18").remove(); }); }); }

Yes good point - you could write the html in the js - main reason we avoided that is it makes it more difficult to edit the html should people want to do that.

CompactLaw · May 31, 2012

As consent is now "implied" the regulations have effectively been made pointless.
Prior consent is not required.

A clear written cookie policy is still required.
But prompts to accept cookies are not required.

Is this script for seeking prior consent or just to ask users to turn cookies on?

MartCactus · May 31, 2012

CompactLaw said:
As consent is now "implied" the regulations have effectively been made pointless.
Prior consent is not required.

A clear written cookie policy is still required.
But prompts to accept cookies are not required.

Is this script for seeking prior consent or just to ask users to turn cookies on?

This script works like the one on the BBC news site - it merely informs users that cookies are being used, and gives a link to more info, plus a button to clear the message.

The implied consent change from the ICO still makes it clear that hiding away cookie consent in a privacy policy that might not be read is not sufficient. The change in interpretation is that you no longer have to ask for consent - you can just make clear that you are using cookies, and therefore the user's continued use of the site is implied consent.

Of course this isn't going to go to court, so I wouldn't have any concerns about "breaching" the law. But these sorts of things do worry our clients (some of whom are in regulated industries and professions where strict adherence to the law is deemed critical).

CompactLaw · May 31, 2012

Classic government fudge.
Our concern is that any kind of notification about cookies could lead to a drop in users and customers for ordinary websites.

The likes of the BBC or BT do not need to worry about that, but everyone else does.

(Some of our clients have already moved their websites to servers outside the EU, with registered offices to follow. All because of a ill-conceived regulation.)

We have spoken to the ICO several times, definitely get the feeling that enforcement is going to be very light on this. Also the bar is quite high in order to actually fine any website.

For purely commercial reasons would not be rushing to alert / panic users about cookie use.

Awkward situation though.

Cookie Consent

Essential

Analytics

Marketing

BBC news website's answer to the new cookie legislation

MH-Nick

MH-Nick

ily0405

James_Hogan70