Next Steps In Addressing Forthcoming Cookie Legislation
Posted by Brian Kelly on 20 Feb 2012
The Forthcoming Cookie Legislation
We all need our privacy!
On 26 May 2011 I asked How Should UK Universities Respond to EU Cookie Legislation? The post was published the day before UK government legislation based on the EU Directive requiring users to opt-in to cookie use was due to come into force. However in light of the government’s awareness of the difficulties in conforming with the legislation, the Information Commissioner’s Office (ICO) announced that UK websites were to be being given one year to comply with EU cookie law. But May 2012 is now only three months away, so how are UK Universities responding?
As described in a post on The Half Term Report on Cookie Compliance in December 2011 the ICO published a new set of Guidelines on the Rules on use of Cookies and Similar Technologies (available in PDF format) which seemed to appreciate the difficulties which institutions may face in implementing policies and practices which conform with legal requirements (“The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers“), but made it clear of the importance of making web site visitors aware of reasons why personal information is being gathered and used: “A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available“.
One of the key challenges will be in developing policy statements regarding information which is gathered and stored in cookies.
Learning from Current Practices
Back in May 2011 a survey of cookie use across the twenty Russell Group universities was carried out and the findings published in a post on Privacy Settings For UK Russell Group University Home Pages. Subsequently staff working in institutional web teams across the wider UK higher education sector were invited to provide links to their privacy policies in a Google spreadsheet. The following table provides links to privacy policies and statements based on the information available from the spreadsheet.
| No. | Institution | Privacy Policy |
| 1 | Aberdeen | Privacy statement |
| 2 | Aberystwyth | Terms and Conditions |
| 3 | Bath | Privacy |
| 4 | Bath Spa | Website Terms and Conditions of Use |
| 5 | Birmingham | Privacy |
| 6 | Bristol | Privacy and cookie policy |
| 7 | Cambridge | Privacy policies for services |
| 8 | Cardiff | Privacy Policy |
| 9 | Cranfield | Cranfield University Privacy Policy |
| 10 | Edge Hill | Privacy Statement |
| 11 | Edinburgh | Website privacy policy |
| 12 | Glasgow | Privacy statement |
| 13 | KCL | Privacy statement |
| 14 | Leeds | Privacy statement |
| 15 | Liverpool | Personal information on the web |
| 16 | LSE | Privacy and data protection |
| 17 | Manchester | Privacy |
| 18 | Nottingham | Privacy |
| 19 | Oxford | Privacy Policy |
| 20 | Sheffield | Privacy Policy |
| 21 | Sheffield Hallam | Privacy Policy |
| 22 | Staffordshire | Protecting Privacy on Data Transmission over the Internet |
| 23 | UCL | Privacy |
| 24 | Warwick | Website terms and Conditions |
| 25 | York | Legal Statements |
The links aim to make it easy for people wishing to see the approaches taken by others within the sector to see the approaches which are being taken.
Sharing Practices
In addition to the passive process of seeing what others are doing and making use of approaches which appear useful it can be more useful to collaboratively engage in the development of public privacy statements, such as those listed above, as well as discussions about important issues including approaches to auditing cookie use on web sites; ongoing auditing processes; policies for web sites which are not under the control of a central web team and the internal processes for developing policies and procedures, including reaching agreement on the institution’s willingness to take risks if it is not possibly to conform with the letter of the legislation.
Claire Gibbons, the Senior Web and Marketing Manager at the University of Bradford, has had responsibility for the development of the privacy policy at her host institution. As described in a recent blog post about a north east regional web meeting Claire:
shared our experience in terms of doing an audit of what cookies we have and presenting an updated privacy policy to our Information, Infrastructure, Access and Security group who actually signed it off. However, after subsequent conversations with colleagues and reading up a bit more I think we need to some more work here to go beyond the ‘corporate web’ or at least point out that our Privacy policy covers www.bradford.ac.uk and anything on another domain isn’t covered by this policy.
Claire subsequently made her draft cookie policy available as a resource which can be used and commented on by others. The draft cookie policy has been uploaded to JISCPress, with references to Bradford University removed to facilitate its use by others. Claire has made use of JISCPress’s commenting facilities to annotate the document, and is now inviting comments from her peers across the sector.
Feedback can be provided on the JISCPress site or on this blog.
UK Web Focus (Brian Kelly) 
Advice on Implications of Cookie Legislation | Innovation Support Centre said
[…] Next Steps In Addressing Forthcoming Cookie Legislation […]
How is the Higher Education Sector Responding to the Forthcoming Cooking Legislation? « UK Web Focus said
[…] post published in February recommended Next Steps In Addressing Forthcoming Cookie Legislation and described how the sector can benefit by sharing approaches on how institutions are responding […]
IWMW 2012 and the Cookie Monster – 28 Days Later « UK Web Focus said
[…] Next Steps In Addressing Forthcoming Cookie Legislation, 20 February 2012 […]