Learn more about ICO and the Cookie Law
Well it’s the eve before the Information Commissioner’s Office (ICO) starts enforcing the new EU cookie law (e-Privacy Directive); the law which applies to how you use cookies and similar technologies for storing information on a user’s equipment such as a PC or mobile device.
But what sort of shape is the government in? How are they treating cookies and privacy concerns?
The ICO has had nearly one year to warn them to get in line with the new law.
So we decided to investigate…
We ran through Direct.gov.uk’s list of central government websites which include government departments, executive agencies and non-departmental public bodies… 122 sites in all.. Then we ran through all 122 to see how they conform according to the 3 main principals of setting cookies for being within the law:
- tell people that the cookies are there,
- explain what the cookies are doing, and
- obtain their consent to store a cookie on their device
Not all bodies are included as they may share the same domain or not distinct enough to warrant being its own site. You can view the full table of websites below.
Statistics we found…
11 Sites where it was impossible to find information regarding cookies or having a privacy policy at all.
2 Sites chose to use exactly the same method as ICO for not allowing any cookies to form (only allowing consent first).
4 Sites chose to use the ICO method but with session cookies being stored first.
6 Sites in total chose to obtain consent; visibly warning users about cookies. 4 of which were Scottish sites.
11 Sites mentioned cookies were being used when entering their homepage.
14 Sites that used cookies failed to mention their policy on cookies.
8 Sites do not set cookies when entering their site by their main/root domain.
47 Sites chose to display their policy via a link mentioning the word ‘cookies’. Of those only 1 site offered to turn off cookies via its own settings such as a cookie control panel (The Forestry Commission).
4 Sites were found to have misleading or incorrect information regarding their cookies.
- The Serious Fraud Office uses Google Analytics and states on their page “We do not use cookies for collecting information from the site.”
- The British Waterways states “Once the user closes their browser, the cookie terminates.” Which is true to a point, but their analytics uses persistent cookies.
- The Care Quality Commission (CQC) fails to signal any use of cookies from using their site but states “Please be aware that some systems on our website require the use of cookies, but we will always state if this is the case.”
- It might be picky but The Crown Estate site intends to use Analytics which uses persistent cookies but states, “Where we intend to use a cookie, explanatory text will be provided to tell you what the cookie does, and you will be given a specific opportunity to accept the cookie or refuse it.”
Below is the list we have compiled of central government websites taken from Direct.gov.uk such as government departments, executive agencies and non-departmental public bodies.
What the columns represent:
Tell Visitors Cookies Are There This is based on ICO’s principal of being clear about cookies. A popup or sentence would be deemed acceptable. A link saying Cookies is not acceptable.
Explain What Cookies Are Doing These are direct links from the home page to information on cookies. Some are recorded as 2 hops, say, from Privacy page to Cookies page.
Obtained Consent Did they obtain consent first before allowing cookies.
Cookie Types Types of cookies stored from first visiting the website.
Appropriate Info Page: The appropriate page for finding information about their privacy policy and cookies.
| Name | Cookies On Arrival | Tell Visitors Cookies Are There | Explain What Cookies Are Doing | Obtained Consent | Cookie Types | Appropriate Info Page |
| Information Commissioner’s Office (ICO) | No | Yes | Yes | Yes | None | Link |
| DirectGov | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Advisory, Conciliation and Arbitration Service (ACAS) | Yes | No | Yes (via Privacy page) | No | Session/Persistent/Third Party | Link |
| The Adjudicator’s Office | Yes | No | No | No | Persistent | Link |
| Association of Police Authorities (APA) | Yes | No | Partial (Privacy Page) | No | Persistent | Link |
| Attorney General’s Office (AGO) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Audit Commission | Yes | No (Direct link) | Yes | No | Session | Link |
| Audit Scotland | No | Yes | Yes | No | Persistent | Link |
| Department for Business Innovation & Skills (BIS) | Yes | Yes | Yes | No | Session/Persistent | Link |
| Bona Vacantia | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Boundary Commission for England | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Boundary Commission for Northern Ireland | Yes | No | No | No | Persistent | x |
| Boundary Commission for Scotland | Yes | No | No | No | Session | x |
| Boundary Commission for Wales | Yes | No | No | No | Session/Persistent | x |
| BRB (Residuary) | No | n/a | No | n/a | None | x |
| British Monarchy | Yes | No | Partial (via About this Site) | No | Session/Persistent/Third Party | Link |
| British Waterways | Yes | No | Partial (via Privacy page) | No | Session/Persistent | Link |
| Office for Budget Responsibility | Yes | No | No | No | Third Party | x |
| Business Link | Yes | Yes | Yes | No | Session | Link |
| business.wales.gov.uk | Yes | No (Direct link) | Yes | No | Session | Link |
| Business Gateway | Yes | No (Direct link) | Yes | No | Session | Link |
| Cabinet Office | Yes | No | Yes | No | Session/Persistent | Link |
| Care Quality Commission (CQC) | Yes | No | Partial (Privacy page) | No | Session/Persistent | Link |
| Charity Commission | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Civil Service | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Department for Communities and Local Government | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Companies House | Yes | No (Direct link) | Yes | No | Persistent | Link |
| Competition Appeal Tribunal | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Competition Commission | Yes | No | Yes (via Privacy page) | No | Session/Persistent | Link |
| The Crown Estate | Yes | No | Yes (via Privacy page) | No | Session/Persistent | Link |
| Crown Prosecution Service (CPS) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Department for Culture, Media and Sport (DCMS) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Department of Energy & Climate Change (DECC) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Department for Environment, Food and Rural Affairs (DEFRA) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Ministry of Defense (MoD) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Department for Internation Development (DFID) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Department of Finance and Personnel of NI (DFP) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Department for Education | Yes | No | Yes (via Legal information) | No | Session/Persistent | Link |
| Department for Transport (DfT) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Department of Health (DH) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| UK Debt Management Office (DMO) | Yes | No | No | No | Session | x |
| Driver and Vehicle Licensing Agency (DVLA) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Department for Work & Pensions (DWP) | Yes | No | Yes (via Privacy page) | No | Session/Persistent | Link |
| The Electoral Commission | Yes | Yes | Yes | No | Session/Persistent | Link |
| The Environment Agency | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| European Consumer Centre for Services (UK ECC) | No | Yes | Yes | Yes | None | Link |
| UK Export Finance (ECGD) | Yes | No | Yes (via Privacy page) | No | Session/Persistent | Link |
| Equality and Human Rights Commission (EHRC) | Yes | No | No | No | Session/Persistent | Link |
| Office of Fair Trading (OFT) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Financial Ombudsman Service | Yes | No | Yes (via Privacy page) | No | Session/Persistent | Link |
| Financial Services Authority (FSA) | Yes | No | Yes (via Privacy page) | No | Session/Persistent | Link |
| Food Standards Agency | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Foreign and Commonwealth Office (FCO) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| http://www.forestry.gov.uk | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Gambling Commission | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Office of Gas and Electricity Markets (OFGEM) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Government Actuaries Department (GAD) | Yes | No | No | No | Session/Persistent | Link |
| Government Communications Headquarters (GCHQ) | No | n/a | Yes | n/a | None | Link |
| GCN | Yes | No | Yes (via Privacy page) | No | Session/Persistent | Link |
| General Register Office for Scotland | No | Yes | Yes | Yes | None | Link |
| Health and Safety Executive (HSE) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| HM Inspectorate of Constabulary (HMIC) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| HM Revenue & Customs (HMRC) | Yes | No | Yes (via Privacy page) | No | Persistent | Link |
| HM Treasury | Yes | No | Yes (via Privacy page) | No | Session/Persistent | Link |
| Higher Education Funding Council for England (HEFCE) | Yes | No | No | No | Session/Persistent | x |
| Highways Agency | Yes | No | Yes (via Terms & Conditions) | No | Session/Persistent | Link |
| Homes and Communities Agency | Yes | No | Yes (via Legal) | No | Session/Persistent | Link |
| Home Office | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| The Independent Case Examiner (ICE) | No | n/a | n/a | n/a | None | x |
| Independent Police Complaints Commission (IPPC) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Intellectual Property Office (IPO) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Department for Justice | Yes | No | Yes (Privacy page) | No | Session/Persistent/Third Party | Link |
| Land Registry | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Legal Ombudsman | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Legal Services Commission (LSC) | Yes | No | Yes (Disclaimer) | No | Session/Persistent | Link |
| Local Government Ombudsman | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Greater London Authority (GLA) | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Medicines and Healthcare Products Regulatory Agency (MHRA) | Yes | No | Yes (Terms & Conditions) | No | Session/Persistent | Link |
| MET Office | Yes | No (Direct link) | Yes | No | Session/Persistent/Third Party | Link |
| MI5 | No | n/a | Yes | No | n/a | Link |
| Money Advice Service | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| The National Archives | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| National Assembly for Wales | Yes | No | Yes (Privacy page) | No | Session/Persistent/Third Party | Link |
| The National Health Service (NHS) | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| National Parks | Yes | No | Yes (Terms & conditions page) | No | Persistent/Third Party | Link |
| National Policing Improvement Agency (NPIA) | Yes | No | Yes (Legal) | No | Session/Persistent | Link |
| National Savings and Investments | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Natural England | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Northern Ireland Assembly | Yes | No | No | No | Session/Persistent | x |
| Northern Ireland Office (NIO) | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| The Nuclear Decommissioning Authority (NDA) | Yes | No | Yes (Privacy page) | No | Session/Third Party | Link |
| 10 Downing Street | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Ofcom (Office of Communications) | Yes | No (Direct link) | Yes | No | Session/Persistent/Third Party | Link |
| Ofsted (Office for Standards in Education) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Office of Rail Regulation (ORR) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Office of the Parliamentary and Health Service Ombudsman | Yes | No | Yes (Site Info) | No | Session/Persistent/Third Party | Link |
| Office of Qualifications and Examination Regulation | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Office for National Statistics | Yes | No | Yes (Privacy page) | No | Persistent | Link |
| Office of Water Services (OFWAT) | Yes | Yes | Yes | Yes | Session | Link |
| Public Services Ombudsman (Wales) | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Ordnance Survey | Yes | Yes | Yes | No | Session/Persistent | Link |
| Pensions Ombudsman | No | n/a | Yes | n/a | n/a | Link |
| Parliament.uk | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Planning Portal | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Prisons and Probation Ombudsman | Yes | No | Yes (Terms & conditions page) | No | Session/Persistent | Link |
| Government Procurement Service | Yes | No | No | No | Session/Persistent | Link |
| The Royal Mint | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Royal Parks Agency | Yes | No | Yes (Disclaimer) | No | Session/Persistent | Link |
| Scotland Office | Yes | Yes | Yes | Yes | Session | Link |
| Scottish Government | Yes | Yes | Yes | Yes | Session | Link |
| Serious Fraud Office (SFO) | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Serious Organised Crime Agency (SOCA) | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Stabilisation Unit | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
| Transport Scotland | Yes | Yes | Yes | Yes | Persistent | Link |
| Treasury Solicitor’s Department (TSOL) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| UK Border Agency | Yes | No | Partial (Privacy page) | No | Session/Persistent | Link |
| UK Office of the European Parliament | Yes | No | No | No | Session/Persistent | x |
| UK Trade & Investment (UKTI) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Universities and Colleges Admission Service (UCAS) | Yes | No (Direct link) | Yes | No | Session/Persistent | Link |
| Service Personnel and Veterans Agency | Yes | No (Direct link) | Yes | No | Persistent | Link |
| Wales Audit Office | Yes | No | No | No | Session | x |
| Wales Office | Yes | No | No | No | Session/Persistent | Link |
| Welsh Government | Yes | No | Yes (Privacy page) | No | Session/Persistent | Link |
Conclusion…
If the sites listed do not change by tomorrow this means that 90% of those government sites will be breaking the law.
This is not a list to poke holes at privacy issues, but to show the confusion… what is the right method in being open/honest about cookies? And why is the UK government so lacklustre in this department.
Should there be a prompt about consent and cookie usage? According to The ICO and the law it does, but only 6 sites actually complied with this rule… And only 2 of those used the same method as The ICO by not allowing any cookies when first visiting their sites.
Hopefully we’ll see more sites changing in the coming days; not expecting any miracles though.
Even after a week later most websites do not comply with the new law! This is probably the most ignored law that ever came out. I think that is too right because the EU is picking on troubled webmasters that have to fight for their “business lives” in troubled recession times. They cannot live without knowing who buys their products/services. They need to be focused on prospects that make money. Cookies are not a bad thing – they are essential for webmasters to make their daily turnover and being able to eat at the end of the day. Okay, there might be some criminals who try to capture info that they might use to get bank details … but a normal thinking person would only give their bank details out to websites that sell and have a secure shopping interface with encrypted communication. If they would not receive their goods after a certain time they would complain to the banks and force the money back (be sure to not pay by debit card to a company that you don’t know. Pay by Paypal or Credit Card – then you can get your money back. Bringing a whole industry down with that does not help to get us out of the recession – or does it? It seems that governments don’t think entrepreneurial nor economical. This seems to be caused by guys who invent laws to defend their desks. Sorry, but that what I think it comes down to … defending government employees desks – sad but, whatever it takes to secure ones government employee’s income.
Therefore just comply with the law but make the people who visit your website to agree with at least that Google Analytics is necessary to carry on browsing your website. If they don’t agree don’t even let them see you content,
If every webmaster does that the law will be ridiculous and forced down in the end.