How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation?

A post published in February recommended Next Steps In Addressing Forthcoming Cookie Legislation and described how the sector can benefit by sharing approaches on how institutions are responding to the cookie legislation, which comes into force on 26 May.

In order to help identify the ways in which institutions are advising visitors to their web sites on institutional policies on cookie usage a summary of interesting highlights from privacy policies provided by Russell Group Universities (which were surveyed in a post on Privacy Settings For UK Russell Group University Home Pages published in May 2011) together with a number of other universities who provided institutional details to a Google Spreadsheet on UK HEI Privacy Policies is given in the following table.

Note that the information provided in this table given below was collected on 13-16 April 2012.

Ref. No.	Institution	Privacy Policy	Linked from Home page?	Comments
1	University of Aberdeen	Privacy statement	Y	Introduced by stating “This policy explains what information is gathered from web clients visiting the University of Aberdeen’s central web server, and how that information is used.“
2	University of Aberystwyth	Cookie Policy	Via link to Terms and Conditions	Explains cookies in plain language and describes use of cookies for “(1) To retain the language choice and user type as defined on the Preferences page and (2) To collect detailed web site usage data“
3	University of Bath	Privacy statement	Y	Covers collection of personal data and use of email and online forms as well as use of cookies.
4	Bath Spa University	Website terms and conditions of use	Y	Provides detailed information on specific cookies. Explains why Google Analytics is used and how users can opt out.
5	University of Birmingham	Privacy	Y	Has sections on What information is collected? and What we do with the information?
6	University of Bristol	Privacy and cookie policy	Y	Has sections on Information that we collect from you and your use of this website; How we use your information; How we handle the data submitted by you; Links to external web sites and How to contact us. with additional link to Use of cookies on the University’s website page.
7	University of Cambridge	Privacy policies for services	Y	Provides links to privacy policy for specific services.
8	Cardiff University	Privacy policy	Y	Explains how “Cookies are also used to compile general (not personal) site usage statistics. Cookies are not used to capture or store personal information for any other purpose.” and explains that “Other pages that are linked to from the main Cardiff University sites may have a separate privacy policy, including some Academic School, Research Centre and project-orientated websites“.
9	Cranfield University	Privacy	Via Legal link	Explains how “The “Cookie” allows us to track visitors through the website but does not include any personally identifiable information. With most Internet Browsers, you can erase “Cookies” from your computer hard drive, block all “Cookies”, or receive a warning before a “Cookie” is stored.“.
10	Edge Hill University	Privacy statement	Y	Address data protection issues rather than use of cookies.
11	University of Edinburgh	Website privacy policy	Y	Has sections on Information that we collect from you; Use of your information; Storage of your information; Disclosure of your information and IP addresses and cookies.
12	University of Glasgow	Privacy statement	Via link to  Disclaimer	Provides an explanation of cookies and describes how they are used with Google Analytics.  Describes how Google may use the information collected and explains how cookie can be disabled.
13	Imperial College	–	N	–
14	King’s College London	Privacy statement	Via link to Terms and Conditions of Use	Has sections on How do we collect information?; What information do we collect?; How do we use this information?; Do we use ‘Cookies’?; How do we protect personal information?; Will we disclose the information we collect to outside parties? and Your Consent. Has link to detailed page on Cookie use at King’s College London.
15	University of Leeds	Privacy statement	Y	Has sections on Purpose of this statement; Automated collection of personal information; Non-automated collection; Third-party access; Cookies; Google Analytics and Changes to this statement.
16	University of Liverpool	Personal information on the web	Via link to Legal, Risk & Compliance	Has sections on What information is collected, and how is it used?; Cookies (including link to All About Cookies); Security and Requests for Access.
17	London School of Economics	Terms of use	Y	Section on cookies explains what they are; describes how the “Website does not use cookies to store personal data. Cookies are used to store a unique reference number for each visitor to the Website, which allows one visitor to be distinguished from another“; provides links to All About Cookies and Cookiecentral.com, and states that “if a User sets up his or her browser to reject the cookie, he or she may still use the Website, although functionality may be impaired“.
18	University of Manchester	Privacy	Y	States that “Some parts of The University of Manchester website use cookies for security purposes (eg to save the user from having to re-enter their details for every page in a section of the site). Cookies are not used to capture or store personal information for any other purpose, and all cookies are deleted as soon as a session is ended. You may choose to refuse cookies by disabling them using your web browser.“
19	Newcastle University	–	N	–
20	University of Nottingham	Privacy	Y	Has sections on Information we collect; How we may use the information; Cookies; Security Access Requests and Security.
21	University of Oxford	Privacy Policy	N	Has sections on Information collected and How the information collected is used.
22	Queen’s University Belfast	–	N	–
23	University of Sheffield	Privacy Policy	Y	Has sections on Information we collect as you browse our web site; About Cookies; About Spotlight tags; Use of optional information; Future developments and Security.
24	Sheffield Hallam University	Privacy Policy	Y	Has sections on Use of information provided by visitors; Security; Cookies and Inaccurate data.
25	Staffordshire University	Protecting Privacy on Data Transmission over the Internet	Via link to Legal	Has sections on What information is collected and What do we do with the information?
26	University of Southampton	Privacy Policy	Via link to Terms and conditions	Has sections on Information the University May Collect From You; IP Addresses and Cookies (including link to All About Cookies ); Storing your Personal Data; Uses made of the Information; Disclosure of your Information and Access to Information
27	University College London	Privacy	Y	Has links to Data Protection but not use of cookies.
28	University of Warwick	Website terms and conditions	Y	The privacy statement explains “what types of personal information will be gathered when you visit the University of Warwick’s web site and how this information will be used. Please note that although Warwick’s web site provides links to other web sites, this policy only applies to the University’s web pages (ie. those ending in warwick.ac.uk).“
29	University of West of England	Legal Statements Privacy	Y	Has information on What are cookies?; Which type of cookie does UWE use?; UWE cookies and personal information; Blackboard; Web metrics; Can I turn off UWE cookies? and What happens if I switch off UWE cookies?.
30	University of York	Legal Statements	Y	The Privacy section describes use of cookies with Google Analytics.

Moves Towards Pragmatism

The approaches which are being taken appear to reflect the pragmatic guidance which has been provided recently.

The post on The Half Term Report on Cookie Compliance drew attention to the ICO’s Guidelines on the Rules on use of Cookies and Similar Technologies (available in PDF format) which seemed to appreciate the difficulties which institutions may face in implementing policies and practices which conform with legal requirements (“The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers“). The guidelines made clear the importance of making web site visitors aware of reasons why personal information is being gathered and used: “A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available“.

The emphasis on providing appropriate information rather than implementing technical solutions was highlighted last week in a post on Enforcement of cookie consent rules for analytics not a priority, ICO says published on Out-law.com, a Web site which provides legal news and guidance from Pinsent Masons, an international law firm. This article began:

The UK’s data protection watchdog is not likely to take action against the users of data analytics cookies on websites even if they fall foul of new EU rules on cookie consent, it has said. 

A statement from the ICO said:

” … it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.“

It should also be noted that the International Chamber of Commerce (ICC) UK has issued new guidance (15-page / 296KB PDF) on cookies. The guidance, which has been welcomed by the ICO, contains information on the different categories of cookies that website operators use and when consent to those cookies will be required to be obtained. From this document I learnt that:

The Government and the ICO have said that browsers will be an important part of giving users the increased access

It seems that the government does have an understanding of the need for technical privacy standards such as the W3C’s Tracking Protection Working Group which aims to “improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements“.

The ICC’s guidance document also helpfully defines four categories of cookies:

1. strictly necessary cookies
2. performance cookies
3. functionality cookies
4. targeting cookies or advertising cookies

The document adds that “we are keen to ensure that these categories do not become entrenched but rather evolve as industry discovers cookies that need more accurate categorisation” which again emphasis the realistic approaches which are being taken.

I might add that I suspect that concerns regarding privacy issues and c0okies will primarily focus on targeting cookies and advertising cookies, with cookies which are

• strictly necessary “in order to enable you to move around the website and use its features, such as accessing secure areas of the website“;
• performance cookies which “collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages” and
• functionality cookies which “allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features“

will not be the prime area of concern for the ICO (although I should add that IANAL) .

Discussion

Note click for enlarged view of University of Sheffield’s Privacy Policy

When I started writing this post I was intending to comment on the patterns which we can see starting to develop. These include:

• The ways of addressing privacy policies in a very distributed environment, as can be seen in the approach taken at the University of Cambridge.
• The detailed technical information about specific cookies which is being provided at institutions such as Bath Spa and King’s College London.
• The commonly used sections provided in Privacy policy pages such as the Privacy Policy at the University of Sheffield, which is illustrated.
• The ways in which use of Google Analytics is documented, such as can be seen at Bath Spa and the University of Leeds.
• The ways in which users are advised to disable Google Analytics, such as can be seen at the University of Glasgow.
• The popularity of the All About Cookies service for further information about cookies.

However in light of ICC’s guidance document and its endorsement by the ICO it does occur to me that it would be useful for institutional privacy policies to make use of the language provided in this document. This suggestion might be particularly relevant for those institutions which do not appear to provide a privacy policy which can be easily found from the institution’s home page!

At the IWMW 2012 event, to be held at the University of Edinburgh on 18-20 June, Claire Gibbons (University of Bradford) and John Kelly (JISC Legal) will be running a 90 minute session on Responding to the Cookie Monster. I wonder if the cookie monster will turn out to be not as scary as we first feared?

---

Twitter conversation from Topsy: [View]

51.379915 -2.331708