Yes, the government responded (a few days ago now actually, but I only just got around to posting this). I won’t copy their email here, because publishing communications from the Information Commissioner’s Office without their permission probably isn’t the smartest thing to do, but the gist of their message was an entirely friendly admission that yes, they aren’t entirely compliant yet. They’d like to be, but there’s still work to be done and they’ll be doing it over the forthcoming months. In particular they said they’d address the lack of cookie information on their notification form as a priority. So ho hum, how boringly reasonable of them!
The only point we didn’t seem to see quite eye to eye was over the issue whether they are currently claiming that the session ID they are setting falls under the “essential services” exemption of the new regulations. I would argue, judging from the wording of their privacy policy that they are, and that’s a disingenuous claim because there are ways to do what they’re doing without using cookies. They aren’t the way ASP.NET works out of the box, but they’re possible. However, since they say they’re planning on making further improvements, maybe we should give them the benefit of the doubt. For now. I’ll be interested to see what they’re site looks like in 6 months time.
Leave a Reply