Cookie information

I've been around the block on this subject a few times.

This board sets a (usual) bunch of Google Analytics cookies (__utma, __utmb, __utmc, __utmz).

The following (what I would call 'site-admin') cookies are specific to the operation of the board, and seem to be based on IP interrogation:

bb_lastactivity (permanent cookie, duration 1 year)
bb_lastvisit (permanent cookie, duration 1 year)
bb_np_notices_dislayed (session cookie, deleted when quitting browser)

The above two categories of cookies are set whether one is logged in or not, i.e. it would appear they are set irrespective of whether one is a member.

The law requires cookies to be set only with a visitor's consent. This consent is required prior to the cookies being set. The consent has to be an informed one.

In respect of members, this consent can be considered granted by virtue of their consent to agreeing to the terms and conditions of the board. (That doesn't absolve the requirement to explain what the cookies do in those board terms and conditions however.) In respect of non-members, the consent cannot be considered to be so granted.

For Google Analytics cookies, the nature of what constitutes 'consent' varies across EU Member States. The UK's Information Commissioner's Office is (unofficially) receptive to the notion of implied consent being acceptable for cookies used solely for anonymised analytics purposes - although GA data does record an IP address, they cannot in themselves be used to identify anyone personally. It would seem that the board does not host any 3rd party cookies or scripts that read the Google Analytics cookies, so it is a reasonable assumption that they are being used solely for anonymised analytical purposes. Google does not share its GA site analytics data with any other party. Indeed, it is a condition of service for GA that they are not used for purposes other than anonymised analytic purposes.

That's the official Google line, but Google has got itself into hot water lately over its breaking of security features in some browsers, and it is likely that the FDA will impose a massive fine on Google as a result. Google is also in the middle of a high-stakes cat and mouse game with the EU concerning the recent controversial harmonisation of Google's privacy policies: CNIL, the French Regulator, acting on behalf of the EU, sent Google a detailed questionnaire a month or so ago. Google has responded in part, but its answers to the remaining questions have not yet been published. Crucially, Google have yet to answer the CNIL questions about whether they use GA data for Online Behavioural Advertising (OBA). The absence of ads on for3.org is not relevant in this respect. If it is revealed that Google is using GA data for any kind of OBA, then all hell will let loose, and the 'turning a blind eye' to the need for consent to GA cookies is likely to undergo an about-turn. In effect, pending Google's responses to CNIL, if consent for GA cookies is seen as mandatory under the law, it will mean the death of client-side analytics.

My current personal view is that GA cookies are in themselves benign, and I will not be seeking user consent for them on a website I run. Please note this is contrary to the strict letter of the UK law. GA cookies consent is at the bottom of ICO's agenda - it will have a lot more pernicious cookie and ad-tracking mechanisms to stamp down on. ICO's guidance note includes:


The for3.org server is based in the States, so is immune to EU law. Currently there is no requirement to obtain cookie consent outside the EU. However, my guess is if a 'webmaster/administrator' (a party having prime control over the 'content' of a site, to use a loose definition) is based in the EU, the site will be expected to comply. Where the domain is registered and where the server happens to be are likely to be secondary considerations. The ICO guidance document includes:


In other words, ICO admits it is powerless about non-EU hosting, but expresses an aspiration that non-EU hosting too will comply.

The chief focus of regulatory concern is likely to be on 3rd party behavioural/user-profiling tracking cookies, and social website interactivity. (Neither of these areas are present in for3.org as far as I can tell.) The two main factors driving ICO in the immediate post-May months will I think be a complaints-driven strategy coupled with their ongoing desparation to see a browser-based solution, the latter becoming more and more hopelessly flawed and confusing in my personal view, and it's certainly not going to roll out properly within a year or so. And please note the proposed 'do not track' schemes are only requests - it seems likely that the response from the adserver industry will be at most to cease targetting, but continue tracking.

That being said, doing nothing is not an option. What ICO is looking for in the short term is an indication that publishers are doing something, albeit imperfect best intentions, so I would suggest:

- Given that cookies are being set irrespective of forum membership, a 'Privacy and cookies policy' page should be compiled and made visible;

- A reference to the Privacy and cookies pages should be prominent on each page of the forum (in a header, typically).

- The Privacy and cookies page should detail what personal information is being held, and what each set of cookies does. (The law still expects an explanation of what the cookies do, even for members.)

- Make a reference from the Board Terms and Conditions to the Privacy and cookies policy page.

As to the consent mechanisms needed (or not) for the site cookies, those can be considered at more leisure. As indicated above, my personal view is that consent need not be obtained for GA cookies provided what they do is explained. In respect of the IP-based 'site-admin' cookies, it is a moot point whether they can be regarded (from a regulatory point of view) as 'essential to the operation of the site', and therefore regarded as immune to the need for consent. The fact that they are set irrespective of membership is unfortunate, and indicates that a consent mechanism is probably required. It would be useful to know exactly what the three site-admin cookies do, and that they weren't being interrogated by Yahoo servers (I don't think this is the case, and I can't detect any Yahoo cookies being set, but it would be good to have the reassurance). The key consideration on the site-admin cookies is whether they carry personally-identifiable information.

The only 3rd party cookies likely to be encountered in for3.org are from embedded Youtubes. In conventional embedding, Youtube cookies are set as soon as the page on which the video is embedded is loaded. If they are embedded in what Youtube call 'privacy-enhanced mode' (sic), the cookies are still set, but not until the video is actually played. This delayed cookie setting mechanism can be explained upfront on the Privacy and cookies page, and is a useful way of circumventing the need to gain consent. (Otherwise, if Youtubes are embedded normally, the only option is to insert a consent mechanism on the site/page, and to hide the video code until the consent is granted.) It would be difficult if not impossible to expect users to embed Youtubes in the privacy-enhanced mode, so it looks likely a forum-wide consent mechanism will be needed. It does however depend on the settings of a user's browser, and information on this (e.g. blocking 3rd party cookies) is probably a more pragmatic recommendation, at least in the short term. 3rd party cookies are a real pain to deal with under the new law.

Don't worry unduly about the 26 May 'deadline'. ICO has a lot more important things to take care of before it considers little membership forums like this one.

Russ

I think that would be what is called 'a comprehensive' reply. Most of it I don't understand. But, yes, I remember now there are some settings which rely on specific cookies to make the forum behave as it's meant to (in 'knowing' for instance, which threads have been read and which not).

I will refer this to our web manager

It's been an eventful few days in the cookielaw world. Whilst most of what I wrote above remains true, there has been a significant development. Two days before the deadline for commencing compliance with the law, ICO's version 2 guidance document (of December 2011) remained in place, this aligning closely with the fundamental principle of the law, namely that cookies should not be served until the user had given informed consent. The process mandated was known as 'Opt-in' ('Opt-out' being verboten).

On 25 May, one day before the compliance deadline, ICO issued version 3 of its guidelines. It embodied a complete u-turn, and signalled a green light to implied consent. At a stroke, Opt-in was still In but Out, and Opt-out was now In.

Strangely enough, some of the big publishers (FT, Mirror, BBC, Telegraph, Guardian, C4), probably acting in cahoots in order to present a united front, rolled out 'Opt-out implied consent' implementations on the same day. Needless to say, all hell let loose, many companies being understandably furious at having spent thousands on complex and user-unfriendly version 2 rollouts only to be presented with the far easier version 3 option. ICO's credibility had been consistently low throughout the process of the Directive's transposition, but now it was worse than rock-bottom.

Whilst the above opt-out implied consent implementations have the virtue of complying with a particular reading of the UK regulator's guidance, it should be noted they are completely illegal according to the letter of the law. Apart from being somewhat hilarious, no one seems the slightest bit concerned about this. Even the European Commission websites can't be bothered to comply with their own Directive. Viviane Reding, the EU's Data Commissioner, will privately be furious at such an abject political failure: the cookielaw is dead.

As far as this forum is concerned, there is no need for a continuously visible notice to members in respect of cookies: ff's sidebar note, which perhaps should be carried in Announcements, can be referenced from the forum conditions we all sign up to when we join. Non-members get issued with substantially the same set of cookies, and a simple note somewhere saying "If you continue to visit this forum, we'll assume that you are happy to receive cookies." would suffice, but I think even that is not necessary because of the nature of the cookies involved. It would help however to have a 'Privacy and cookies' page, where suitable opt-out avenues can be notified.

Russ

Russ

Many thanks for that run-through. I did pick up (somewhere) the news of the IC's last-minute U-turn. I'll probably produce a new Privacy + cookie page.

I think I might be able to add something to the 'yellow message' which says: 'If this is your first visit ... &c &c' which would be a good, visible place to put it.