How Bradford made friends with the Cookie Monster v0.1
1. The most eagerly awaited IWMW session EVER
Workshop session C1: Responding to the Cookie Monster
2. We are . . .
• John Kelly, Principal Legal Information Specialist with JISC Legal
• Claire Gibbons, Senior Web and Marketing Manager, University of Bradford
3. We’ll cover . . .
• The Legal Stuff
– Legal requirements
– Clarifying the ICO guidance on how to comply with the new cookie law requirements
– Appropriate Wording for Policies
– Tips for Compliance
• What Bradford and the sector did
• Good, bad and best practice and views on the Cookie Law – discussion, sharing, venting!
• What next for institutions and the sector – ideas and suggestions
25. • Post-26 May Guidance
– updated guidance from JISC Legal
26. • Article 29 Working Party
– CRITERION A: the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.
– CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.
27. Exemptions?
• User-input cookies (e.g. shopping carts): probably exempt under Criterion B (but note comments on cookie lifetime);
• Authentication cookies: probably exempt under Criterion B if used within a single browser session; need to warn the user beforehand (i.e. get implied consent) if the cookie will persist across browser sessions;
• User-centric security cookies (e.g. to detect repeated login failures): may be exempt under Criterion B, but need to check specific details;
• Multi-media Player Session Cookies: probably exempt under Criterion B, but make sure they aren’t used for other purposes;
• Load-balancing Session Cookies: probably exempt under Criterion A;
• UI Customisation Cookies: short-lifetime cookies probably exempt under Criterion B, for longer lifetimes obtain implied consent as for authentication cookies;
• Social Plug-in Sharing Cookies: may be exempt under Criterion B, but only if they are restricted to logged-in users and limited to a session.
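The exemptions above turn on a cookie's purpose and on whether it outlives the browser session, so a cookies audit needs the real lifetime of each cookie a system sets. As an added example (not code from the session, JISC Legal or the University of Bradford), this Python helper parses Set-Cookie headers and applies the slide's criteria; it assumes the operator tags each cookie with one of the slide's purpose categories, and it uses a constructed reference date for the Expires arithmetic.

```python
"""Set-Cookie audit helper for the Art.29 WP exemption list above (added example,
not from the session or the University of Bradford). Assumes the operator tags
each cookie with one of the slide's purpose categories; a cookie counts as
'session' when it carries no Max-Age or Expires attribute."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Slide categories -> (criterion the slide says probably applies,
# True if the slide makes exemption conditional on a single-session lifetime).
CATEGORIES = {
    "user-input": ("B", False),       # shopping carts; note comments on lifetime
    "authentication": ("B", True),    # persists across sessions -> implied consent
    "security": ("B", False),         # e.g. login-failure counters; check details
    "multimedia": ("B", False),       # must not be reused for other purposes
    "load-balancing": ("A", False),
    "ui-customisation": ("B", True),  # long-lived ones treated like authentication
    "social-plugin": ("B", True),     # also logged-in users only: check manually
}
AUDIT_TIME = datetime(2012, 6, 19, tzinfo=timezone.utc)  # constructed reference time

def parse_set_cookie(header: str, now: datetime = AUDIT_TIME) -> dict:
    """Return the cookie name and lifetime in seconds (None = session cookie)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    lifetime = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "max-age":  # RFC 6265: Max-Age takes precedence
            return {"name": name, "lifetime": int(val)}
        if key.lower() == "expires":
            lifetime = int((parsedate_to_datetime(val) - now).total_seconds())
    return {"name": name, "lifetime": lifetime}

def assess(header: str, category: str, now: datetime = AUDIT_TIME) -> dict:
    """Apply the slide's rules: probably exempt, implied consent, or not covered."""
    cookie = parse_set_cookie(header, now)
    persistent = cookie["lifetime"] is not None and cookie["lifetime"] > 0
    if category not in CATEGORIES:
        verdict = "consent needed (not in exemption list)"
    else:
        criterion, session_only = CATEGORIES[category]
        if session_only and persistent:
            verdict = "implied consent needed"
        else:
            verdict = f"probably exempt (Criterion {criterion})"
    return {**cookie, "category": category, "persistent": persistent, "verdict": verdict}
```

A cookie with a category outside the slide's list (analytics, for instance) is reported as needing consent rather than silently passed.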
28. • Art.29WP on Cookies – specific and pragmatic advice
33. Next steps
• Systems and cookies audit?
• Are we doing enough?
• Continuous review through Committee structure
• Update the Privacy Policy Template?
• Sector article on our actions to national magazines/blogs etc? Big up the sector!
I’m Claire Gibbons, the senior web and marketing manager at the University of Bradford and I’m just going to share with you what we did at Bradford over the last year or so, since the legislation was announced. I think we would all agree that there has been a lot of reading, writing, sharing, angst, confusion, frustration and so on over the last year but I think that we all got there in the end. Feel free to chip in as we go along if you have got any comments or questions and we have put some time aside after my bit for others to share their experiences and generally vent a bit!
So we’ll look at the last year, any issues that we found along the way, both from what we did at Bradford and what we tried to do as a sector leading up to the law coming into effect. We do have some outstanding queries that you may all be able to help with based on your own experiences. There’s been some development and news articles since the law came into effect which you may or may not have seen, and then we have some plans for what to do next.
So a lot has happened over the last year – both in terms of announcements, work within institutions and work across the sector. On 24 May 2011 I sent an email to the INFO MGT mailing list asking what others were doing. We were planning on reviewing our privacy policy in terms of what cookies we use. It sounded so simple back then! The post created a lot of discussion with most people planning on doing the same.
https://www.jiscmail.ac.uk/cgi-bin/webadmin?A2=WEBSITE-INFO-MGT;3423fc3e.1105
So on 26 May the law changed and, like most others, we had our privacy policy online in draft form, as we knew we would have to do some more work in the following year. Is this pretty much what everyone did?
BIT OF DISCUSSION HERE
And then on 27 May Brian sent an email inviting everyone to contribute to a Google spreadsheet of their privacy policies, which a lot of people did. Feel free to update your entry after today. I can send round the link.
Can send round the links later or add these slides to Slideshare.
Then last year at this very conference I attended a talk from Jason Miles-Campbell from JISC Legal about Your Top Ten Legal Issues to be Thinking about Now – and cookies were very much the hot topic, and we all left both informed and confused!
Following the conference it was decided that we should try and put our sector heads together and work collaboratively on this – as everyone would have to do more or less the same process within their institution and ultimately write a very similar updated privacy policy. So a Google doc was created and people from IWMW last year were invited to join in. The uptake wasn’t massive, understandably – it’s not the most thrilling topic, but we made a start. Note that we (i.e. Brian!) were clearly thinking ahead and that the aim of the doc was to create a report to be presented at IWMW 2012. Well, we’ve not quite done a report but we’re here to share good practice and keep that dialogue going. I’ll come onto what we could do next as a sector later.
By November our Updated Privacy Policy was on the agenda for our Information, Infrastructure, Access and Security Group, which the University’s Legal Advisor also sits on, and this committee would ultimately sign it off in time for the year’s grace period to be up. Then in December the Information Commissioner’s Office published their half term report on cookie compliance, basically saying that everyone had to try harder! I would have thought that by this time most people had forgotten about it and were too busy counting down the days to Christmas.
But not me!! I did another blog and had a think about what we had done so far and reflected that we did, indeed, need to do more!! We needed to check exactly what cookies we were using, not just what they did, and needed to go back and check third party cookies also. And there was a reminder about the Google spreadsheet mentioned earlier.
Brian also blogged about the half term report and included an update on institutional activities and who had published privacy policies etc. The ICO had also published a new set of Guidelines on the Rules on use of Cookies and Similar Technologies and Brian kindly picked out the key points and again promoted the Google doc and the Google spreadsheet.
In February we created a Draft Privacy Policy Template based on the Bradford one to share with the sector and invited comments on the policy. It is hosted on the JISCPress service and people can leave comments. I used this to store my thoughts as we went through the process here at Bradford and a few people did comment – so thanks!
It all went quiet for a while but in the background John and I were inputting into an article that Brian was writing for JISC Inform. This came out in the spring edition and gave some general background to the new law and some handy tips for what to do before May 2012. It also promoted the draft policy template mentioned previously.
And then it seemed to be a couple of months of fevered activity. Our Privacy Policy was going back and to between the Committee and the Web Team and we were reading everything and anything to do with the subject, even though a lot of it made no sense or seemed to be conflicting: which cookies were completely necessary and which weren’t. Then it was crunch time on 25 May (which was a Friday), so we fine-tooth-combed the policy and we were just about to go for it when we read the ‘implied consent’ article from the ICO. So we made a few tweaks and went for it. Although I’m not totally convinced we got it right – but I’ll come onto that in a bit!
DID ANYONE ELSE MAKE LAST MINUTE ADJUSTMENTS?
-------------------------------------------------------
First issued in May 2011, the guidance has been updated to clarify the following points around implied consent:
Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.
Also on the 25th May I blogged about where we were up to, and later in the day added in a bit about ‘implied consent’. I think I win the prize for finding the best cookie monster pic on Flickr!!
So on 25th May our revised and revised again Privacy and Cookie Policy went live. I’d like to point out that we cover data protection as well as the new EU cookie law as it’s hard to separate out the two.
But in hindsight it is probably a bit hidden. It’s in the footer of our corporate pages and academic school sites and it’s being added to new templates as we make them.
WHERE HAS EVERYONE ELSE PUT THEIR LINKS? IN THE TOP? A POP UP?
What is the general consensus on getting people to click something to say that they have read and understood how each site uses cookies? Is this what implied consent means?
So following 26 May there’s been some more useful advice from JISC including this podcast from 1 June which features Mike Nolan from Edge Hill and John! Well worth a listen.
And also JISC Legal have updated their guidance.
This is quite a new one on me and something I picked up off Twitter the other day. John may know more about this! This working party is looking at potential exemptions from the legislation if:
– the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”;
– the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”;
though if they relate to individual users, websites still need to inform users about them, under data protection law.
----------------------------------------
The Article 29 Data Protection Working Party was set up under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It has advisory status and acts independently.
It’s now thought that these will cover . . .
These are the potential exemptions. But I think we need to keep an eye on this. Janet have written an article which helps explain it a bit more.
http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/06/12/art-29wp-on-cookies-specific-and-pragmatic-advice/
Useful article from JANET
So is the law a load of flannel that no one will pay any attention to? Well it appears not. 5 EU countries are being taken to court for cookie law failures but part of the problem might be inconsistencies in how the law is being applied.
Belgium
Netherlands
Poland
Portugal
Slovenia
An article from earlier in May suggests that there isn’t yet a common approach to enforcement of the new laws across the EU and that there was no guarantee that website practices that are deemed compliant with new consent requirements to cookies in one EU country would also be found to comply with laws in the other EU member states.
http://www.out-law.com/en/articles/2012/may/lack-of-single-eu-approach-to-cookies-enforcement-would-cause-problems-for-cross-border-businesses-expert-says/
However, the results are in and, not surprisingly, sites which inform users that cookies are running and then offer the option to disable them – implicit consent – are seeing exceptionally high acceptance rates of up to 99.7%, according to customer data platform QuBit’s analysis of 500,000 interactions since the EU Privacy Directive was enforced on 26 May. By comparison, sites that seek explicit consent from users before receiving cookies are seeing consent rates of just 57.2%. The report also found that using a notification-only method, which only informs users that cookies are running on the site, results in a 99.9% consent rate. Which I take to be implied consent? I think we are currently operating under implicit consent which is potentially not enough?
So what do we do now as individual institutions but also as a sector?
At Bradford we are wondering whether we need to do a systems audit as most of the systems that we use are delivered online. Do we need a warning that basically says “You can’t use this system if you don’t accept cookies”? Examples would be our online shop, VLE etc. Or do we not need to do this after the Article 29 possible exemptions? Should the notices or warnings only be on the pages that use cookies, e.g. shopping baskets, or should there be something on the front page of each system? As an exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example – we may not need to do anything with our systems.
Do we need to do anything with trackable emails? HAS ANYONE ELSE?
Are we doing enough at Bradford? Our privacy and cookies policy isn’t immediately obvious – it’s in the footer of all our main web pages and is being added to new templates in the CMS as we do them. Should we add a pop-up on the first page and give more prominence? THOUGHTS?
Should we categorise our cookies to make them more understandable: strictly necessary, settings-led, feature-led, functional and analytical, third party?
We’re keeping an eye on everything and the privacy and cookies policy will be monitored and reviewed by the Information, Infrastructure, Access and Security Committee.
I think as a sector we’ve been at the forefront of getting on with it and taking action and taking the legislation seriously. It would be good to respond to some of the press around compliance in other countries and sectors and submit a press release on the work that we’ve been doing? A sector case study almost. Happy to lead on that if others would like to include their stories?