European citizens may be aware of there being an EU directive on electronic privacy, and that national governments in the EU are enacting this directive in national legislation.
As a UK company, we are affected by this. We will just be reporting from the perspective of the United Kingdom, but other countries in the EU will have similar issues.
Last Monday (9th May 2011) the UK ICO ("Information Commissioner's Office", run by my namesake, Chris Graham) released its official interpretation and advice based on the new law, which comes into effect on the 26th May 2011. This interpretation is particularly strict and has received harsh criticism from many quarters, and deservedly so: the official advice is unclear in many aspects, and so harsh that the ICO itself and virtually all UK government websites are currently unable to meet it. The time for implementation is particularly short, and in many ways it is entirely unrealistic (for example, Google Analytics is outlawed by any interpretation of it).
Fortunately the ICO are acknowledging the problems:
- on some level they are apparently trying to shift some responsibility to browser makers, to implement better privacy controls in them; I believe they feel their hands are tied by the fact that there is an EU deadline on the legislative implementation, and are trying to find a subtle political solution
- they have said that there will be a grace period for transition (although specifics are not stated)
- they have said that the level of compliance will be phased in; initially, externally-integrated services like Facebook Connect or Google Analytics would not (apparently) be considered a site's own responsibility
We have responded within 5 business days, having to make a number of changes to ocPortal. We have tried to make the most of this and take on the spirit of the legislation, which has some merit (automatic tracking of users across ad networks is a real privacy issue).
In order to make implementation of the legislation/advice viable in ocPortal, without causing considerable harm to usability, we have had to make a number of our own interpretations:
- We consider cookies acceptable where cookie values are only ever set to False or True, in such a way as to not pinpoint a user. We are not considering simple False/True values as data/information as understood by the legislation.
- We do not consider 'session cookies' (temporary cookies – removed when the web browser is closed) to be stored on the user's PC, as they are as transient as any other part of a web page.
- We do not consider cached pages as something we have explicitly stored on the user's PC (even though we have advised they may be stored).
- In accordance with the ICO advice about external interfaces being under a grace period, we are not removing Google Analytics support from ocPortal. We have set a number of Google Analytics options Google have made available to minimise cookie collection, and the onus is on Google to allow further control (or indeed to present some kind of legal challenge, which we suspect may happen, if the government don't just bury the legislation quietly).
We are not making the following interpretations:
- The ICO interpretation is very clear that we cannot put blanket advice out about cookies.
- The ICO interpretation is very clear that even essential cookies must be warned about, and the definition of essential is as strict as it could possibly be.
- We are assuming the legislation applies also to the site staff team, so we are warning about cookies set by systems such as OcCLE.
- The legislation makes no differentiation between websites owned by companies and private individuals.
We have negotiated all these issues extremely carefully, and I am pleased to say the new behaviours are inherently an improvement over the previous ocPortal scenarios. We have been careful to consider each cookie separately and either find a natural, non-intrusive way of advising on it (often by instead asking whether the user wants to save a setting or not), or remove it.
We have made the following changes to ocPortal (currently available in our subversion repository, and will be included in the next release):
- A new option controls the default check-status of the 'Remember me' login feature (default config option is for it to be off). If the default check-status is off and it is checked (ticked) then a message explaining the nature of login cookies is given. We are actually quite happy that this has given us the opportunity to express the security considerations relating to login cookies.
- Guest timezone detection is now disabled by default.
- Google Analytics cookie lifetime is now minimised, by default (there is an option to control it).
- Guest sessions are now stored with real session cookies until they interact with the shopping cart (after which they are extended, to preserve the cart).
- The user's screen size is no longer detected (the rendering code that used this has been restructured to use more conventional CSS).
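To make the session-cookie versus persistent-cookie distinction concrete (the basis of the guest-session and 'Remember me' changes above), here is an added example. It is not ocPortal's code; the function names, cookie names and lifetimes are assumptions chosen for illustration. A guest is issued a true session cookie (no Expires or Max-Age, so the browser discards it on close) until the cart is used, at which point the cookie is re-issued with a bounded lifetime; a persistent login cookie is issued only when 'Remember me' has been explicitly ticked. Secure and HttpOnly are set on every cookie.

```python
"""Added example (not ocPortal code): issuing transient vs persistent cookies.
Cookie names, lifetimes and function names are hypothetical."""
from http.cookies import SimpleCookie
from typing import Optional

# Assumed lifetimes: a week to preserve a shopping cart, 30 days for 'Remember me'.
CART_COOKIE_MAX_AGE = 7 * 24 * 3600
REMEMBER_ME_MAX_AGE = 30 * 24 * 3600


def build_cookie(name: str, value: str, max_age: Optional[int] = None,
                 path: str = "/") -> str:
    """Return a Set-Cookie header value.

    max_age=None produces a session cookie: no Expires/Max-Age attribute, so the
    browser drops it when closed. Secure and HttpOnly are always set so the cookie
    only travels over HTTPS and is not readable from page scripts.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["secure"] = True
    morsel["httponly"] = True
    if max_age is not None:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def guest_cookie(session_id: str, cart_active: bool) -> str:
    """Guest session cookie: transient until the visitor uses the cart."""
    lifetime = CART_COOKIE_MAX_AGE if cart_active else None
    return build_cookie("guest_session", session_id, max_age=lifetime)


def login_cookie(token: str, remember_me_ticked: bool) -> Optional[str]:
    """Persistent login cookie only when the user explicitly asked for it."""
    if not remember_me_ticked:
        return None  # the normal login session cookie would be issued elsewhere
    return build_cookie("remember_me", token, max_age=REMEMBER_ME_MAX_AGE)


def is_session_cookie(set_cookie_header: str) -> bool:
    """Check a Set-Cookie value: session cookies carry neither Max-Age nor Expires."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return not any(a.startswith(("max-age=", "expires=")) for a in attrs)


if __name__ == "__main__":
    # Constructed sample identifiers, not real session tokens.
    print(guest_cookie("3f9a1c", cart_active=False))
    print(guest_cookie("3f9a1c", cart_active=True))
    print(login_cookie("7b2e", remember_me_ticked=True))
```

Running the block prints the three header values: the first has no Max-Age, the second carries Max-Age=604800, and the third Max-Age=2592000. The `is_session_cookie` check is the kind of assertion an audit script can run over a site's responses to confirm that cookies the page describes as transient really are.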
We will be offering our commercial services to roll out these changes to sites. As it is not viable to upgrade every site on such short notice, these changes will need to be applied manually, for whatever versions of ocPortal are being used. Unfortunately we cannot do this work for free, as we are 'dropped in it' as much as anybody, with short notice and (in our opinion) a very poor official legislative interpretation. We don't intend to milk this commercially either – we are taking a stance of informing our customers of the situation, and letting the customers decide how to approach it. On one hand, it is highly likely that uncountable numbers of sites, including many government sites, will fail to comply with the ICO's legal interpretation. On the other hand, there is a legal imperative from a government department. So it is up to site owners to make this call; we are just providing some background details.
This document should in no way be taken as legal advice by ocProducts.