Wednesday 4 April 2012

Cookie latest: Keep calm and carry on

It’s official. I heard it myself on Monday afternoon directly from the Minister, Ed Vaizey, and the Information Commissioner, Christopher Graham.

They were both headlining a big cookies event, at the offices of the Department of Culture, Media & Sport. The DCMS is a pretty posh venue to use – I mean, who else can announce, without a smirk on their face, that no fire drills are expected during the event, but if one is activated, everyone should pop outside and regroup just across the road, in the middle of Trafalgar Square!

Anyway, back to the plot. The key messages were pretty clear. The Minister, after apologising for the blocked men’s loos, was keen to point out that that, we are talking about something which has turned into law, so businesses do have to find an effective and common-sense way of implementing it without causing too many problems for themselves or their customers. Customers need not be overwhelmed with choices or information they didn’t want (and therefore probably wouldn’t read). But, information ought to be available for those (those happy few) who wanted to read all about it.

Ed Vaizey
also pointed out that “consent” did not actually mean prior consent, and explained that the word “prior” had deliberately been removed from earlier drafts of the legislation, presumably to make this clearer. That view will probably cause some healthy discussion among the most dedicated of data protection professionals – but for me I’ll wait until the courts issue their own determination. Ed Vaizey was also keen to ensure that the digital advertising community (the UK has the second largest online advertising market in the world) should not discourage innovation, but it should still respect privacy concerns. Targeted advertising needs to be done right. We have to find solutions which engage users, and other speakers outlined their cunning plans to find solutions to give users more opportunities to exercise their options.

While the audience were probably encouraged by Ed Vaizey’s remarks on the (absence of a) requirement for prior consent, they were probably less encouraged by his view that analytics cookies were not those which looked as though they fell into the Strictly Necessary category (ie the category for which no kind of consent is required from the user). Christopher Graham shared the same view on the need for consent for analytics cookies, despite the French Data Protection Authority holding a different view. But the Commissioner did announce that the Article 29 Working Party was likely to issue an opinion which touched on this point at some time in the future. Presumably, all of the regulators will be locked in a room, and they’ll only be let out when they disagree with the French.

Presumably the CNIL will be persuaded to change their minds – perhaps after the forthcoming French Presidential elections, when the votes of French web masters will matter less.

Christopher Graham was also quite frank about the practical issues facing those who have already tried to comply with the rules – and really wasn’t suggesting that web masters follow the “clunky banner” approach initially adopted by the ICO. But, the ICO was one of the few organisations that really had to comply from day one. Otherwise, Christopher Graham would have had to report himself – to the ICO. So a quick and dirty solution was absolutely necessary.

But let’s be clear. He’s a regulator and the Minister (while not apologising to anyone for creating it) pointed out to us all what the law is. So, we need to be seen doing things to comply. We are not going to be permitted to slope off behind the regulatory bike sheds for a quick smoke, hoping to evade the entire exercise. It’s not like a school sport’s afternoon. The European Commission would really have a sense of humour failure if that were to happen.

So, we need to be doing stuff. In media speak, we need a narrative. Web masters need to decide how to comply in a responsible and proportionate way, and then they need to provide (or be capable of providing, should the information request come) assurances that the good work that has started will continue. Otherwise, the game’s up.

But, we must also watch the Commissioner for his actions as well as his words. We’re probably lucky that analytics compliance is probably not at the top of the Commissioner’s agenda, right now. If he loses sleep at night, it must be about the much more harmful activities that he and his team are currently preventing and detecting.

There is a shining star, and I’m determined to mention them today. If you want to see how this cookie stuff can be done sensibly and proportionately, take a squint at what our chums at British Telecom have achieved. Their website ( really does set the standard. It makes you proud to be British. No wonder they were allowed to become a sponsor for those summer games that are being held in London over the summer. I’m not sure if I’m allowed to mention the Olympics, so I won’t.

If I were a betting data protector, I would expect to see increasing numbers of folk pointing to the BT website soon and asking when all proper websites will be like that.

Another issue that came up (as it always does), is about how sensible web masters can provide information to users in ways that encourage them to want to know what’s going on, and even offer their consent (whatever that means).

Georgina Nelson, the great privacy lawyer from Which? Made the very sensible point that no-one wanted to read a privacy policy that was even longer than Hamlet. Yes, I agree. But how do we develop a language that is sufficiently engaging for web users? Well, as I’ve demonstrated on previous occasions, the Bard I ain’t. I did think setting a cookie policy as a sonnet. But I ran into trouble cramming it all into 14 lines. I didn’t even bother trying to set it as a Haiku, which is a Japanese lyric verse which contains just three unrhymed lines of five, seven, and five syllables.

In desperation, and in honour of Georgina, I’ve written a cookie policy in the form of three limericks – totaling some 15 lines. I’m not sure just how (un)compliant the ICO feels it is, but I would be very happy to publish anyone else’s efforts!


If you want to know what we do with your data
We will tell you a little bit later
We use cookies to find stuff
Of which you can’t get enough
And targeted adverts to tell it to you straighter

We actually think you would want to consent
To see our web site as it was really meant
Just configured for you
With a background in blue
And a special discount on your favourite scent

To those who say “Oh my
Those consent rules - how do you comply?”
With simple writing and prose
We explain what we think everyone knows
So your approval we can mostly imply