Is the BBC Website Compliant?
The BBC website went live with their cookie law solution just ahead of last week’s deadline for compliance. They were also one of the organisations that earlier in the week we learnt the ICO had written to asking for an update on their progress.
The BBC has one of the most popular websites in the UK, and many people I have spoken to over the last few months have said something along the lines of: I’ll wait and see what the BBC does, then copy that.
So it only seems appropriate to consider the question: Is the BBC solution compliant?
It clearly is not an opt-in solution. However on first appearances, their approach appears to provide a good model for how implied consent should work.
They have a prominent notice on the site that they are using cookies. This makes it clear that though they assume if I continue to use the site I am happy about this, they give me a link to a page where I can take control and change the settings to stop cookies that they deem are not ‘strictly necessary’.
If I choose not to change my cookie settings and continue through the site by clicking on a link – the message disappears. If I subsequently decide to change my settings, I have to click through several hard-to-find links to reach the page where I can do this.
As a consumer I am not entirely happy that this message dissappears so quickly, nor am I happy that I have to dig deep to change my settings now. However, my lack of happiness however is not necessarily relevent to the question of compliance.
The first question that occurs to me is: Is it reasonable to assume that I have read and understood the information I have been presented with on the very first page I visit?
Might a case be made for the fact that I didn’t even see it, let alone understood it? And if I didn’t and just clicked a link anyway, can my implied consent be valid?
This is a tricky question, but an argument could be made that I was presented with the information and a choice, and it was my responsibility to act on that or not.
When looked at from this perspective, I think it could be reasonable for the BBC to assume I have given my consent by my action. Although it would be even more reasonable to assume this if the message had stayed there until I actively removed it – which would be a much clearer indication that I had at least read it.
This however is not my main issue with their approach. My main issue is this:
If I arrive on the BBC website, read the message, and close by browser down, without taking any action, on my next visit to the site, the message does not display at all.
This particular behaviour I do have a problem with, especially taken in conjunction with the message itself, which reads: “If you continue without changing your settings we’ll assume that you are happy to receive all cookies on the BBC website.” (The bold is my own emphasis)
In my case, I didn’t continue, I went away and then returned to the same page, yet they still have made an assumption of implied consent.
The cookie used by the BBC to determine whether or not the message is displayed to me is called ckns_policy and it set to stay on my browser for a year. This means that even if I don’t return for 364 days, they are still assuming my implied consent from having visited one page and not interacted with any part of that page.
I feel that this is at the very least not within the spirit of the regulations, nor of the model of implied consent that that ICO has recently endorsed. Their latest guidelines on the issue indicate that some action needs to be taken for consent to be implied, and that the site owner needs to be clear what that action is.
In my case I took no action, but my consent was still assumed, and on my return, both notice and clear choice had been removed.
I realise that to a lot of people, this may seem like nit-picking. After all, the BBC has done a lot better job than may others, even amongst their peers and competitors. For this they should be applauded.
However, I feel the success or failure of these regulations will hinge on small distinctions like this, and for better or worse many website owners will look to emulate sites like the BBC, so it ought to be important to the regulators that the example they set is a good one.
What do you think? All comments invited.
January 13, 2017
Future of EU Cookie Compliance Webinar: ...
GDPR and now the proposed E-Privacy Regulation mean a stricter regime for cookie compliance, web governance and use of online tracking technologies. Join p...View Article →
December 14, 2016
Draft EU ePrivacy Regulation Leaked...
A draft of the proposed legislation to replace the outdated EU ePrivacy Directive was leaked on the Politico.eu (PDF) website this week. The proposal is fo...View Article →
November 3, 2016
GDPR Compliance Means Cookie Notices Mus...
Are you one of those people that ticked the cookie law box ages ago and not thought about it since? Well the game has changed and now is the time to re-vis...View Article →