³ÉÈË¿ìÊÖ

« Previous | Main | Next »

Privacy and Cookies

Post categories: ,Ìý

Ian Hunter | 16:24 UK time, Thursday, 24 May 2012

Today I want to introduce some changes we are making on ³ÉÈË¿ìÊÖ Online so that it is easier for you to manage the cookies we use. This is in response to changes in the regulations about cookies which my colleague Kate Leece last blogged about in May 2011.

She explained how the regulations were changing and the steps we were taking to meet the new rules. The UK implementation of the new regime is led by the Information Commissioner’s Office (ICO) and .

The principle behind the changes is that users of websites should be given more information about the cookies set on their computers or other devices by those websites, and the means to set their own preferences.

At the same time, both regulators and publishers are keen to find a way to do this that is not intrusive and does not unduly disrupt a user’s normal experience of a site. We have made a number of changes to the ³ÉÈË¿ìÊÖ website to ensure that we give users more control over the types of cookies they accept.

Our cookies pages have been rewritten and given a separate link from the bottom of every page.

We have built a newÌýfeature which allows you to turn off any of the three classes of cookies on the ³ÉÈË¿ìÊÖ’s website, which are not in the category of "Strictly Necessary Cookies", as explained in the section on different types of cookies below, if you wish to do so. This functionality will be on the international website bbc.com soon.Ìýis also available on the international website, bbc.com.Ìý

The new feature enables users to turn off cookies that are not strictly necessary

The pages also explain how users can .

From today users of ³ÉÈË¿ìÊÖ Online will be presented with a banner telling them about the use of cookies and how they can change their settings at any time, on first use of their chosen browser (e.g. Internet Explorer, FireFox etc).

At the present time it is not technically possible for us to allow you to carry your settings with you between your browsers and devices so you will need to change these settings from each browser you use.

Ìý

Users will be offered three options:

  • to find out more about cookies
  • to change their settings
  • or to continue their journey, either by clicking on Continue or by clicking elsewhere on the page

Users who subsequently decide to change their settings can do so at any time by clicking on the link to Cookies in the footer of every page.

TheÌý ICO’s guidance defines four different types of cookie:

Strictly Necessary Cookies, few in number, are those which are essential to enable you to move around the website and use its essential features. Without them a user’s normal expectations cannot be met. One example is the cookie that allows you to automatically sign in to the ³ÉÈË¿ìÊÖ website for a service which you have previously registered for.

The second category is Functionality Cookies. These cookies allow the website to remember a user’s preferences in terms of look and feel, language or location. One example is to enable you to set your preferred location to receive your local news and weather forecast.

Performance Cookies collect information, usually anonymised, about the areas of the site visited by a user, frequency of visits and any errors experienced, inter alia. This information helps publishers to improve their services by helping them to understand user behaviour and experience in the mass.

Finally, Advertising Cookies gather information which helps to ensure that the advertisements served to a user are relevant. In the ³ÉÈË¿ìÊÖ’s case these only apply to users who access our services from outside the UK via the ³ÉÈË¿ìÊÖ’s international site, bbc.com, which is advertising funded. This data is also anonymised. There is more on thisÌýon our cookies pages.

Ian Hunter is Managing Editor, ³ÉÈË¿ìÊÖ Online

Other useful links:

Correction (cookie management on bbc.com) 11:38 Fri 25 May

Comments

  • Comment number 1.

    It's an interesting approach and mostly makes sense. However it seems that the latest guidance (taking the April document from the ICC[1] as 'latest') indicates unambiguously that users must *opt-in* to the category 4 (advertising/tracking) cookies

    "What is absolutely clear is that whatever mechanism is used, the user should be given a clear, informed choice."

    I'm clearly not a lawyer, but a banner which disappears after first use and is tricky to find subsequently doesn't seem to me to offer a clear and informed choice.

    Now this is all a bit of a moot point because ICO have said they aren't likely to fine anyone for non-compliance even if anyone does complain (which in itself is unlikely, because nobody who actually understands cookies really has a problem with how they're being used). But it seems strange that the ³ÉÈË¿ìÊÖ have gone to the trouble of implementing this far without addressing the opt-in issues which form the heart of the new cookie laws.

    [1] - Part 4, Category 4

  • Comment number 2.

    It is a principle of the PECR that a user's consent to cookies is an 'informed opt-in' process, i.e. that cookies are not set before consent is given, and that the user is given information on what those cookies do before consent is given.

    Why have you chosen to break the law?

    Russ

  • Comment number 3.

    Of the so-called 'strictly necessary' cookies, only one (IDENTITY_SESSION) actually is; the others should clearly be in the optional category.

  • Comment number 4.

    If you select 'find out more' then it assumed you accept the cookies - surely the cookies information pages should be accessible without using a cookie to allow informed consent?

  • Comment number 5.

    I didn't even see the banner and had no idea the ³ÉÈË¿ìÊÖ had taken any action about cookies until I found this blog on Twitter. While I do think this is silly legislation that serves no real purpose, I don't think the ³ÉÈË¿ìÊÖ solution comes even close to abiding by the principle that users must now give 'informed' consent to cookies.

  • Comment number 6.

    Thanks for these comments. Our approach seems to us, and of course we have taken legal advice, to meet the terms of the new regulations in a sensible way. There is more debate here: /news/technology-18194235 Do note today's (25 May) updated guidance from the ICO to the effect that "implied consent is certainly a valid form of consent but those who seek to rely on it should not see it as an easy way out or use the term as a euphemism for "doing nothing"". More on this here

  • Comment number 7.

    I think this is the wrong approach to cookies. Control of which cookies are allowed should be done in the browser in a consistent manner. This inconsistent site-by-site approach is a recipe for disaster.

    If I open up a program which is configured in such a way that making a HTTP request to a URL results in the copying of the contents of the Set-Cookie header onto my hard-drive, then that is me giving consent. I don't want to have a pop-up on every site I visit explaining what a cookie is.

    The ³ÉÈË¿ìÊÖ should be at the forefront of pointing out how ludicrous these regulations are.

  • Comment number 8.

    Leaving aside for one moment the clear breach on several counts of the actual law (please note I am not trying to defend the law, and my personal views on it are immaterial here), how did the ³ÉÈË¿ìÊÖ, who rolled out this opt-out implementation on 24 May, and which would have been illegal by any reading of ICO's version 2 guidance, know ICO was going to do a u-turn on implied consent in its version 3 guidance, only issued on 25 May?

    Russ

  • Comment number 9.

    The problem (I think) isn't the notice handling, it's the mischaracterisation of the cookies as 'Strictly necessary' - for example:

    "Unique identifiers set for each unique browser to allow log analysis to determine the number of unique users for various parts of bbc.co.uk."

    Now, I see completely why you'd find that useful information to have, but it's flat out untrue to say that your ability to get good log analysis is strictly necessary to a user's browsing of the site. 'Strictly necessary' means that a cookie is required for something the user wants to do to actually work, rather than break completely. It does not mean something the user can do without, but the website owner really, really wants.

  • Comment number 10.

    Ian, while I appreciate the desire to present flexiblity and options to readers regarding cookies, I think that this approach is unnecessarily complicated. The basics of would suggest keeping things as simple as possible. Having readers, many of whom are barely aware of what cookies are, select an option takes away from the user experience.

    "Implied consent" I believe would go a long way in this instance - ³ÉÈË¿ìÊÖ should use it!

  • Comment number 11.

    Thanks for these additional points. I'd like to make three in response. First, we believe that our approach would have been compliant even before the ICO issued their revised guidance on 25 May. In that update the ICO say "implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices". That seems clear enough.

    Second, to Ewan's comment, we have designated these cookies as "strictly necessary" because they are sometimes used in conjunction with other cookies to provide a service that has been explicitly requested by users. However, their use for log analysis would not be enough to make them "strictly necessary" and we'll amend the wording here to make that clear.

    Finally, I agree that it is good to keep things as simple as possible and we hoped that the approach adopted achieved this. Users are not required to select an option; if they ignore the banner it goes away.

  • Comment number 12.

    Rather than issuing a bunch of functionality cookies to a user's device(s), I feel the ³ÉÈË¿ìÊÖ should be building on and putting more emphasis on ³ÉÈË¿ìÊÖ iD (i.e. server-side) for remembering functionality settings.

    Russ

  • Comment number 13.

    I realise that Radioplayer is not under the unilateral control of the ³ÉÈË¿ìÊÖ, but could you clarify, in the context of Radioplayer as being served from a bbc.co.uk server, what constitutes a 1st party cookie and what constitutes a 3rd party cookie. Could you further clarify which of these cookies or cookie sets are necessary for the functionalities of remembering stations, programme favourites, and remembering the 'last played programme'. (The cookie domains when listening to a ³ÉÈË¿ìÊÖ station would seem to be: bbc.co.uk; id.bbc.co.uk; cookie.radioplayer.co.uk; static.radioplayer.co.uk and radioplayer.co.uk.)

    Could you also clarify when Radioplayer is going to have a PECR-compliant cookie consent control mechanism.

    I am asking here because the only response I can get from Radioplayer is "Radioplayer is undergoing developmental changes." (and that response took over 2 months)

    Russ

Ìý

More from this blog...

³ÉÈË¿ìÊÖ iD

³ÉÈË¿ìÊÖ navigation

³ÉÈË¿ìÊÖ Â© 2014 The ³ÉÈË¿ìÊÖ is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.