Wherein I unwisely take on the government

The following is an email I just sent to the Information Commissioner’s Office internal compliance department regarding the failure of their website to comply with the new regulations on cookies that are coming into force in Europe:


I am a professional working in the field of web development. As such, I have been looking into the new regulation surrounding the use of “cookies” by websites to track users and store information about them. During my investigation, it has become clear that your own site http://www.ico.gov.uk is not operating in compliance with the regulations as you explain them. What’s more, it provides misleading information that suggests it IS in compliance when it is not.

Upon browsing to your site, the user is presented with a notification that site uses cookies and that one such cookie is “essential for parts of the site to operate and has already been set”. Checking the privacy notice for your site reveals that this is the ASP.NET session cookie which, according to your policy falls under the category of “essential” cookies as it is essential for the “notification form” to operate. By “notification form”, I presume you mean the one available here: https://www.ico.gov.uk/onlinenotification/

There are serious problems with this line of argument:

  • Navigating directly to the notification form[1] sets the cookie, but does not inform the user. This situation could easily occur if a user has been sent a link in an email (such as this one) and therefore has not reached the form via the main page of the site, and will have been given no information on the use of cookies.

  • Your document[2] explaining the changes to regulations regarding cookies, says the following regarding the exemption for essential cookies:

    This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user.

    Clearly, a user who simply visits your site has not “explicitly requested” to use the notification form. In fact, they may not be intending to use it at all, or even be aware of it. I visited your site with the intention of discovering more information about the changes to the regulation regarding cookies, not to use the online notification form. At no point did I make any explicit request to use the service, so the exemption clearly does not apply.

  • The ASP.NET session cookie is NOT essential to have the online form work. I say this as someone with years of experience working directly with the Microsoft ASP.NET technology in question. It is quite possible to turn off[3] the ASP.NET session cookie and still have the site work. If this Microsoft mandated approach presented problems, you could also easily develop a solution that sets a cookie only when the user begins using the form, or develop a solution that does not use a cookie, and instead tracks state via hidden form fields.

Judging from how your website is operating, I would hazard a guess that the person(s) responsible for the maintenance of your site have tried to do the least possible they could in order to claim compliance with the regulations. The ASP.NET session cookie is enabled by default, and turning it off and developing an alternative solution would require marginally more effort. Therefore, they have disingenuously claimed that it is essential in an effort to save effort on their part.

I was surprised and disappointed to find that these problems. If your own website cannot properly comply with the regulations, and apparently sees them as a nuisance to be skirted around, what message does that send to those of us in the industry who have to work to them?


Jon Rimmer

So anyway, if the men in black come to get me, you’ll know why.