Privacy and Cookies
Today I want to introduce some changes we are making on ´óÏó´«Ã½ Online so that it is easier for you to manage the cookies we use. This is in response to changes in the regulations about cookies which my colleague Kate Leece last blogged about in May 2011.
She explained how the regulations were changing and the steps we were taking to meet the new rules. The UK implementation of the new regime is led by the Information Commissioner’s Office (ICO) and .
The principle behind the changes is that users of websites should be given more information about the cookies set on their computers or other devices by those websites, and the means to set their own preferences.
At the same time, both regulators and publishers are keen to find a way to do this that is not intrusive and does not unduly disrupt a user’s normal experience of a site. We have made a number of changes to the ´óÏó´«Ã½ website to ensure that we give users more control over the types of cookies they accept.
Our cookies pages have been rewritten and given a separate link from the bottom of every page.
We have built a newÌýfeature which allows you to turn off any of the three classes of cookies on the ´óÏó´«Ã½â€™s website, which are not in the category of "Strictly Necessary Cookies", as explained in the section on different types of cookies below, if you wish to do so. This functionality will be on the international website bbc.com soon.Ìýis also available on the international website, bbc.com.Ìý
The new feature enables users to turn off cookies that are not strictly necessary
The pages also explain how users can .
From today users of ´óÏó´«Ã½ Online will be presented with a banner telling them about the use of cookies and how they can change their settings at any time, on first use of their chosen browser (e.g. Internet Explorer, FireFox etc).
At the present time it is not technically possible for us to allow you to carry your settings with you between your browsers and devices so you will need to change these settings from each browser you use.
Ìý
Users will be offered three options:
- to find out more about cookies
- to change their settings
- or to continue their journey, either by clicking on Continue or by clicking elsewhere on the page
Users who subsequently decide to change their settings can do so at any time by clicking on the link to Cookies in the footer of every page.
TheÌý ICO’s guidance defines four different types of cookie:
Strictly Necessary Cookies, few in number, are those which are essential to enable you to move around the website and use its essential features. Without them a user’s normal expectations cannot be met. One example is the cookie that allows you to automatically sign in to the ´óÏó´«Ã½ website for a service which you have previously registered for.
The second category is Functionality Cookies. These cookies allow the website to remember a user’s preferences in terms of look and feel, language or location. One example is to enable you to set your preferred location to receive your local news and weather forecast.
Performance Cookies collect information, usually anonymised, about the areas of the site visited by a user, frequency of visits and any errors experienced, inter alia. This information helps publishers to improve their services by helping them to understand user behaviour and experience in the mass.
Finally, Advertising Cookies gather information which helps to ensure that the advertisements served to a user are relevant. In the ´óÏó´«Ã½â€™s case these only apply to users who access our services from outside the UK via the ´óÏó´«Ã½â€™s international site, bbc.com, which is advertising funded. This data is also anonymised. There is more on thisÌýon our cookies pages.
Ian Hunter is Managing Editor, ´óÏó´«Ã½ Online
Other useful links:
Correction (cookie management on bbc.com) 11:38 Fri 25 May
Comment number 1.
At 24th May 2012, Gareth Adams wrote:It's an interesting approach and mostly makes sense. However it seems that the latest guidance (taking the April document from the ICC[1] as 'latest') indicates unambiguously that users must *opt-in* to the category 4 (advertising/tracking) cookies
"What is absolutely clear is that whatever mechanism is used, the user should be given a clear, informed choice."
I'm clearly not a lawyer, but a banner which disappears after first use and is tricky to find subsequently doesn't seem to me to offer a clear and informed choice.
Now this is all a bit of a moot point because ICO have said they aren't likely to fine anyone for non-compliance even if anyone does complain (which in itself is unlikely, because nobody who actually understands cookies really has a problem with how they're being used). But it seems strange that the ´óÏó´«Ã½ have gone to the trouble of implementing this far without addressing the opt-in issues which form the heart of the new cookie laws.
[1] - Part 4, Category 4
Complain about this comment (Comment number 1)
Comment number 2.
At 24th May 2012, Russ wrote:It is a principle of the PECR that a user's consent to cookies is an 'informed opt-in' process, i.e. that cookies are not set before consent is given, and that the user is given information on what those cookies do before consent is given.
Why have you chosen to break the law?
Russ
Complain about this comment (Comment number 2)
Comment number 3.
At 24th May 2012, _Ewan_ wrote:Of the so-called 'strictly necessary' cookies, only one (IDENTITY_SESSION) actually is; the others should clearly be in the optional category.
Complain about this comment (Comment number 3)
Comment number 4.
At 24th May 2012, DBOne wrote:If you select 'find out more' then it assumed you accept the cookies - surely the cookies information pages should be accessible without using a cookie to allow informed consent?
Complain about this comment (Comment number 4)
Comment number 5.
At 25th May 2012, cherub007 wrote:I didn't even see the banner and had no idea the ´óÏó´«Ã½ had taken any action about cookies until I found this blog on Twitter. While I do think this is silly legislation that serves no real purpose, I don't think the ´óÏó´«Ã½ solution comes even close to abiding by the principle that users must now give 'informed' consent to cookies.
Complain about this comment (Comment number 5)
Comment number 6.
At 25th May 2012, Ian Hunter wrote:Thanks for these comments. Our approach seems to us, and of course we have taken legal advice, to meet the terms of the new regulations in a sensible way. There is more debate here: /news/technology-18194235 Do note today's (25 May) updated guidance from the ICO to the effect that "implied consent is certainly a valid form of consent but those who seek to rely on it should not see it as an easy way out or use the term as a euphemism for "doing nothing"". More on this here
Complain about this comment (Comment number 6)
Comment number 7.
At 25th May 2012, lucas42 wrote:I think this is the wrong approach to cookies. Control of which cookies are allowed should be done in the browser in a consistent manner. This inconsistent site-by-site approach is a recipe for disaster.
If I open up a program which is configured in such a way that making a HTTP request to a URL results in the copying of the contents of the Set-Cookie header onto my hard-drive, then that is me giving consent. I don't want to have a pop-up on every site I visit explaining what a cookie is.
The ´óÏó´«Ã½ should be at the forefront of pointing out how ludicrous these regulations are.
Complain about this comment (Comment number 7)
Comment number 8.
At 25th May 2012, Russ wrote:Leaving aside for one moment the clear breach on several counts of the actual law (please note I am not trying to defend the law, and my personal views on it are immaterial here), how did the ´óÏó´«Ã½, who rolled out this opt-out implementation on 24 May, and which would have been illegal by any reading of ICO's version 2 guidance, know ICO was going to do a u-turn on implied consent in its version 3 guidance, only issued on 25 May?
Russ
Complain about this comment (Comment number 8)
Comment number 9.
At 27th May 2012, _Ewan_ wrote:The problem (I think) isn't the notice handling, it's the mischaracterisation of the cookies as 'Strictly necessary' - for example:
"Unique identifiers set for each unique browser to allow log analysis to determine the number of unique users for various parts of bbc.co.uk."
Now, I see completely why you'd find that useful information to have, but it's flat out untrue to say that your ability to get good log analysis is strictly necessary to a user's browsing of the site. 'Strictly necessary' means that a cookie is required for something the user wants to do to actually work, rather than break completely. It does not mean something the user can do without, but the website owner really, really wants.
Complain about this comment (Comment number 9)
Comment number 10.
At 29th May 2012, Craig Smith wrote:Ian, while I appreciate the desire to present flexiblity and options to readers regarding cookies, I think that this approach is unnecessarily complicated. The basics of would suggest keeping things as simple as possible. Having readers, many of whom are barely aware of what cookies are, select an option takes away from the user experience.
"Implied consent" I believe would go a long way in this instance - ´óÏó´«Ã½ should use it!
Complain about this comment (Comment number 10)
Comment number 11.
At 31st May 2012, Ian Hunter wrote:Thanks for these additional points. I'd like to make three in response. First, we believe that our approach would have been compliant even before the ICO issued their revised guidance on 25 May. In that update the ICO say "implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices". That seems clear enough.
Second, to Ewan's comment, we have designated these cookies as "strictly necessary" because they are sometimes used in conjunction with other cookies to provide a service that has been explicitly requested by users. However, their use for log analysis would not be enough to make them "strictly necessary" and we'll amend the wording here to make that clear.
Finally, I agree that it is good to keep things as simple as possible and we hoped that the approach adopted achieved this. Users are not required to select an option; if they ignore the banner it goes away.
Complain about this comment (Comment number 11)
Comment number 12.
At 7th Jun 2012, Russ wrote:Rather than issuing a bunch of functionality cookies to a user's device(s), I feel the ´óÏó´«Ã½ should be building on and putting more emphasis on ´óÏó´«Ã½ iD (i.e. server-side) for remembering functionality settings.
Russ
Complain about this comment (Comment number 12)
Comment number 13.
At 8th Jun 2012, Russ wrote:I realise that Radioplayer is not under the unilateral control of the ´óÏó´«Ã½, but could you clarify, in the context of Radioplayer as being served from a bbc.co.uk server, what constitutes a 1st party cookie and what constitutes a 3rd party cookie. Could you further clarify which of these cookies or cookie sets are necessary for the functionalities of remembering stations, programme favourites, and remembering the 'last played programme'. (The cookie domains when listening to a ´óÏó´«Ã½ station would seem to be: bbc.co.uk; id.bbc.co.uk; cookie.radioplayer.co.uk; static.radioplayer.co.uk and radioplayer.co.uk.)
Could you also clarify when Radioplayer is going to have a PECR-compliant cookie consent control mechanism.
I am asking here because the only response I can get from Radioplayer is "Radioplayer is undergoing developmental changes." (and that response took over 2 months)
Russ
Complain about this comment (Comment number 13)