1. What has changed?

The law which applies to the use of cookies and similar technology changed on 26th May 2011. The Information Commissioner’s Office (ICO) said that this would be enforced from 26th May 2012.

2. What is new?

It has been UK law since 2003 that sites should provide clear and comprehensive information about their use of cookies and similar technology as well as providing an option to opt-out of using cookies. The new law means that, instead of simply leaving the option to “opt-out”, site owners must actively obtain consent for the use of cookies and similar technologies.

2003 Rule                                          2011 Rule
Must provide clear and comprehensive information   Must provide clear and comprehensive information
Must provide an option to opt-out                  Must obtain consent

This is a good time to ensure that all websites are compliant with the legislation from 2003 as well as thinking about obtaining consent for the use of cookies and similar technologies.

3. What should we be doing?

Basically, if you are setting cookies you should:

  • tell people which cookies are there;
  • explain what the cookies are doing; and
  • obtain consent from the user to store a cookie on their device

4. Are there any exceptions to this?

There are a couple of exceptions to this law which are:

  • where a cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and
  • where storage or access to a user’s device is strictly necessary for the provision of a service requested by the user or subscriber

Exceptions mean that you don't have to provide information or obtain consent.

5. What does “strictly necessary” mean?

Probably not what you think is strictly necessary! The exception is pretty limited and does not cover use that is merely reasonable, or that is necessary only for the uses you wish to make of the data. It also doesn’t cover analytics cookies such as those set by Google Analytics. The cookie must be strictly necessary for a service specifically requested by the user, not for one you wish to provide. A common example is a cookie that remembers what is in your shopping basket when you click on “check-out”, since it is reasonable to expect that a user would wish the site to remember this! Other cookies that would fall under the exemption are those required to comply with other legislation, such as the 7th data protection principle set out in Schedule 1 to the Data Protection Act 1998; in other words, cookies that are used to provide security and authentication. The ICO gives the following examples:

Likely to fall within the exception   Unlikely to fall within the exception
Remembering shopping baskets          Cookies used for analytical purposes
Cookies that provide security         First and third party advertising cookies
Load balancing                        Cookies to remember users

6. Can I get round this by using something other than a cookie?

NO! The law applies to any similar technology that stores information on, or accesses information stored on, a user’s terminal equipment. For example, this includes Local Shared Objects (or "Flash cookies"), web beacons or bugs, and HTML5 localStorage.

7. What is the University doing about this?

The University operates a devolved environment when it comes to information security and compliance issues. Council Secretariat is generally responsible for the management of compliance issues which affect the whole University, but the implementation of its guidance is devolved to individual departments. The University therefore recognises that, in order to comply with the law, it is imperative to have a coordinated approach towards issues such as this and also to provide clear guidance and instruction to all relevant users. The Infosec team is therefore working closely with the Legal Services Office, Council Secretariat and webmasters from the central services providers such as OUCS, BSP and PAD in order to tackle the central sites first and to provide guidance, advice and instruction to the rest of the University.

8. What do we all need to do?

Essentially, if you are setting cookies you will need to:

  • Audit the use of cookies (and similar technologies)
  • Assess how intrusive their use is
  • Where possible/appropriate reduce intrusiveness
  • Decide how to request and give consent

9. I’ll never do that by the end of May 2012!!

It is recognised that time is tight to be fully compliant by the end of May 2012 and we need to be realistic about what we can do by then. However it is important that we start addressing this issue and have a plan in place to achieve compliance in the longer term. Creating this plan is now underway and we are taking the approach of dealing with some of the higher-profile central sites first. The tools, methods and techniques used will then be shared with the rest of the University for you to follow suit. In the first instance you should be carrying out an initial audit of your cookie usage.

10. How should I audit my sites?

The ICO has suggested things that should be included in an audit. They are:

  • Identification of cookies
  • Confirmation of their purpose
  • Confirmation of whether cookies link to or contain personal information
  • Identification of the data each cookie holds
  • Whether the cookies are session cookies or persistent cookies
  • Whether the cookies are first or third party cookies
  • If third party, who the third party is
  • A check that your privacy policy provides accurate and clear information

With that in mind we have created a spreadsheet for you to fill in which you can find below along with a simple example and some guidance on how to fill the form in.

Cookie audit spreadsheet

Cookie form guidance

If you have any further questions about the use of this spreadsheet you should contact infosec@oucs.ox.ac.uk.

11. What tool should I use to carry out the audit?

There is no one-size-fits-all tool, and no particular tool that you are mandated to use. We are working on a number of possibilities, however, and please do bear in mind that this advice may change in the future. For the time being we’ve heard good reports of the Firefox add-on "View Cookies". This may not show certain cookies that are browser specific, but it provides a good starting point and a consistent approach for now. In order to minimise the chance of missing certain cookies you should, however, ensure that your browser settings are appropriate. For example, when auditing a site you should:

  • Accept third-party cookies
  • Accept cookies until they expire
  • Don't block pop-ups

We’ll update you further if there are any helpful developments in this respect.
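Whichever add-on you use to collect the cookies, the fields in the section 10 checklist still have to be filled in by hand. As an added example (not a University tool, and not code from this page), the script below takes Set-Cookie headers observed while browsing a site and fills in the fields that can be read mechanically (data held, session or persistent, first or third party, and who the third party is), leaving purpose and personal-data questions for the site owner. The site name, hosts and cookie values are constructed for illustration.

```python
"""Turn observed Set-Cookie headers into rows for an ICO-style cookie audit."""
from http import cookies  # stdlib Set-Cookie parser (SimpleCookie)

# Constructed sample for the hypothetical site www.example.ac.uk:
# (host that sent the response, Set-Cookie header value). Not real cookies.
SITE = "www.example.ac.uk"
OBSERVED = [
    (SITE, "JSESSIONID=9f2c; Path=/; Secure; HttpOnly"),
    (SITE, "basket=3items; Path=/; Expires=Wed, 01 Jan 2014 00:00:00 GMT"),
    (SITE, "_ga=GA1.2.555; Domain=.example.ac.uk; Max-Age=63072000"),
    ("ads.thirdparty.example", "uid=xyz; Domain=.thirdparty.example; Max-Age=31536000"),
]


def audit_cookie(site_host: str, set_by_host: str, header: str) -> dict:
    """Audit fields readable from the header; purpose and personal data stay blank."""
    jar = cookies.SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()  # one cookie per Set-Cookie header
    # Domain attribute, else the setting host; first party if the audited site is it or a subdomain.
    domain = (morsel["domain"] or set_by_host).lstrip(".").lower()
    first_party = site_host == domain or site_host.endswith("." + domain)
    if morsel["max-age"]:  # Max-Age takes precedence over Expires
        lifetime = f"{int(morsel['max-age']) // 86400} days"
    elif morsel["expires"]:
        lifetime = f"until {morsel['expires']}"
    else:
        lifetime = None  # no expiry attribute: a session cookie, gone when the browser closes
    return {
        "name": name,
        "data_held": morsel.value,
        "party": "first" if first_party else "third",
        "third_party": None if first_party else domain,
        "type": "session" if lifetime is None else "persistent",
        "lifetime": lifetime or "session",
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "purpose": "",        # to be confirmed by the site owner
        "personal_data": "",  # to be confirmed by the site owner
    }


def audit_site(site_host: str, observed) -> list:
    """One audit row per observed Set-Cookie header."""
    return [audit_cookie(site_host, host, hdr) for host, hdr in observed]


if __name__ == "__main__":
    for row in audit_site(SITE, OBSERVED):
        print(f"{row['name']:<11}{row['party']:<7}{row['type']:<11}{row['lifetime']}")
```

The rows map directly onto the columns of the audit spreadsheet; a cookie whose purpose you cannot state after running this is exactly the one the audit is meant to surface.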

12. What next?

12.1. Assessing Intrusiveness

Well, if you have any particularly intrusive cookies you should consider whether you need to use these, or whether their use can be amended. The University will be providing some guidance on classification of cookies very soon along with some examples. In the meantime the Government Digital Service gives the following examples:

How intrusive?         Type of application
Moderately Intrusive   Embedded third-party content and social media plugins
                       Advertising campaign optimisation
Minimally Intrusive    Web analytics/metrics
                       Personalised content/interface
Exempt                 Preventing multiple form submissions
                       Load balancing
                       Transaction specific cookies

12.2. Providing Information

Cookies that are minimally intrusive are likely to be less of a priority, provided you are giving clear and comprehensive information on their use. So this should be the priority in the short term. The University is addressing how to do this on the central sites and is also revising its central privacy policy. More information and guidance will be provided on this, but in the meantime you should consider the following:

  • The information you provide must be sufficiently full and intelligible
  • You must allow individuals to understand clearly the potential consequences of allowing the cookies
  • Specific descriptions of use are more likely to satisfy the requirements than simply listing cookies along with their basic functions.
  • Making information on privacy and use more prominent is important
  • This could be done by simple formatting or positional changes (e.g. making the font bigger on links to privacy policies and moving the link to the top of the page).
12.3. Providing consent

There are numerous ways in which this can be done; for more details and examples see the ICO’s guidance. More information will be provided on this as time goes on, but in the meantime the priority is to audit your cookie use and make sure you are providing clear and comprehensive information on their use.

13. Can’t you just implement one Oxford cookie for consent?

In theory you could obtain consent for cookies set on connected sites. However, this is likely to be impractical at a University level, since we would need to be absolutely clear which sites the cookies were set on, what they were used for, and what the users were agreeing to. Populating and maintaining such a list would be very difficult. However, this may be feasible for particular cookies and would likely be very feasible for smaller subgroups (e.g. departments). We are, of course, looking into any options whereby we may be able to save duplication of work.

14. Are intranets covered?

Not according to the ICO. See section 13 of the ICO's guidance.

15. Great! ... but what is an intranet?

Good question. JANET's Chief Regulatory Advisor suggests that an intranet is a site where the website and its users are on the same private network. It seems a fair assumption that a VPN could still be considered private, but that simply requiring a username and password for services available from the general Internet probably wouldn’t be. One question to ask is whether the cookies that are set are sent over a public electronic communications network. This brings the likes of webmail and VLE systems into scope; however, we’d suggest that sites/services intended for use by the public should be the first priority. Remember that data protection laws always apply (including to intranets)!

16. What if we do nothing?

This is LAW and isn’t going to go away no matter what you think of it. The ICO has the ability to apply monetary penalties of up to £500,000, and if we have done nothing we will be fairly defenceless in the event of a complaint. However, the good news is that we are doing something about this and have a plan to work towards compliance. In the shorter term we shouldn’t panic, but we should now be auditing our sites and making sure we provide clear and comprehensive information on the use of cookies.

17. What about Google Analytics?

Finally, the question you have all been wondering about! Again, the answer is not to panic. The ICO can’t rule out any formal action, but the Commissioner has made it pretty clear that he is unlikely to prioritise cookies where there is a low level of intrusiveness and the risk of harm to individuals is low. This doesn’t mean they are exempt, and you must still provide clear and comprehensive information on their use. However, it does mean we probably have some time to consider how to obtain consent for such cookies.

18. Ok, where do I start again?

It should be pretty clear from this that the main priorities are to audit your sites and then to think about providing clear and comprehensive information. So, if you are still reading this, stop now and go and carry out your cookie audit!

More information will follow; please direct any queries to infosec@oucs.ox.ac.uk.