The Half Term Report on Cookie Compliance
Posted by Brian Kelly (UK Web Focus) on 15 December 2011
The EU’s Privacy and Communications Directive
Back in May 2011 I asked “How Should UK Universities Respond to EU Cookie Legislation?” The context to this post was the EU’s Privacy and Communications Directive, which officially came into force on 26 May 2011, the day the post was published. However, as I described, “the good news is that the ICO has recognised the complexities in implementing this legislation”, with UK websites being given a year to comply with EU cookie laws.
My initial post was followed by a report on a survey of Privacy Settings For UK Russell Group University Home Pages. This helped to identify how cookies are currently being used on the institutional home page for a selected group of institutions, to explore a tool which can be used to report on the various types of cookies, and to raise awareness of the importance of institutional activity in this area, in particular in identifying cookie usage and ensuring that documentation on such usage is provided for visitors to the institutional web site.
Update On Institutional Activities
Over six months since those two posts were published, how are institutions responding to the year’s grace which the ICO has granted?
There has been some discussion on the website-info-mgt JISCMail list on how institutions should respond. Back in May Claire Gibbons, Senior Web and Marketing Manager at the University of Bradford, initiated a discussion on the Changes to the rules on using cookies and similar technologies for storing information, which seems to have been the liveliest discussion on the list all year. The following month Web managers became aware of the news that 90% of visitors declined ICO website’s opt-out cookie and were worried that implementation of the legislation would result in a similar loss of traffic to UK University Web sites.
If you have a responsibility for managing a Web site I would advise you to read this 26 page report. However, some of the key points are given below, with my personal comments.
| Extract from the report | My comments |
| --- | --- |
| The changes to the Directive in 2009 were prompted in part by concerns about online tracking of individuals and the use of spyware. These are not rules designed to restrict the use of particular technologies as such, they are intended to prevent information being stored on people’s computers, and used to recognise them via the device they are using, without their knowledge and agreement. [Page 2] | Universities should recognise the benefits of these intentions. |
| The initial effort is where the challenge lies – auditing of cookies, resolving problems with reliance on cookies built into existing systems and websites, making sure the information provided to users is clear and putting in place specific measures to obtain consent. [Pages 3-4] | A good summary of what institutions need to do. |
| Most importantly user awareness will be likely to increase as people become used to being prompted to read about cookies and make choices. A variety of consumer initiatives – such as the use of icons to highlight specific uses of cookies will also help in this area. [Page 4] | User education is key. |
| Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems. The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes obtaining consent before the cookie is set difficult. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available. [Page 6] | The guidelines acknowledge the difficulties in implementing best practices and provide a mechanism for documenting decisions. |
| You should also consider whether users who might make a one-off visit to your site would have a persistent cookie set on their device. If this is the case, you could mitigate any risk that they would object to this by shortening the lifespan of these cookies or, where possible given the purpose for using them, making them session cookies. [Page 6] | The guidelines accept that a risk assessment strategy may be appropriate. |
| Government is working with the major browser manufacturers to establish which browser level solutions will be available and when. In future many websites may well be able to rely on the user’s browser settings as part, or all, of the mechanism for satisfying themselves of consent to set cookies. | Standards-based privacy solutions provided by browsers will be important in the future. |
| The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers. [Page 24] | The Commissioner is more likely to exercise discretion if organisations are shown to be seeking to implement best practices. |
| We will be keeping the situation under review and will consider issuing more detailed advice if appropriate in future. However, we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do. What is clear is that the more directly the setting of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent. [Page 26] | Further guidance may be produced in light of experience. |
| In our view the rules do not apply in the same way to intranets. [Page 26] | This seems to suggest that the legislation does not cover content which is hosted on Intranets, VLEs, etc. |
My optimistic interpretation of the guidelines seems to be shared by Matt Jukes who, on the Digital by Default blog, yesterday suggested that we might be seeing A crack in the cookie craziness? Matt felt that “The final entry in the FAQ offers a glimmer of hope for those of us stressing about losing access to our usage data”, although his views were tempered slightly by some concerns that “the wording seems intentionally vague and non-committal” which may “scare a lot of public sector organisations into total compliance”. Overall, however, Matt was reassured that the guidelines “does at least seem to be saying that no one is going to prosecute you for using Google Analytics – especially if you make some concerted effort to inform and educate your users about the existence of those Cookies”.
Further commentary on the guidelines has been provided by Ranjit Sidhu on the Sidspace blog. Ranjit comments that:
This is the key statement “Which method (of consent) will be appropriate to get for cookies will depend in the first instance on what cookies you use” – In other words- ‘we are not making a blanket ban- check what you are doing, if you are not being evil and creating a profile on the user without them knowing with a persistent cookie, then be sensible, do all that we have told you to do and you will be ok. And to confirm….
On the last page (p 27) specifically on “analytical cookies” they say ” In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement…… Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
Ranjit’s post concludes:
As a last point as I know there has been a lot of talk on this, and plenty of scare stories peddled by legal practitioners in particular, make sure you and your bosses are aware as to the enforcement of this (p24 of the report). The ICO will first issue an information notice if they think the organisation is doing something wrong, then ask it to take an “undertaking” notice which asks the organisation to change some practice to comply or an “enforcement” notice to make it comply, only finally if your organisation totally doesn’t listen at all will be fined! In other words, it is about the ICO helping organisations comply and improve rather than jumping out of the blue on organisations naming them as illegal and shutting them down. There are some industries this is going to affect badly…newspapers etc.. but honestly, what you Uni’s do in tracking is very, very low in its privacy implications.
First steps should be to:
- Check what type of cookies and similar technologies you use and how you use them.
- Where you need consent – decide what solution to obtain consent will be best in your circumstances.
followed by “provid[ing] clear information to users about analytical cookies and take what steps you can to seek their agreement“.
Many institutions will use technologies such as Google Analytics for which documentation will need to be provided. In addition there will be other commonly-used systems, such as content management systems, for which shared approaches in documenting information about the purposes of the information being gathered and the approaches to seeking user agreement would be beneficial.
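The first step above, checking what cookies a site sets and how, can be scripted. The following Python sketch is an added example, not code from the original post or from the ICO guidance: it classifies Set-Cookie headers captured while loading a page as session or persistent and as first- or third-party, the distinctions the guidance draws when it suggests shortening lifespans or using session cookies. The host names, cookie names and sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes with lowercase keys)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime_days(attrs, now):
    """None for a session cookie, else lifetime in days (Max-Age overrides Expires)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def audit(site_host, observed, now):
    """observed: (responding host, Set-Cookie value) pairs seen while loading one page."""
    rows = []
    for host, value in observed:
        name, attrs = parse_set_cookie(value)
        # A cookie without a Domain attribute belongs to the host that set it.
        domain = attrs.get("domain", host).lstrip(".").lower()
        first_party = site_host == domain or site_host.endswith("." + domain)
        days = lifetime_days(attrs, now)
        rows.append({
            "name": name,
            "party": "first" if first_party else "third",
            "kind": "session" if days is None else "persistent",
            "days": None if days is None else round(days),
        })
    return rows

# Constructed sample: hosts, cookie names and values are illustrative only.
NOW = datetime(2011, 12, 15, tzinfo=timezone.utc)
SAMPLE = [
    ("www.example.ac.uk", "sessionid=abc123; Path=/; HttpOnly"),
    ("www.example.ac.uk", "visitor=42; Domain=.example.ac.uk; Expires=Sun, 15 Dec 2013 00:00:00 GMT"),
    ("ads.example.net", "uid=9f; Max-Age=31536000; Path=/"),
]

if __name__ == "__main__":
    for row in audit("www.example.ac.uk", SAMPLE, NOW):
        print(row)
```

Cookies written by client-side scripts, as analytics tools commonly do, do not appear in Set-Cookie headers, so a full audit also needs to inspect the browser's cookie store.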
Claire Gibbons, Senior Web and Marketing Manager at University of Bradford is currently developing guidelines for the University of Bradford which she has described in a post on Cookies and legislation – some thoughts and a sector invite. As suggested by the title, Claire would like to invite others to contribute to:
a Google spreadsheet … to store our info so we can share and learn from each other [in areas including:]
- Institution name
- Audit done
- Types of cookies used
- Technologies used
- Where consent is needed
- Any other comments
- Link to published or draft policy
This initiative, which is being driven by practitioners, is to be welcomed. Textual information, such as details of policies, processes, etc. can be added to the Google Document on Cookie Policies. In addition a Google Spreadsheet on UK HEI Privacy Policies is also available which can be used to provide links to privacy policies and provide brief comments. Finally, Delicious users may wish to add a link to their privacy policies using the privacy-uk-heis tag so that their contribution can be included in an aggregation of tagged resources (although note that following recent changes to the Delicious service the usefulness of this service is currently uncertain).
Why You Should Actively Engage
As Ranjit points out, “it is about the ICO helping organisations comply and improve rather than jumping out of the blue on organisations naming them as illegal and shutting them down”. He points out that some sectors seem to be doing badly. If the higher education sector can be seen to be implementing appropriate and achievable best practices, respecting users’ needs whilst understanding the difficulties in blunt implementation of the legislation, this will be beneficial for the sector as a whole. I do hope you will spend a small amount of time in giving comments on this post and on Claire’s, in providing links to your policy statements so that others can learn from their peers, and in documenting other aspects of this work which may be useful to others.
It should also be remembered that the ways in which we should respond to cookie legislation will go beyond those working in institutional Web management teams. Clearly it will also be important for institutions which have a devolved approach to Web management. But responsibilities must also be shared by individuals who provide Web content, whether hosted within their institution or by third party services.
I have just added a widget on the right hand sidebar of this blog which describes how WordPress.com, who host the blog, make use of Google Analytics. I have gone beyond the issue of cookies by reminding people who leave comments on this blog that they are required to provide an email address. I have now published a policy which states that such email addresses will not be disclosed.
Is this an approach which we can recommend to others?