I've been around the block on this subject a few times.
This board sets a (usual) bunch of Google Analytics cookies (__utma, __utmb, __utmc, __utmz).
The following (what I would call 'site-admin') cookies are specific to the operation of the board, and seem to be based on IP interrogation:
- bb_lastactivity (permanent cookie, duration 1 year)
- bb_lastvisit (permanent cookie, duration 1 year)
- bb_np_notices_dislayed (session cookie, deleted when quitting browser)
The above two categories of cookies are set whether one is logged in or not, i.e. it would appear they are set irrespective of whether one is a member.
The law requires cookies to be set only with a visitor's consent. This consent is required prior to the cookies being set. The consent has to be an informed one.
In respect of members, this consent can be considered granted by virtue of their consent to agreeing to the terms and conditions of the board. (That doesn't absolve the requirement to explain what the cookies do in those board terms and conditions however.) In respect of non-members, the consent cannot be considered to be so granted.
For Google Analytics cookies, the nature of what constitutes 'consent' varies across EU Member States. The UK's Information Commissioner's Office is (unofficially) receptive to the notion of implied consent being acceptable for cookies used solely for anonymised analytics purposes - although GA data does record an IP address, they cannot in themselves be used to identify anyone personally. It would seem that the board does not host any 3rd party cookies or scripts that read the Google Analytics cookies, so it is a reasonable assumption that they are being used solely for anonymised analytical purposes. Google does not share its GA site analytics data with any other party. Indeed, it is a condition of service for GA that they are not used for purposes other than anonymised analytic purposes.
That's the official Google line, but Google has got itself into hot water lately over its breaking of security features in some browsers, and it is likely that the FDA will impose a massive fine on Google as a result. Google is also in the middle of a high-stakes cat and mouse game with the EU concerning the recent controversial harmonisation of Google's privacy policies: CNIL, the French Regulator, acting on behalf of the EU, sent Google a detailed questionnaire a month or so ago. Google has responded in part, but its answers to the remaining questions have not yet been published. Crucially, Google have yet to answer the CNIL questions about whether they use GA data for Online Behavioural Advertising (OBA). The absence of ads on for3.org is not relevant in this respect. If it is revealed that Google is using GA data for any kind of OBA, then all hell will let loose, and the 'turning a blind eye' to the need for consent to GA cookies is likely to undergo an about-turn. In effect, pending Google's responses to CNIL, if consent for GA cookies is seen as mandatory under the law, it will mean the death of client-side analytics.
My current personal view is that GA cookies are in themselves benign, and I will not be seeking user consent for them on a website I run. Please note this is contrary to the strict letter of the UK law. GA cookies consent is at the bottom of ICO's agenda - it will have a lot more pernicious cookie and ad-tracking mechanisms to stamp down on. ICO's guidance note includes:
"Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
The for3.org server is based in the States, so is immune to EU law. Currently there is no requirement to obtain cookie consent outside the EU. However, my guess is if a 'webmaster/administrator' (a party having prime control over the 'content' of a site, to use a loose definition) is based in the EU, the site will be expected to comply. Where the domain is registered and where the server happens to be are likely to be secondary considerations. The ICO guidance document includes:
"An organisation based in the UK is likely to be subject to the requirements of the Regulations even if their website is technically hosted overseas. Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided."
In other words, ICO admits it is powerless about non-EU hosting, but expresses an aspiration that non-EU hosting too will comply.
The chief focus of regulatory concern is likely to be on 3rd party behavioural/user-profiling tracking cookies, and social website interactivity. (Neither of these areas is present in for3.org as far as I can tell.) The two main factors driving ICO in the immediate post-May months will I think be a complaints-driven strategy coupled with their ongoing desperation to see a browser-based solution, the latter becoming more and more hopelessly flawed and confusing in my personal view, and it's certainly not going to roll out properly within a year or so. And please note the proposed 'do not track' schemes are only requests - it seems likely that the response from the adserver industry will be at most to cease targeting, but continue tracking.
That being said, doing nothing is not an option. What ICO is looking for in the short term is an indication that publishers are doing something, albeit imperfect best intentions, so I would suggest:
- Given that cookies are being set irrespective of forum membership, a 'Privacy and cookies policy' page should be compiled and made visible;
- A reference to the Privacy and cookies pages should be prominent on each page of the forum (in a header, typically).
- The Privacy and cookies page should detail what personal information is being held, and what each set of cookies does. (The law still expects an explanation of what the cookies do, even for members.)
- Make a reference from the Board Terms and Conditions to the Privacy and cookies policy page.
As to the consent mechanisms needed (or not) for the site cookies, those can be considered at more leisure. As indicated above, my personal view is that consent need not be obtained for GA cookies provided what they do is explained. In respect of the IP-based 'site-admin' cookies, it is a moot point whether they can be regarded (from a regulatory point of view) as 'essential to the operation of the site', and therefore regarded as immune to the need for consent. The fact that they are set irrespective of membership is unfortunate, and indicates that a consent mechanism is probably required. It would be useful to know exactly what the three site-admin cookies do, and that they weren't being interrogated by Yahoo servers (I don't think this is the case, and I can't detect any Yahoo cookies being set, but it would be good to have the reassurance). The key consideration on the site-admin cookies is whether they carry personally-identifiable information.
The only 3rd party cookies likely to be encountered in for3.org are from embedded Youtubes. In conventional embedding, Youtube cookies are set as soon as the page on which the video is embedded is loaded. If they are embedded in what Youtube call 'privacy-enhanced mode' (sic), the cookies are still set, but not until the video is actually played. This delayed cookie setting mechanism can be explained upfront on the Privacy and cookies page, and is a useful way of circumventing the need to gain consent. (Otherwise, if Youtubes are embedded normally, the only option is to insert a consent mechanism on the site/page, and to hide the video code until the consent is granted.) It would be difficult if not impossible to expect users to embed Youtubes in the privacy-enhanced mode, so it looks likely a forum-wide consent mechanism will be needed. It does however depend on the settings of a user's browser, and information on this (e.g. blocking 3rd party cookies) is probably a more pragmatic recommendation, at least in the short term. 3rd party cookies are a real pain to deal with under the new law.
Don't worry unduly about the 26 May 'deadline'. ICO has a lot more important things to take care of before it considers little membership forums like this one.
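The post above suggests two ways of dealing with embedded YouTube videos: hiding the video code until consent is granted, or relying on privacy-enhanced mode so that YouTube's cookies are not set until the video is played. The following is an added example (not code from the post, the forum software, or for3.org) showing the two combined: no iframe is emitted at all until the visitor has opted in, and once they have, the privacy-enhanced host is used so that the cookie-setting is still deferred to the moment of playback. It is written as plain functions so it runs under Node without a DOM. Everything in it is an assumption made for the example: that posts mark videos as [youtube]VIDEO_ID[/youtube], that the visitor's choice is kept in a first-party cookie named cookie_consent, and that privacy-enhanced embeds are served from www.youtube-nocookie.com (the host YouTube uses for that mode).

```javascript
// Added example, not the forum's own code. Assumed conventions (constructed for
// this example): [youtube]ID[/youtube] BBCode in post bodies, a first-party
// "cookie_consent" cookie holding the visitor's choice, and YouTube's
// privacy-enhanced embed host www.youtube-nocookie.com.

const CONSENT_COOKIE = "cookie_consent";        // assumed first-party cookie name
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;         // YouTube IDs are 11 URL-safe chars
const BBCODE = /\[youtube\]([^\[\]]+)\[\/youtube\]/gi;

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    let value = part.slice(i + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    if (name) out[name] = value;
  }
  return out;
}

// Consent counts only when the visitor explicitly chose it; a missing cookie,
// "no", or any other value is treated as no consent.
function hasThirdPartyConsent(cookieHeader) {
  return parseCookieHeader(cookieHeader)[CONSENT_COOKIE] === "yes";
}

// Render one video. Without consent the iframe is never emitted, so the browser
// makes no request to YouTube and no YouTube cookie can be set. With consent the
// privacy-enhanced host is used, which defers YouTube's cookies until play.
function renderYoutubeEmbed(videoId, consented, { privacyEnhanced = true } = {}) {
  if (!VIDEO_ID.test(videoId)) {
    // Refuse anything that is not a well-formed ID rather than interpolating it.
    return '<span class="video-invalid">[invalid video id]</span>';
  }
  if (!consented) {
    return `<div class="video-placeholder" data-video-id="${videoId}">` +
      "Playing this video loads content from YouTube, which sets its own cookies. " +
      '<button type="button" class="video-consent">Allow YouTube videos</button></div>';
  }
  const host = privacyEnhanced ? "www.youtube-nocookie.com" : "www.youtube.com";
  return `<iframe src="https://${host}/embed/${videoId}" width="560" height="315" ` +
    'allowfullscreen referrerpolicy="strict-origin-when-cross-origin"></iframe>';
}

// Replace every [youtube] tag in a post body with the gated markup, deciding
// once per request from the visitor's Cookie header.
function gatePostBody(body, cookieHeader) {
  const consented = hasThirdPartyConsent(cookieHeader);
  return body.replace(BBCODE, (_, id) => renderYoutubeEmbed(id.trim(), consented));
}

// How many third-party embeds a body would trigger with no gate at all;
// handy when auditing existing posts for the privacy page.
function countEmbeds(body) {
  return (body.match(BBCODE) || []).length;
}

// The Set-Cookie header the forum sends when the visitor presses "Allow".
// The consent record itself is first-party and carries no personal data.
function consentSetCookie(days = 365) {
  return `${CONSENT_COOKIE}=yes; Max-Age=${days * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Constructed sample post body: one well-formed ID and one malformed tag.
const SAMPLE_POST =
  "Watch this: [youtube]a1b2c3d4e5f[/youtube] and this [youtube]bad id[/youtube]";

console.log(gatePostBody(SAMPLE_POST, ""));                   // placeholders only
console.log(gatePostBody(SAMPLE_POST, "cookie_consent=yes")); // nocookie iframe
```

The placeholder button would be wired client-side to set the consent cookie and re-render the page; the point of doing the gating at render time is that an un-consented visitor's browser never contacts YouTube, which is the only state in which the "cookies set on page load" problem the post describes cannot arise.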