How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation?
Posted by Brian Kelly on 16 April 2012
A post published in February recommended Next Steps In Addressing Forthcoming Cookie Legislation and described how the sector can benefit by sharing approaches on how institutions are responding to the cookie legislation, which comes into force on 26 May.
In order to help identify the ways in which institutions are advising visitors to their web sites on institutional policies on cookie usage a summary of interesting highlights from privacy policies provided by Russell Group Universities (which were surveyed in a post on Privacy Settings For UK Russell Group University Home Pages published in May 2011) together with a number of other universities who provided institutional details to a Google Spreadsheet on UK HEI Privacy Policies is given in the following table.
Note that the information provided in this table given below was collected on 13-16 April 2012.
|1||University of Aberdeen||Privacy statement||Y||Introduced by stating “This policy explains what information is gathered from web clients visiting the University of Aberdeen’s central web server, and how that information is used.“|
|4||Bath Spa University||Website terms and conditions of use||Y||Provides detailed information on specific cookies. Explains why Google Analytics is used and how users can opt out.|
|5||University of Birmingham||Privacy||Y||Has sections on What information is collected? and What we do with the information?|
|9||Cranfield University||Privacy||Via Legal link||Explains how “The “Cookie” allows us to track visitors through the website but does not include any personally identifiable information. With most Internet Browsers, you can erase “Cookies” from your computer hard drive, block all “Cookies”, or receive a warning before a “Cookie” is stored.“.|
|12||University of Glasgow||Privacy statement||Via link to Disclaimer||Provides an explanation of cookies and describes how they are used with Google Analytics. Describes how Google may use the information collected and explains how cookie can be disabled.|
|14||King’s College London||Privacy statement||Via link to Terms and Conditions of Use||Has sections on How do we collect information?; What information do we collect?; How do we use this information?; Do we use ‘Cookies’?; How do we protect personal information?; Will we disclose the information we collect to outside parties? and Your Consent. Has link to detailed page on Cookie use at King’s College London.|
|15||University of Leeds||Privacy statement||Y||Has sections on Purpose of this statement; Automated collection of personal information; Non-automated collection; Third-party access; Cookies; Google Analytics and Changes to this statement.|
|16||University of Liverpool||Personal information on the web||Via link to Legal, Risk & Compliance||Has sections on What information is collected, and how is it used?; Cookies (including link to All About Cookies); Security and Requests for Access.|
|20||University of Nottingham||Privacy||Y||Has sections on Information we collect; How we may use the information; Cookies; Security Access Requests and Security.|
|22||Queen’s University Belfast||-||N||-|
|25||Staffordshire University||Protecting Privacy on Data Transmission over the Internet||Via link to Legal||Has sections on What information is collected and What do we do with the information?|
|28||University of Warwick||Website terms and conditions||Y||The privacy statement explains “what types of personal information will be gathered when you visit the University of Warwick’s web site and how this information will be used. Please note that although Warwick’s web site provides links to other web sites, this policy only applies to the University’s web pages (ie. those ending in warwick.ac.uk).“|
|29||University of West of England||
|Y||Has information on What are cookies?; Which type of cookie does UWE use?; UWE cookies and personal information; Blackboard; Web metrics; Can I turn off UWE cookies? and What happens if I switch off UWE cookies?.|
Moves Towards Pragmatism
The approaches which are being taken appear to reflect the pragmatic guidance which has been provided recently.
The emphasis on providing appropriate information rather than implementing technical solutions was highlighted last week in a post on Enforcement of cookie consent rules for analytics not a priority, ICO says published on Out-law.com, a Web site which provides legal news and guidance from Pinsent Masons, an international law firm. This article began:
The UK’s data protection watchdog is not likely to take action against the users of data analytics cookies on websites even if they fall foul of new EU rules on cookie consent, it has said.
A statement from the ICO said:
” … it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.“
It should also be noted that the International Chamber of Commerce (ICC) UK has issued new guidance (15-page / 296KB PDF) on cookies. The guidance, which has been welcomed by the ICO, contains information on the different categories of cookies that website operators use and when consent to those cookies will be required to be obtained. From this document I learnt that:
The Government and the ICO have said that browsers will be an important part of giving users the increased access
It seems that the government does have an understanding of the need for technical privacy standards such as the W3C’s Tracking Protection Working Group which aims to “improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements“.
The ICC’s guidance document also helpfully defines four categories of cookies:
- strictly necessary cookies
- performance cookies
- functionality cookies
- targeting cookies or advertising cookies
The document adds that “we are keen to ensure that these categories do not become entrenched but rather evolve as industry discovers cookies that need more accurate categorisation” which again emphasis the realistic approaches which are being taken.
I might add that I suspect that concerns regarding privacy issues and c0okies will primarily focus on targeting cookies and advertising cookies, with cookies which are
- strictly necessary “in order to enable you to move around the website and use its features, such as accessing secure areas of the website“;
- performance cookies which “collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages” and
- functionality cookies which “allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features“
will not be the prime area of concern for the ICO (although I should add that IANAL) .
When I started writing this post I was intending to comment on the patterns which we can see starting to develop. These include:
- The ways of addressing privacy policies in a very distributed environment, as can be seen in the approach taken at the University of Cambridge.
- The detailed technical information about specific cookies which is being provided at institutions such as Bath Spa and King’s College London.
- The ways in which use of Google Analytics is documented, such as can be seen at Bath Spa and the University of Leeds.
- The ways in which users are advised to disable Google Analytics, such as can be seen at the University of Glasgow.
- The popularity of the All About Cookies service for further information about cookies.
At the IWMW 2012 event, to be held at the University of Edinburgh on 18-20 June, Claire Gibbons (University of Bradford) and John Kelly (JISC Legal) will be running a 90 minute session on Responding to the Cookie Monster. I wonder if the cookie monster will turn out to be not as scary as we first feared?
Twitter conversation from Topsy: [View]