What is not to like about the buttons that drive traffic to your site from Facebook and Twitter? Quite a lot if you consider a study commissioned by the Wall Street Journal published in May.
‘Like’ and ‘tweet’ widgets, which appear on one third of the world’s 1,000 most-visited websites, enable Facebook and Twitter to track and follow the sites a user visits by dropping cookies – small text files placed on a user’s computer.
New EU cookie law, which came into force in the UK on 26 May, requires websites to confirm they accept cookies before they can be dropped. So what is the legal position of websites that use ‘tweet’ and ‘like’ buttons, how should they act responsibly and can anything be done to stop this happening?
How Facebook and Twitter ‘follow’ your readers
The WSJ article explains how the ‘tweet’ and ‘like’ buttons on your site track readers:
For this to work, a person only needs to have logged into Facebook or Twitter once in the past month. The sites will continue to collect browsing data, even if the person closes their browser or turns off their computers, until that person explicitly logs out of their Facebook or Twitter accounts, the study found.
Kennish’s study examined more than 200,000 web pages on the top 1,000 sites. He found Facebook obtained browsing data from 331 sites, and Google obtained data from 250 sites, some of it from its Buzz widget. Twitter got browsing information from about 200 sites.
This all may sound a little ‘big brother’ to some Facebook and Twitter users but cookies are dropped by almost every website you visit and collect all sorts of data. One of the major uses of cookies by news sites is to gather audience data and display targeted advertising. They can also be dropped by any third-party with links on your site, such as Facebook and Twitter buttons.
So what can news sites do to prevent their readers being tracked by Facebook and Twitter?
Nothing, according to Julian Evans, an information security expert with his own blog on online security, who said all ‘tweet’ and ‘like’ buttons, even if they are made by third-parties, drop cookies.
The legal position of ‘tweet’, ‘like’ and cookies
However, websites are not liable for cookies dropped by third-parties, such as Facebook’s ‘like’, Twitter’s ‘tweet’ or other buttons and links on your site, according to the Information Commissioner’s Office, an independent public body which polices the new EU cookie law and can fine websites up to £500,000 for non-compliance.
Katherine Vander from the ICO told Journalism.co.uk that websites must, during the next few months, concentrate on getting their houses in order to make sure they comply with the new EU directive that came into force in the UK on 26 May which states users have to confirm they accept cookies before a website can drop them. Before that date internet users merely had to opt out of receiving cookies if they did not want their data collected.
What should sites do to act responsibly?
Although there is no legal requirement for news sites to get readers to opt in to agree to allowing Facebook and Twitter to drop cookies and track their reading habits, the ICO is encouraging news sites to act responsibly and inform readers what is going on.
“If you’re encouraging people to come to your site to use those facilities and you’re making a deliberate link there – which obviously [sites which have ‘tweet’ and ‘like’ buttons] are – you may well feel some sense of responsibility in terms of, at the very least, providing people with information about what might result in that happening,” Vander told Journalism.co.uk. She also asked news sites to keep up-to-date with Facebook and Twitter’s privacy policies.
She suggests sites which want to be really responsible should “put a note next to the link” to tell readers this button drops cookies.
That may not sound like an attractive solution to many as it may scare or confuse readers, many of whom think a cookie is just something to dunk in a cup of tea.
“Consumers don’t understand what cookies are. People don’t want to know what [a cookie] does, they just want to know it’s safe and their privacy is safe online,” security expert Julian Evans said.
He also pointed out that news sites should remember users willingly share their own information through login authentication sites like Facebook and Twitter.
What users can do to prevent cookies
- Log out of social networks when you are not using them. Use a separate browser to log on to Facebook and Twitter;
- Amend your browser’s privacy settings (preferences > privacy);
- Clear out your cookies;
- Clear out your ‘evercookies’, a persistent JavaScript API, which you can learn how to get rid of here;
- Use a service like Disconnect;
- Security expert Julian Evans, who runs ID-Theft Protect, recommends Firefox users install No Script, a script blocker that shows where your data is going.
“However, websites are not liable for cookies dropped by third-parties, such as Facebook’s ‘like’, Twitter’s ‘tweet’ or other buttons and links on your site, according to the Information Commissioner’s Office”
If that’s what the ICO were saying when this article was written, then they seem to have changed their tune since then. According to their revised guidance document (December 2011):
“The person setting the cookie is […] primarily responsible for compliance with the requirements of the law. Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.”