A year ago today I wrote a post entitled How Should UK Universities Respond to EU Cookie Legislation? The post was published a few hours before the cookie legislation was originally intended to come into force, but as I said in the post:

The good news is that the ICO has recognised the complexities in implementing this legislation. As described on the BBC Web site:

UK websites are being given one year to comply with EU cookie laws, the Information Commissioner’s Office has said.

The UK government also sought to reassure the industry that there would be “no overnight changes”.

A year later the legislation has now come into force – and, as reported in the Guardian a few hours ago, “Cookies law changed at 11th hour to introduce ‘implied consent’”. The article went on to describe how:

In an updated version of its advice for websites on how to use cookies – small text files that are stored on the user’s computer and can identify them – the Information Commissioner’s Office (ICO) has said that websites can assume that users have consented to their use of them.

The advice was only updated on Thursday, 48 hours before the deadline for implementing the new rules, and published the next day.

I have to say that I am pleased with this news. In an article entitled The new cookie laws: how aware are you? published in the JISC Inform newsletter I suggested that the priorities for institutions should be to audit their use of cookies, analyse how the cookies are being used, provide clear and prominent information about the use of cookies and “devise an appropriate mechanism for obtaining informed consent from your web site users”. In April a post on How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation? surveyed the approaches which had been taken by 30 universities – and the majority seemed to have taken the approach of documenting their use of cookies and explaining the purposes of the cookies.

In some quarters it was suggested that since the legislation required users to opt-in to use of cookies, web sites would need to provide a form at the top of every page requiring users to manually verify that they were willing to accept cookies. However as I highlighted in a post on The Half Term Report on Cookie Compliance, “on 13 December the ICO announced a new set of Guidelines on the Rules on use of Cookies and Similar Technologies (available in PDF format) in a blog post entitled Half term report on cookies compliance. And it seems that they have taken a pragmatic approach which describes realistic and implementable solutions for Web site managers.”

Some time ago I came across a discussion about the cookie legislation which suggested that Francis Maude, Minister for the Cabinet Office, would be looking for a ‘business-friendly’ solution to privacy concerns. I will not be alone in thinking that when a Conservative Minister talks about ‘business-friendly solutions’ this means large pay rises for senior managers along with loss of pension rights and job security for workers. However in this case, although the solution is friendly for those working in the commercial sector, it is also a desirable solution for those of us who work in the education and other public sector services. The ones who will lose out are probably those who paid attention to the scare-mongers and have implemented clunky opt-out interfaces on their web sites or have withdrawn services, such as Google Analytics, which provided useful information which can help improve the quality of the service to the user community.

Of course, the legitimate privacy concerns which led to the EU directive have not been solved. But the EU directive was a flawed approach to addressing both the complexities of online privacy and the technical challenges in implementing solutions. However standards-based solutions are currently being developed, in particular the Do Not Track standard. As described on the DoNotTrack.us Web site:

Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms.

As described in Wikipedia:

The do not track header is a proposed HTTP header field that would request a web application to disable their tracking of a user. The “Do Not Track” header was originally proposed in 2009 by researchers Christopher Soghoian, Sid Stamm, and Dan Kaminsky. It is currently being standardized by the W3C.

In December 2010, Microsoft announced support for the DNT mechanism in its Internet Explorer 9 web browser. Mozilla’s Firefox, Apple’s Safari and Opera all later added support. It is not currently supported by Google Chrome, but will be incorporated by the end of 2012.

This will provide a standards-based way for users to manage their online privacy. Support for this proposed standard was announced recently by Twitter; as reported in the Guardian:

Twitter announced that it will officially support “Do Not Track,” a standardised privacy initiative that has been heavily promoted by the US Federal Trade Commission, online privacy advocates and Mozilla, the non-profit developer of the Firefox web browser.

The question now will be whether institutions feel this is an approach which should be deployed and, if so, how it will be implemented. Institutional responses to online privacy issues aren’t over just because a privacy policy has been published on the institution’s web site!
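One way a web server could honour the header, shown as an added example that is not from the original post or from any project it mentions: the names `ANALYTICS_SNIPPET`, `dntPreference` and `renderPage` and the `/js/analytics.js` path are hypothetical. It assumes a site that runs analytics unless the user has opted out, reads `DNT: 1` as an opt-out and `DNT: 0` as permission, and treats a missing or malformed value as no stated preference.

```javascript
// Added example: server-side handling of the DNT request header.
// Hypothetical placeholder for whatever analytics tag the site embeds.
const ANALYTICS_SNIPPET = '<script src="/js/analytics.js"></script>';

// Map the request headers to a preference:
//   'opt-out' for DNT: 1, 'allow' for DNT: 0, 'unset' otherwise.
// Header names are matched case-insensitively, as HTTP requires.
function dntPreference(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'dnt') continue;
    const v = String(value).trim();
    if (v === '1') return 'opt-out';
    if (v === '0') return 'allow';
    return 'unset'; // malformed value: treated as no stated preference
  }
  return 'unset';
}

// Build a response that omits the analytics tag for users who opted out.
// 'Vary: DNT' stops a shared cache from handing the tracked variant of
// the page to a visitor who sent DNT: 1.
function renderPage(headers, bodyHtml) {
  const tracked = dntPreference(headers) !== 'opt-out';
  return {
    tracked,
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'Vary': 'DNT' },
    body: `<html><body>${bodyHtml}${tracked ? ANALYTICS_SNIPPET : ''}</body></html>`,
  };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { DNT: '1' },          // user opted out
  { dnt: '0' },          // user explicitly allows tracking
  { 'User-Agent': 'x' }, // no preference sent
  { DNT: 'yes' },        // malformed value
];
for (const h of samples) {
  const res = renderPage(h, '<h1>Prospectus</h1>');
  console.log(JSON.stringify(h), '->', dntPreference(h), 'tracked:', res.tracked);
}
```

The same decision has to be applied to any third-party widgets the page embeds, since those set their own cookies independently of the site's analytics tag.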

Finally in case people feel that they should be following the letter of the law, I suggest you take a look at the privacy policy for Francis Maude’s web site which states:

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.

and goes on to add:

If you’d like to learn how to remove cookies set on your device, visit: http://www.aboutcookies.org/Default.aspx?page=1

The video clip on “How government websites use cookies” provided by Direct.gov and hosted on YouTube also makes it clear that the Government’s view is that cookies provide value to the online environment. I agree with this, and hope that the Government will be proactive in adopting the Do Not Track standard to address the still unresolved issue of online privacy. I’ll conclude with a sentence I didn’t expect to write: “congratulations to Francis Maude on the approaches taken by the Government in responding to the flaws in the EU Directive”!