bhonda - 10:14 am on Apr 18, 2012 (gmt 0)
Maybe I'm a little late to this game, but after reading through this thread, the transcript of the interview with ICO, and reading the guidance, I just don't get it.
I get what they are trying to do here, but practically, I don't see how this is going to work. There are quite a lot of websites in the UK that will be affected by this (intentional understatement). I'm concerned by one of the answers David Evans (from ICO) gave, when asked -
6. Surely the best way to implement this would be in the browser - i.e. requiring all browsers distributed in the UK to specifically ask the user if they wish to allow a particular site to set a cookie on their machine. Why has it been executed in this particular manner?
...I think the other important point there is in the way the question was phrased, sounded to me like somebody was suggesting it would be nice and easy if browsers simply asked you every time you went to sites, do you want cookies from this site. I could see that being fantastically irritating for users because I know how irritated I get when my browser tries to do things for me or tries to help me out, so maybe its not quite the silver bullet solution that the questioner thought it might be.
What I don't get, is how is this different to individual websites asking users whether they want to allow cookies? Surely that would be just as 'fantastically irritating for users', in fact, even more so because each website would do this in a completely different way.
My other main concern is one that has been mentioned before, is the apparent non-conformance by government sites, such as [direct.gov.uk....] Even today, when I access that site, I am not asked for confirmation of consent to allow cookies, but looking at what cookies are stored, they are not conforming to this law. Obviously, we are still a few weeks away from the 26th May 'deadline' where this law is supposed to be fully up and running, so maybe they've got an updated version just ready to go that meets all the new requirements, but if they do not get something out there by that deadline, surely that is a benchmark we could measure against? I'm not a lawyer, so I have no idea about the technicalities of law, but surely one cannot be held responsible if your site is acting in exactly the same way as a government site?
I just don't know whether I need to get some guys on this for our sites now, or whether we can just make sure our privacy statements are up to scratch, and leave it at that. I don't want to waste days and days of work, to do something that might adversely affect our user's experience of our site, if I don't have to.