Thanks Mike.
Nothing is implemented by clicking: everything is pre-click: GA, Reinvigorate, Drupal's own cookies, and if you happen to interact with Vimeo, YouTube, AddThis or other third party widgets on our site those will also set their own cookies. Clicking "OK" in our bar is an acknowledgement that you have been informed that cookies are being set and that you have seen that you can find out more about turning cookies off etc. I've written an excessively long rationale for it on the cookie policy page, but it boils down to this:
- browser settings are perfectly legit, the problem ICO have with them is that people aren't well enough informed to make a choice. We give them plenty of information to help them make that choice
- to try to build our own opt-in instead of browser controls would give you a crippled experience and/or no guarantee that it would work, in part because the third party services we use would either have to be switched off all the time if you opted out, or they'd have to be vetted. Either way some could slip through the net by various means - web editors' mistakes, 3rd parties adding in new cookies without our knowledge etc.
- therefore browser settings are the ONLY way to be certain that no cookies are set that you don't want set
- if you don't want first- or (more likely) third-party cookies set on our site, then you won't want them set elsewhere, so it's better to use your browser controls there too. It's a matter of consistency
- OK, this means that cookies will be set the moment you arrive, but (a) they don't do the job of a cookie until you go onto a subsequent page, and (b) here's how you get rid of them
I think the last point is important. As I've said before, ICO don't believe there's anything inherently wrong with using browser controls, which implicitly means that a site can set cookies unless the browser prevents it. But they say that people aren't well enough informed to rely ONLY on browser controls. The only way to square that circle and rely only on browser controls (the only thing guaranteed to work on a complex site) but also make sure people are informed, is to set cookies when they arrive but inform them clearly ASAP. I think we've done that.
I've not added event tracking to the OK button although I could. Since opt-out is implemented through people changing their browser settings I would only really be able to detect if they'd done anything by looking at total visitor trends (which are too volatile to pick up what I think will be a very small number) or to look at pages per visit, which will drop if many people opt out part-way through their visit.
Incidentally we test if people already have cookies disabled before showing the bar. Now I've wrapped the thing in a single script we will drop on our various other websites. It's much simpler than things like the Cookie Control script from Civic UK, which we were on the verge of using. We decided against because (a) it couldn't be configured to look nice (b) it was clashing on other sites (c) with our philosophy we didn't need to switch cookies on in response to acceptance, we only needed to notify people that cookies were already set (see also the Pearson site for a good example). However I do cheekily link to the Civic page about browser controls, muchas gracias to them for that. I've not done anything fancy like test which country people are coming from, although that could be added, but hey, I'm happy for people to use their browser controls wherever they live. If anyone wants to take the same approach as us and use our script (you can write your own CSS and HTML) lemme know.
It's just occurred to me that we should now probably think of ourselves as a third-party cookie setter too. Last week we started to offer people HTML to embed our film and sound archive digital assets into their own sites. The page that they embed in an iFrame has GA on it (which lets us see which sites our films are embedded on). I guess puts us in the same boat as YouTube when people embed that on their sites.
Cheers, Jeremy
-----Original Message-----
From: Museums Computer Group [mailto:[log in to unmask]] On Behalf Of Mike Ellis
Sent: 25 May 2012 08:29
To: [log in to unmask]
Subject: Re: [MCG] BBC - Privacy & Cookies - Strictly necessary cookies
Hey Jeremy
Nicely implemented!
It looks from your code as if Reinvigorate and possibly GA (can't tell) are implemented pre-click - i.e. opt-out?
On the banner - it's presumably far too early days to call, but any hints as to whether people are clicking or not?
btw, Here's another angle from Wired - title is "stop whining and just get on with it"..which kinda sets the tone. But - interesting points about privacy nonetheless: http://bit.ly/KGy1MA
Jon - I think it's fine detail as to whether the beeb is opt-in or not, I think the important point from my (probably our) POV is that analytics are considered "strictly necessary", which I've been arguing for a long time - and I think sets an important precedent..?
cheers
Mike
_____________________________
Mike Ellis
We do nice web stuff: http://thirty8.co.uk (http://thirty8.co.uk/)
* My book: http://heritageweb.co.uk (http://heritageweb.co.uk/) *
On Friday, 25 May 2012 at 08:21, Jeremy Ottevanger wrote:
> As have we.
> Jeremy
>
> --- original message ---
> From: "Mike Ellis" <[log in to unmask] (mailto:[log in to unmask])>
> Subject: [MCG] BBC - Privacy & Cookies - Strictly necessary cookies
> Date: 25th May 2012
> Time: 6:52:01 am
>
>
> So the BBC sees analytics cookies as "strictly necessary":
>
> http://www.bbc.co.uk/privacy/cookies/bbc/strictly-necessary.html
>
> This sets a pretty heavy precedent IMO, not to mention the fact
> they've ignored opt-in.
>
> Hurrah.
>
> _________________
>
> ****************************************************************
> website: http://museumscomputergroup.org.uk/
> Twitter: http://www.twitter.com/ukmcg
> Facebook: http://www.facebook.com/museumscomputergroup
> [un]subscribe: http://museumscomputergroup.org.uk/email-list/
> ****************************************************************
>
>
> This message has been scanned by the IWM Webroot Service.
>
> This email and any attachments are confidential. It may contain privileged information and is intended for the named recipient(s) only. It must not be distributed without consent. If you are not one of the named recipients, please notify the sender and do not disclose or retain this email or any part of it.
> Unless expressly stated otherwise, opinions in this email are those of the individual sender and not those of the Imperial War Museum.
> This email has been scanned by the Webroot security service. We believe but do not warrant that this email and any attachments are virus free: you must therefore take full responsibility for virus checking.
>
>
****************************************************************
website: http://museumscomputergroup.org.uk/
Twitter: http://www.twitter.com/ukmcg
Facebook: http://www.facebook.com/museumscomputergroup
[un]subscribe: http://museumscomputergroup.org.uk/email-list/
****************************************************************
****************************************************************
website: http://museumscomputergroup.org.uk/
Twitter: http://www.twitter.com/ukmcg
Facebook: http://www.facebook.com/museumscomputergroup
[un]subscribe: http://museumscomputergroup.org.uk/email-list/
****************************************************************
|