The IWMW 2012 event took place on 18-20 June.  One of the most popular of the parallel sessions sought to explore ways in which institutions should be Responding to the Cookie Monster. As described in the abstract:

Are our desires to develop user-focussed and personalised Web services in tatters in light of UK legislations which requires providers of Web services to ensure that users have opted in to use of cookies? After all the evidence from the experiences of the ICO (Information Commissioner’s Office) web site seems to suggest that users won’t opt-in and without web analytics and storing user preferences in would appear impossible to develop such services?

This interactive workshop session will explore the background to the legislation and the guidance issued in December 2011 by the Information Commissioner’s Office.

The session will address some of the key points from the guidance document, including the need for auditing cookie usage and ensuring users are informed in a clear and understandable fashion of why cookies are being used.

This session will provide an opportunity for participants to describe approaches being taken locally and explore best practices which may be used within the sector.

This was popular not only in terms of the large numbers of people who booked for the session but also going the evaluation received for the session, with the session receiving an average score of 4.09 on a scale of  1 = poor to 5 =excellent.  The comments made on the session included:

  • Being relatively new to the sector, this is the point at which it dawned on me that there’s a huge support network for HEIs. I’d heard of JISC and UKOLN before but didn’t appreciate that when it comes to sector-wide issues – cookie law being a case in point – there’s a heap of work being done by some very knowledgable people which negates the need for us to reinvent the wheel in isolation.”
  • Made me all warm and tingly…
  • Claire is an inspiration for women working within a male dominated industry and I will certainly be watching that space to keep up with the Cookie Monster developments.
  • Very interesting hearing from JISC Legal and from other institutions about their approach.

The session was facilitated by Claire Gibbons, Senior Web and Marketing Manager at the University of Bradford and John Kelly, Principal Legal Information Specialist with JISC Legal. Prior to the IWMW 2012 event I had worked with Claire and John in order to help develop and share best practices for responding to the ‘cookie’ legislation.  This work included writing posts on this blog on:

together with an article published in JISC Inform in Spring 2012 which asked The new cookie laws: how aware are you?

The work included analysis of the emerging cookie policies and approaches which were being taken initially across the 20 Russell Group universities, which was subsequently extended to other institutions who were willing to update a Google Spreadsheet with links to their cookie policies.

The blog posts which were published between December 2011 and May 2012 sought to make others aware of the advice and guidelines being developed by the ICO and suggest how the guidelines could be interpretted by those working in the higher education sector.  It was suggested that providing a clear policy on how cookies are being used could be an appropriate response to the legislation, and that institutions may not be required to deploy an opt-in widget across pages on institutional web sites.  A few days before the legislation was implemented the government confirmed that such implied consent would be acceptable.

Looking at the cookie policies for the institutions for which links to their policy pages had been provided it seems that all 29 institutions appeared to have taken this implied consent approach. If you view the following pages you should not be presented with a ‘cookie alert’ widget which, it seems, causes annoyance to users who encounter them:

AberdeenAbertayAberystwythBathBirminghamBirkbeckBradfordBristolCambridgeCardiffCranfieldEdge Hill – EdinburghGlasgowKing’s College LondonLeedsLiverpoolLSEManchesterNottinghamOxfordSheffield – Sheffield HallamStaffordshoreUCLAN  – UCLUWE – WarwickYork

What, then, have we learnt 28 days after the session on Responding to the Cookie Monster took place? I would suggest the following points should be considered, even if they may appear to be counter-intuitive:

  • It can be risky to implement policies based on a worst case interpretation of legislation.
  • Implementing expensive technical widgets which turn out to be inappropriate may lead to risks that the tabloid press issue FOI requests for the costs of implementing such solutions.
  • It can be advisable to follow approaches taken by one’s peers, rather than developing an implementation plan in isolation.

Might, then, the cookie monster have turned out to be benign, but, just as with the Y2K bug, the costs in developing a solution turning out to be the true monster! Wikipedia suggests that the ” total cost of the work done in preparation for Y2K is estimated at over US$300 billion” – although there is a dissenting view. In comparison a Wired article published in April 2012 suggested that Compliance with EU cookie law could cost the UK £10 billion.

I’ll conclude by making a point I’ve made previously: there are legitimate needs to address online privacy concerns. However the cookie legislation was a fundamentally flawed approach at addressing such concerns: in many respects cookies provide benefits to end users and the cases which users object to (searches for content being reused in adverts hosted on other web sites which share advertising services)  tend, in any case, not to be used across institutional web sites.

It would appear that the Do Not Track standard will provide an appropriate technology for legislations to adopt. Institutions should ensure that they gain an understanding of the standard and how it can be used, in particular, develop a browser upgrade plan to ensure that browsers managed within the institution support this standard. The comment described above is worth repeating: “there’s a heap of work being done by some very knowledgable people which negates the need for us to reinvent the wheel in isolation” – so let’s ensure that even more institutions follow the approaches taken by those listed above and have a common approach to addressing legal drivers for the provision of online technologies.

I’ll conclude by providing a link to a YouTube video entitled “The Cookie Law – 28 Days Later” which  gives a similar view of the flaws of the cookie legislation: