https://gds.blog.gov.uk/2012/01/12/cookies-on-the-beta/

Cookies on the beta

The use of cookies on websites has become an increasingly hot topic over the past few months. A new EU law – specifically The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) – requires that websites ask for consent before setting cookies that aren’t “strictly necessary” for the operation of the website. We’ve put together this post to give you an overview of how we are approaching this law on the beta for the Single Domain.

If you’ve never come across the term cookies before, they are small text files that websites save to your computer that allows them to store and use information during your visit. Some cookies are used to store settings so that the website can remember them between loading pages (e.g. to remember items that you’ve put in your shopping basket), others are used to identify your device to the website so it can analyse how you use the site. Many cookies are harmless but some cookies are used to track you across multiple websites and target you with relevant advertising. You can find out more about cookies at http://allaboutcookies.org.

The beta of the Single Domain will be making strong efforts to ensure that visitors are fully informed of its use of cookies and give consent where appropriate. We will also provide those that use the site with clear information on where, why and how the site uses cookies. One of the ways in which we do that will be to build and improve on the information provided by the alpha and other websites.

At present there are four ways in which cookies are used across the beta:

1) Storing location information
Like the alpha, some parts of the beta will provide you with location specific information (finding your local register office for example). In these cases, this location information will be saved in a cookie so you don’t have to keep entering it every time. Before we set the cookie, we will make it clear that a cookie will be set and ask for your consent.  The location cookie won’t contain any personally identifiable information.

2) Storing usability settings
Cookies will be used to store any of the usability/customisation settings that are selected so they can be maintained across the site. We will make it clear that a cookie will be set if you use these settings.

3) Specific functionality enhancements
In some parts of the beta we may offer cookie or HTML5 local storage based enhancements to the functionality. Before we use these however, we will make it clear that these require the storage of information and ask for your consent.

4) Measuring the usage of the website
Collecting analytics and information about usage is vital to running any website. It’s a key way to make sure the product is meeting its users’ needs and understanding how it could do that better. For the beta, we will be using Google Analytics to collect usage data and will make it clear to users that we are doing so.

Cookies are an essential part of ensuring any modern website can deliver what its users need. In particular, the use of analytics is essential to our approach on the beta, making sure everything we do is driven by user needs and informed by user behaviour.

There has been a lot of discussion across public and private sector websites about how best to implement the PECR and deal with the challenges it poses to their current operation. As a government website we take very seriously our obligation to make sure that our users are well informed about how we’re using the technologies at our disposal and that has driven our thinking in developing this approach. We’d welcome your views on whether we’ve got it right and what, if anything, you’d like to see us do differently in the future?


Dafydd Vaughan is a developer at GDS. You can follow @dafyddbach on Twitter and read his personal blog.

29 comments

  1. Mark Steven

    I guess you’ll be implementing a consent solution at some point, as there’s currently nothing on Alpha that obtains consent before Google drops its Analytics cookies.

    Your approach seems sound – but you’ve not really tackled the thorny issue of what to do about analytics when it’s an opt-in solution for the user.

    Clearly, if only 10% of users opt in (as happened to the ICO), your analytics data will fall off a cliff. Google has yet to offer a server-side solution but I’d suggest that this is what most websites will need if you’re serious about analytics.

    Incidentally, we’ve launched a consent solution here, which is due to be deployed by many Government clients, and you may want to consider it: http://www.civicuk.com/cookie-law

    Reply
  2. Paul Evans (@Paul0Evans1)

    Dafydd,

    Thanks for a really useful posting. I think that government websites approach will be particularly useful to know about as it will provide a benchmark for the rest of us. At the moment there’s a crude rumour going around that ‘the new EU rules mean you can’t use Google Analytics any more’ and your approach to this.

    Are you planning to use this text as the first draft of the government websites privacy policies – and is it the case that – as long as you have a statement like this on the site – that using Google Analytics is permissible under the new EU laws?

    Reply
  3. Mike O'Neill

    What about 3rd party content receiving or even placing cookies? Facebook, twitter,linkedin buttons youtube videos etc. Publishers at least share some of the responsibility for these – how do you intend to deal with them?
    The Google Analytics __utma cookie is visitor unique and is technically a 1st party cookie in your domain. It is therefor available to your servers and to any “3rd party” script you insert. It is also obviously sent to Google. How can this comply with the law, either in the UK or elsewhere in Europe?
    The law was drafted to address 3rd party beacons and their capability to track citizens without their knowledge. It simply requires that citizens give their informed agreement. What can be the problem with this? This is an opportunity for Governement to lead the way here and in Europe.
    I can do a free comprehensive audit on your site if you want one, and we have a complete off-the-shelf solution for 1st party and 3rd party cookies etc.

    Reply
  4. Fats Brannigan

    There are a couple of websites that publish info on cookies. allaboutcookies.org is clearly flagged as being published by UK law firm Pinsent Masons. aboutcookies.org is published by some bloke who wants to make money from contextual advertising. Why do UK gov websites insist on linking to the latter?

    Reply
  5. Simon Cookson (@simonncookson)

    Thanks for the useful article on your overall approach to cookies. It will also be fascinating to see see how you tackle the question of consent. It’s relatively straight forward to provide information to visitors about what cookies you are using and why. But I am yet to see a solution to the consent question that I feel truly works for all parties – especially where Google Analytics are concerned.

    Reply
    • Mike O'Neill

      Take a look at http://cookieq.com. We have specific support for Google Analytics even when cookies are deleted ( which they are by default). We also have support fror 3rd party cookies and much more

      Reply
  6. Andrew Girdwood

    Hi, you wrote “Many cookies are harmless but some cookies are used to track you across multiple websites and target you with relevant advertising.”

    Is it not the case that relevant advertising is also harmless? In fact, advertising is essential for the existence of many websites. Given that “strictly necessary” cookies are allowed – doesn’t that mean those necessary for funding advertising cookies are also entirely permissible?

    Reply
    • Mike O'Neill

      This is not about all advertising just the behavioural advertising subset. If they feel it is harmless then people will give their consent. All that is required is that they are informed about it and given a choice.
      The creepy tracking of people without their knowledge is in danger of eroding citizen’s trust in on-line commerce. Industry needs to deal with this issue in an adult way, and Government can help by giving a lead.

      Reply
    • Mark Steven

      That’s “strictly necessary” from a user perspective, not that of a site owner.

      The grim rationale from a civil liberties point of view is that there is potential for misuse of that data at some point in a dystopian future. If you believe that Google, Facebook etc are entirely benign now that’s fine. But can you trust them for all time? Do you trust government (who ultimately can see what data they like) not to abuse your rights and freedoms?

      The liberties argument is that we should guard against putting mechanisms in place that could be used against us in the future.

      From a consumer fairness point of view, we don’t want information about our habits leaked to commercial interests who will either pester us with product offers or use the data to defraud us.

      Google might promise to play nice now, but rottenness has a way of coming about in unforeseen ways.

      Reply
  7. Darren Starr

    Dafydd,

    Thanks for your post.

    It is a time old issue that cookies while once were pretty harmless, now are used to track website visitors in an invasive way.

    Tracking people’s actions whilst on a site is fair enough, if you want to optimise your site for better usability, this information is very valuable, as is Google analytic it’s self.
    However, what become’s invasive is where you type something in a search on one website, and where ever you go in the internet with Google Ad choices displayed, begins showing you adverts relevant to that search.

    It appears that Google is particularly interested in tracking people’s movements through the internet, so much so, that they bought DoubleClick for $3.1 Billion, the ad agency famed in the online world for their tracking cookies practices.

    If we can find a happy medium that is non invasive that would be very useful.

    Thanks again,

    Darren

    Reply
  8. EUCookieBoy

    If only everyone out there in webland knew that their browser allowed them to block 3rd party cookies, and to block cookies from any domains they don’t trust.

    A few comments have asked about what mechanism Dafydd will be using to get prior consent for analytics cookies. It seems pretty clear to me from his article that he will be making it clear to users that the site will be using analytics cookies, rather than interrupting the user’s goal achievement by forcing him to stop at a traffic light and accept. He’s obviously taken the view that on the sliding scale of intrusiveness analytics cookies fall pretty low and that it’s not necessary to put in place an intrusive consent mechanism. Seems reasonable to me.

    Reply
  9. Dafydd Vaughan

    In answer to the questions about our use of analytics – we think that collecting information about how people use a website is absolutely essential to ensure it meets the needs of its users. For the beta, we will be using Google Analytics to do this and will be making it clear that the site does this.

    The aim of the amended PECRs is to reduce privacy intrusion without consent – we think that analytics cookies are fairly low down on the scale of intrusiveness. We’ve met with the ICO and DCMS and will continue to do so.

    For those asking about how we will ask consent – in most cases the cookie will be set by an action (e.g. clicking a button). We’ll be making it clear near the button that a cookie will be set by clicking it.

    Reply
    • Mark Steven

      We’re developing a modifier for the standard GA code which we’ll publish at http://www.civicuk.com/cookie-law/deployment, just as soon as it’s available.

      I was kind of hoping Google would do something themselves so we didn’t have to hack around with things to spoof Analytics. There’s still time I guess…

      Reply
    • Paul Quinn

      The easiest way to resolve problems with Google Analytics, cookies, opt ins and The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 is to stop using Google Analytics.
      There are other products such as our eVisit Analyst Select Version 8 which offers similar functionality to Google Analytics but without using cookies.
      Not only does this elegantly fix these problems but as we are a UK company that operates in the UK we are in the jurisdiction of the UK legal system.
      Our hosted systems are secure but for extra comfort our systems are available for location and operation within customer’s data centres.
      Our systems are not that expensive and in some cases are cheaper than implementing opt in solutions which as previously commented don’t work anyway. We are associated members of Audit Bureau of Circulation and our systems can be used for COI website audits.

      Reply
    • Shawn Pearson

      “In answer to the questions about our use of analytics – we think that collecting information about how people use a website is absolutely essential to ensure it meets the needs of its users.”

      I couldn’t agree more but that’s not how the ICO interpreted the use of cookies for analytics under the law. They classified they as not essential to a web service and therefore requiring explicit consent from users.

      “We’ve met with the ICO and DCMS and will continue to do so.”

      And how do they feel about you, as a Government web service, not explicitly getting consent to use Google analytics?

      Reply
  10. Cookies on the gov.uk beta | Dafydd Vaughan

    [...] cookies on the gov.uk beta website. An extract is below, and you can read the full entry on the Government Digital Service blog. The use of cookies on websites has become an increasingly hot topic over the past few months. A [...]

    Reply
  11. Mike O'Neill

    The Google Analytics (__utma) cookie is no more or less “intrusive” than any other piece of inert data. It is simply a number that is unique to a visitor’s browser.
    The reason this is a data protection issue is that the value encoded in cookies can be used to key into other personally identifying information about citizens.
    The __utma cookie is unique to each visitor/target website combination. It is persistant, with an expiry time of 2 years. It is 1st party so visible to the taget website and any script that runs in the browser in the domain of the target website. It is also ubiquitous, almost 95% of public facing websites use it.
    Evey time anyone visits one of these websites an Ajax call sends the value of the cookie to Google. They can therefore see every website that everybody in the world visits, every day. You may think this ability is fine because Google is not evil in any way, and you may be right, I cannot tell. But then nor can you.
    Because it is a 1st party cookie script in other 3rd party elements can read its value.
    Lets pretend and call one of these a “snoop” button.
    The “snoop” button does not have to ever place or receive a cookie. It complies completely with the law. It simply reads the value of the __utma cookie, which you know is very easy to do.
    Google may have clauses in its contract with the web publisher that attempts to stop this, but the “snoop” company was never party to them.
    It can then make its own Ajax call to send the value, or one derived from it, to the “snoop” website. They also get to see all the websites that people visit. They are are not legally responsible,
    This is such a simple technique that soon every social networking button, embedded video or analytics widget uses it. They can all track people without hindrance and have no fears of being taken to court by the DPA.
    If your website, which aims to ultimately be the main Government website, signals to the rest of Europe that analytics cookies are fine because they are not “intrusive” then the cookie directive, and all the time and effort invested in drafting and debating it, is pointless. Is this the idea?

    Reply
    • Mark Steven

      I’m with you Mike: Analytics is potentially one of the most invasive technologies around. There’s an awful lot of trust placed in Google. It’s just as well they seem to be reasonably nice. If maintaining the worlds largest advertising monopoly can be seen as “nice”, that is.

      Reply
  12. Peter Duncanson (@peteduncanson)

    I find this law riddled with holes. Its a nonsense which is highlighted beautifully by your article.

    GA which can track just about everything a user can do on a site is considered essential so has no opt out yet storing the fact that someone would like to have their location set as “Preston” for ease of use involve a warning message and an opt out. Makes no sense at all.

    I’m also not a fan of having to educate users on what cookies are simply so they can make an informed choice about weather to accept them or not. This might be ok if we’d done it from the start but to have to retro fit/teach it for feature that users no take totally for grated as just “working” seems very odd. Like one day insisting drivers learn the inner workings of a petrol engine before they can drive to the shops. Surely they don’t care, they just want to go to the shops as they have done for years in exactly the same car.

    No one is going to implement this until the 11th hour or they will put themselves at a disadvantage to their competitors. Similar to implementing Verified by Visa (another waste of space that does not fix the issue only push it to the users responsibility), its only the pending deadline of fines and increased costs that forced companies to implement it.

    This law does not fix anything only confuse matters. Legitimate cookie use is being hampered by an ill thought out way of preventing their dodgy use by some. Having government website have a go at trying to fix the unfixable is no help either. As web professionals could you not do more to feed back to the Government that it is a nonsense? The best outcome you will get here is to create a copy that other sites will simply cut and paste to appease the law, similar to all those privacy statements we all had to do (come on, we all know none of us ever actually wrote one of those…)

    I’m not normally this grumpy but this issue really gets my back up for its stupidity.

    Reply
  13. Paul Quinn

    The easiest way to resolve problems with Google Analytics, cookies, opt ins and The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 is to stop using Google Analytics.

    There are other products such as our eVisit Analyst Select Version 8 which offers similar functionality to Google Analytics but without using cookies.

    Not only does this elegantly fix these problems but as we are a UK company that operates in the UK we are in the jurisdiction of the UK legal system.

    Our hosted systems are secure but for extra comfort our systems are available for location and operation within customer’s data centres.

    Our systems are not that expensive and in some cases are cheaper than implementing opt in solutions which as previously commented don’t work anyway. We are associated members of Audit Bureau of Circulation and our systems can be used for COI website audits.

    Reply
    • Mike O'Neill

      An opt-in solution that does work, as can be seen at sites that use it already or by trying it on your own site, is http://cookieq.com. As well as managing 1st party cookies and cookies placed by 3rd party content (eg youtube videos) it also lets you carry on using Google Analytics without user interaction, ie. irrespective of whether they have opted in (to 1st party cookies).
      Contact me and I will tell you how it works.
      As for cookie opt-ins we keep track of them between visits and let visitors change their choice at any time, either by clicking a button or by visiting a central cookie management page We can also give “independent proof of consent”. If you dont like the buttons or the way the opt-in panel is rendered you can customise it or just supply your own.
      Also, because it does not require server changes it can be rolled out to cental and local government sites rapidly, at minimal cost and without expensive consultancy.

      Reply
  14. WordUp Glasgow 2012

    [...] Government Digital Service are also considering how to implement these regs, and have blogged on how the new single government domain will handle the problem. The best example in real life is South Ayrshire Council, and definitely not the [...]

    Reply
  15. Writing simply: language choices for the GOV.UK navigation | Government Digital Service

    [...] knows the subject deeply. The page on cookies, for instance, was written by Dafydd, who also wrote this blog post. All we did was add an intro for anyone who is interested in the topic but doesn’t want every [...]

    Reply
  16. Tony Gilbert

    I noticed in your cookies page on the beta you say “and we do not allow Google to use our analytics data”. How does that work? Are you just saying that you did not tick the box agreeing to share your analytics data? Or is there some way in which you are preventing Google from using this data?

    I ask because I think we all know that the main reason Google provides a free analytics tool is that it uses the analytics data collected through this tool for other research purposes and to target advertising to users.

    Am I missing something? Are you perhaps using GA Premium?

    Reply
  17. Really Useful Day | Government Digital Service

    [...] Questions from the floor included how we work across government departments to develop GOV.UK. I explained how, as a multi-disciplinary team, we have had editors and digital specialists from other departments embedded with us here. Fortunately for more technical questions I was ably supported by GDS developers Jordan Hatch and Dafydd Vaughan. They explained that we use the open source MaPit geocoding and information service from mySociety to handle location and place names on the beta. There was also an impromptu Q&A about cookie policy, ably handled by Dafydd who has written about it on this blog before. [...]

    Reply
  18. It’s not about cookies, it’s about privacy | Government Digital Service

    [...] Compliance with The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 which came into effect last year has presented UK website owners with a few challenges in moving to compliance. Those of us who work on public sector websites are no exception. We wrote about some of the ways we were working towards compliance here at GOV.UK, in a previous post. [...]

    Reply
  19. bicyclerevolution

    To say that Google Analytics is “strictly required” to provide the specific service the user requests, is laughable. It’s not even “important”. gov.uk is a very simple website (which is to be applauded) and has simply no need for GA cookies.

    Allowing Google a long term cookie, which monitors users’ every move in such detail across this and most other sites, is exactly the sort of Big Brother we are writing laws to prevent.

    Google know so much about us all through these methods. There are excellent open source alternatives, where you can protect the data from going to private companies in foreign jurisdictions, and provide opt-in.

    The ICO will be a laughing stock if it does not extract fines next month from gov.uk for sticking two fingers up at privacy like this.

    Reply

Leave a comment