(Added) A version of this blog post has been published by Society for Computers & Law.
The grace period in the UK for complying with the EU cookie law expired towards the end of May 2012. When even UK government sites are behind in complying, how are organisations meeting the challenge - or are they? For instance, KPMG reported on 6 June that, of the 55 major UK organisations whose websites they analysed, 80% were not compliant, which in KPMG's view meant "gaining users’ consent and giving them the option to change cookie settings".
On the basis that top London technology law firms and data protection law experts might be more motivated than most to be seen to be compliant, I investigated their websites - 29 firms in total. I also had a quick look at some data protection regulators' websites.
I have not yet analysed the content of those firms' cookie or privacy policies, just their chosen compliance mechanics, although the adequacy of information given in those policies of course affects compliance.
Embedded at the end of this blog is a table of the results, for ease of reference. However the full webpage, setting out how top London IT law firms are complying with the cookie law, will be more easily usable - the table can be viewed horizontally in full there, and includes further notes on abbreviations, methodology etc.
The following are some key points and lessons learned that may be drawn from the survey results.
Immediate session cookies
Almost all of the firms involved set at least one session cookie immediately on visiting their site, reflecting the dependence of many sites on cookies. This was so even for firms with explicit consent mechanisms.
Lack of cookie notice, and cookie minimisation
Lack of clear links to privacy or cookie policies may not necessarily indicate non-compliance.
The firm concerned might have chosen not to set many cookies in the first place, eg only a few session cookies, and so may have decided that it didn't need a cookie notice.
Methods of compliance
Most of firms involved simply displayed a link marked "Cookie Policy" or similar.
6 firms (ie 21% of those surveyed) used "pop-up" messages. Only 2 of these firms (7%) centred their messages in the middle of the webpage; the other 4 firms (14%) displayed their messages at the bottom of the page. In 2 cases, the message was not even "sticky", ie it did not follow the viewer, but disappeared from view if they scrolled down the page (perhaps an inadvertent coding issue).
9 firms (31%) included "Cookie" or "Cookies" in a link, of which 4 (14% of all firms surveyed) highlighted the link using a different colour, symbol or uppercase. 3 of those firms positioned the Cookies link at the top of their webpages, 2 included the link both at the top and bottom, and the rest at the bottom only. In other words, only 5 firms (17%) had a clear Cookie link at the top of their webpages. One firm had an interesting hybrid solution with a short notice and cookies policy link at the bottom of its webpages, plus a button to disable cookies from the site.
The other 14 firms (48%) only displayed a "Privacy Policy", "Privacy Statement" or similar link at the bottom of their webpages, without specifically mentioning "cookies", or else (in 3 cases, ie 10%) displayed no privacy policy link on their home pages at all.
Compliance mechanics - types and effectiveness
Even firms with "pop-up" messages set session cookies automatically, on arrival at the website.
Most pop-up messages stated that use of the site (and/or clicking elsewhere on the page) would be taken as consent or result in their use of cookies, ie implied consent.
1 firm simply stated in its message (with a cookie notice link) that clicking elsewhere on the page would be consent, and activated cookies on the visitor so clicking. Its "Cookie Consent Tool", while separated from the notice, did allow users to accept particular cookies in a granular fashion (although only one was listed, ie Google Analytics).
Only 2 firms offered Yes/No options, ie the option to refuse. Selecting the No option resulted in a cookie being set, to record the refusal. One provided a "What happens if I say No?" message, and the option for the visitor to record their preference permanently.
3 firms offered no "No" buttons, but simply displayed one button with "Yes" or similar, so that therefore clicking the button would be consent - ie "OK hide this message", "If you are happy with cookies please click 'Proceed'" (with a Proceed button), and "I consent to cookies from the site" (with a Continue button).
These messages might suggest that cookies would be set only if the visitor clicked Yes or Proceed etc, but in fact cookies other than necessary session cookies (notably Google Analytics and AddThis), could still be set automatically, even before the visitor had consented. Indeed, in one case, all the Proceed button seemed to do was to get rid of the cookie message; cookies were set anyway, whether the visitor clicked the button or not.
Of firms choosing to provide a consent mechanism, in fact only 2 firms correctly stopped all cookie-setting scripts from running unless and until the visitor clicked Yes, Proceed or the like. It is not clear whether this reflects defects in their implementation, or deliberate decisions on their part.
Only 1 firm made it impossible (if Javascript is enabled) to click through to other parts of its site without clicking Continue, ie explicit consent to cookies was effectively made a pre-condition to allowing visitors to use the site. (With messages at the top of the bottom the site is still usable without clicking anything. This centred modal message is in my personal view the best way to ensure clear explicit consent, nudging the visitor to click Continue or Close without interfering too much with usability or the user experience; that method is also used by the Financial Times.)
While 1 firm offered a "disable cookies" button, clicking it did not seem to stop Google Analytics from setting cookies nevertheless.
The above therefore indicates that even firms which appeared, from their messages, to prevent cookies being set until the user had consented, nevertheless set non-necessary cookies, so their mechanisms may not work as effectively as might initially seem to be the case.
Implied consent
The above suggests that most of the firms surveyed decided to rely on notification or implied consent only (nearly 80%, more if you count the firms that seemed to use explicit consent mechanisms but set non-necessary cookies anyway!). This may be a sensible pragmatic decision, as recent research by tag management firm Qubit, reportedly based on over 1/2 million user interactions since the grace period ended, has indicated that:
- explicit consent - specifically asking users to agree to enabling cookies - resulted in only 57.2% consenting, ie some 43% rejecting cookies
- implicit consent - notifying users about cookies and giving them the option to disable them - produced 99.7% (implied) acceptance
- notification only - ie a simple notice about cookies - resulted in 99.9% "consent".
Analytics cookies
Google Analytics was by far the most popular web analytics service, used by 25 of the firms ie 86% (see the preponderance of yellow highlights in the table).
Only 4 firms (14%) didn't use it, apparently using their own solutions or IBM-owned unica.com, the second most popular analytics/marketing service (which some other firms used in addition to Google Analytics).
Google Analytics scripts set cookies as standard, and technically Google Analytics cookies are first party rather than third party cookies, although it is not clear whether regulators view them as first or third.
I have not yet checked what information the firms concerned have provided in their cookie policies regarding their use of Google Analytics, and in particular to what extent they have disabled sharing of their analytics data with Google. In my view that would be an important disclosure to make.
Blogs or sub-sites hosted by a third party
A few firms had blogs or sub-sites hosted by a third party service.
Free external blogging platforms often set several cookies, and it is generally impossible for the blogger to control what cookies are set. This is only within the control of the platform, who may provide bloggers with such control if they wish (but invariably they don't). The blogger's only choice is as to which platform to use, and personally I feel that the main responsibility for compliance here ought to be on the blogging platform rather than the blogger.
A firm's cookie or privacy policy may not flag all cookies set by blogging platforms; arguably it should. I didn't check all the notices involved, or locate all externally-hosted blogs used by these firms, but it seemed there was a risk that information about such cookies could be omitted from the firm's policy/notice.
Other third party services, including social media buttons
Several firms ran social media sharing scripts, notably AddThis (with a couple of ShareThis users) and Twitter.
These externally-created scripts often set cookies. However, firms did not necessarily prevent such scripts from running until the visitor had consented - even firms that displayed a specific cookie message.
While I have not checked the content of all these firms' cookie or privacy policies yet, I would hazard a guess that not all firms will have disclosed the setting of these social media cookies.
Yet these cookies can potentially be as privacy-invasive as behavioural advertising cookies are generally considered to be. Recall for example the debacle regarding the NHS's insertion of Facebook Like code on their site, enabling Facebook to track people across sites.
Again, this raises the issue of responsibility for third party scripts which a site or blog includes on its own webpage. Personally, I believe the main responsibility should lie with the third party service that produces the script and controls the script's functions, including the cookies it sets and reads. This is particularly so in the case of individual bloggers or SMEs with little IT expertise, who would not be in a position to evaluate the purpose or effect of the third party script that the third party markets only as a tool to help the blog or site add sharing buttons that make it quicker and easier for visitors to share or publicise the site.
From the site's viewpoint, it is possible to include social sharing buttons without running the service's scripts (and setting their cookies). A couple of the firms surveyed in fact did so.
As for other third party web services, several firms included Google Maps or Google Custom Search on their sites. The Google code may allow Google to set cookies.
Again, have these firms prevented the Google scripts from running until the visitor has consented (if choosing to offer an explicit consent mechanism)? Can they implement these third party services in a way that doesn't set Google cookies? (at least one of the firms involved had, but others hadn't). Firms using Google services need to consider this issue, but it seems not all have.
Checking the whole site and sub-sites
Consistency matters. If a site chooses to include a cookie message, or pause setting of cookies until consent is given, it needs to check that all its pages and sub-sites include it.
As flagged above, this wasn't always the case, eg a firm's sub-site might set Google, Google Analytics or AddThis cookies without any cookie message, and indeed even if the visitor had clicked No to refuse consent!
While I didn't go into this level of detail in the table, HR and PR/marketing departments' pages, in particular, seemed to be the main sub-sites that set cookies without messages or consenting button clicks, particularly through including social media sharing buttons.
We don't yet know what view the ICO will take of these various mechanisms and their effectiveness (or not), but I await with great interest reports on the responses to the ICO's letters to various organisations on their cookie law compliance (see the list of organisations and link to letter).