IT Services



New Cookie Regulations – Frequently Asked Questions



1. What is a Cookie?

A cookie is a small file of alphanumeric text, downloaded onto a computer or other device (e.g. mobile phone), which enables the website to recognise that equipment and monitor an individual’s browsing activity. Cookies serve a number of useful purposes, such as analysing the use of a website, storing password information in order to allow an individual to move through a restricted website without having to re-enter log-in details each time, or to add items to an online shopping basket. However, they also give rise to concerns about the protection of privacy, which is why they are regulated.



2. What are the new cookie regulations?

The Privacy and Electronic Communications (EC Directive) Regulations (the ‘regulations’) have always required those setting cookies to provide ‘clear and comprehensive information’ about the purposes for which they are used. In 2011, the regulations were amended to require that website operators also obtain prior consent for the use of cookies.



3. Who has to comply with the new cookie regulations?

Any organisation based in the UK will be subject to the new requirements even if the website is technically hosted overseas. In addition, organisations based outside of Europe (the regime applies across the EU) with websites which are designed to be used by people in Europe may also be caught by these requirements.



4. What impact could these new Cookie regulations have?

The regulations relate to storing, or gaining access to information stored on, any equipment or device, and the law has a particular impact on website operators. The regulations predominantly affect the use of cookies; however, it should be noted that they also apply to similar technologies, including “local shared objects” and “web beacons”.



5. What does the law require?

The law requires you to:

  1. provide clear and comprehensive information about the purposes of the storage of, or access to, that information; AND
  2. obtain consent prior to storing, or accessing, that information.


6. What does ‘clear and comprehensive information’ mean?

The regulator’s current guidance on this topic states that it “should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies [or similar technologies] should they wish to do so”. Given the level of public awareness about these types of technologies, the regulator recognises that you may wish to provide a broad explanation of the way cookies and similar technologies operate (as appropriate) and the categories of cookies and similar technologies used on your website. This information may be included in a “Privacy Policy” and/or a specific “Cookie Statement”, which should be easily noticeable and accessible to even a casual visitor to your website. It would also be advisable to provide a link from this explanation to more detailed information about the particular technologies used, which might be presented in a simple table. The University has produced a Privacy Policy and Cookie Statement for http://www.ox.ac.uk.



7. What is meant by ‘consent’?

Consent must be a freely given, specific and informed indication of an individual’s wishes. Accordingly, the individual must have been provided with the information described above, been given a choice to accept the proposed use of these technologies and knowingly indicated their acceptance by some positive act, such as clicking an icon, sending an email or subscribing to a service. You cannot presume consent on the basis that an individual may have been told how to opt-out of the use of such technologies.



8. Can consent be implied?

The regulator’s revised guidance has created a lot of discussion about the role of implied consent. For implied consent to work, the consenting individual must take some action from which their consent can be inferred, and that individual must have a reasonable understanding that by doing so they are agreeing to cookies being set. Navigating to a web page is unlikely to fulfil these requirements, because research has shown that website users have a poor understanding of cookies generally, let alone how they may be used on your website.



9. Are there any exceptions?

There are two narrow exceptions which we do not anticipate being widely available to University websites. The law does not apply to the technical storage of, or access to, information:

  1. for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  2. where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

We have not identified any University uses which would fall within the exception at (1) and would point out that the exception at (2) is a narrow one. The exception at (2) would only apply to the use of those restricted technologies which are essential (rather than reasonably necessary) to provide a service explicitly requested by the individual concerned or to comply with any legislation which may relate to that service. Examples include the use of cookies to add items to an online shopping basket or to provide security in the course of using online banking services.



10. What happens if I fail to comply?

Compliance is a legal requirement. The Information Commissioner’s Office has been charged with enforcing this law and it has powers to require a website operator to (a) provide it with specified information, (b) provide an undertaking to improve its compliance, and (c) pay a penalty of up to £500,000. Everyone will need to be able to show that they have taken sensible, measured action to move to compliance, and where full compliance has not been achieved, you will be expected to provide a clear explanation as to why it was not possible to comply in the time allowed and the timescale in which you expect to achieve compliance.



11. What do I have to do to make sure my website is compliant?

The University has created guidance for compliance with the law and expects that all webmasters take steps to become compliant. The basic steps are:

  1. Undertake an audit and catalogue the cookies that are being used.
  2. Provide a clear and detailed statement that explains the cookies you are using and describes their purpose.
  3. Provide the individual with the ability to consent to the use of any of the cookies (including instructions on how to withdraw consent).
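As an added example, not code from the University toolkit, the following Node script covers step 1 above: it parses Set-Cookie headers captured from a site's HTTP responses (as a crawler or proxy would record them), classifies each cookie as session or persistent and as first- or third-party, and marks which cookies need consent because they are not on the site's list of strictly necessary cookies. The site name, cookie names and captured responses are constructed, and treating SESSIONID and basket as strictly necessary is an assumption of the example that a real audit would have to justify against the exceptions described in question 9.

```javascript
// Added example (not part of the University toolkit): a small cookie audit that
// catalogues Set-Cookie headers captured from a site's HTTP responses, as a
// proxy or crawler would record them. The site name, cookie names and responses
// below are constructed for illustration.

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are lower-cased; value-less attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0],
    value: eq >= 0 ? parts[0].slice(eq + 1).trim() : '',
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    cookie.attrs[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return cookie;
}

// Lifetime in seconds from the audit time: Max-Age takes precedence over Expires
// (RFC 6265); a cookie with neither is a session cookie and yields null.
function lifetimeSeconds(cookie, now) {
  if (cookie.attrs['max-age'] !== undefined) {
    const n = parseInt(cookie.attrs['max-age'], 10);
    return Number.isNaN(n) ? null : n;
  }
  if (cookie.attrs.expires !== undefined) {
    const t = Date.parse(cookie.attrs.expires);
    return Number.isNaN(t) ? null : Math.round((t - now) / 1000);
  }
  return null;
}

// Build the catalogue: one entry per Set-Cookie, classified by party and lifetime,
// and flagged as needing consent unless its name is on the strictly necessary list.
function auditCookies(records, { siteDomain, strictlyNecessary, now }) {
  const exempt = new Set(strictlyNecessary);
  return records.map(({ url, setCookie }) => {
    const host = new URL(url).hostname;
    const cookie = parseSetCookie(setCookie);
    const secs = lifetimeSeconds(cookie, now);
    const firstParty = host === siteDomain || host.endsWith('.' + siteDomain);
    return {
      name: cookie.name,
      host,
      party: firstParty ? 'first' : 'third',
      type: secs === null ? 'session' : 'persistent',
      lifetimeSeconds: secs,
      secure: cookie.attrs.secure === true,
      httpOnly: cookie.attrs.httponly === true,
      needsConsent: !exempt.has(cookie.name),
    };
  });
}

// Constructed sample capture: a login, a shopping basket, an analytics cookie
// and a cookie set by an embedded third-party widget.
const SAMPLE_RESPONSES = [
  { url: 'https://www.example.ac.uk/login',
    setCookie: 'SESSIONID=a1b2c3; Path=/; Secure; HttpOnly' },
  { url: 'https://www.example.ac.uk/basket',
    setCookie: 'basket=item42; Path=/; Max-Age=3600; Secure' },
  { url: 'https://www.example.ac.uk/',
    setCookie: '_ga=GA1.2.111.222; Domain=example.ac.uk; Path=/; Expires=Sun, 26 May 2013 00:00:00 GMT' },
  { url: 'https://widgets.third-party.example/embed.js',
    setCookie: 'pref=1; Path=/; Max-Age=2592000; SameSite=None; Secure' },
];

const AUDIT_OPTIONS = {
  siteDomain: 'example.ac.uk',                // hypothetical site under audit
  strictlyNecessary: ['SESSIONID', 'basket'], // names the site has justified as essential (assumed)
  now: Date.parse('2012-05-26T00:00:00Z'),    // fixed audit time so lifetimes are reproducible
};

function runSampleAudit() {
  return auditCookies(SAMPLE_RESPONSES, AUDIT_OPTIONS);
}

// Headline figures for the compliance report.
function summarise(catalogue) {
  return {
    total: catalogue.length,
    needingConsent: catalogue.filter((c) => c.needsConsent).length,
    thirdParty: catalogue.filter((c) => c.party === 'third').length,
    persistent: catalogue.filter((c) => c.type === 'persistent').length,
  };
}

console.table(runSampleAudit());
console.log(summarise(runSampleAudit()));
```

The catalogue this produces is the raw material for step 2 (the cookie statement) and step 3 (deciding which cookies a consent mechanism must gate). Note that a short Max-Age does not make a cookie exempt, and a session cookie is not exempt either: only the name-based strictly necessary list decides, which is why that list should be reviewed by whoever is accountable for the site.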


12. Do I have to report any changes I make to anyone?

No. Every website has to comply with the law and the University expects all web owners to be checking and making any necessary amendments to their sites. There is no requirement to report changes made or compliance to the University.



13. The website I manage was made years ago and there is no one to maintain it – do I have to do anything?

Yes, every website comes under the new legislation and it is essential that all websites are checked for cookies and necessary changes made if cookies are found to be present.



14. I don’t have anyone technical to check or change our website. Is there any help available?

It is very important that all websites are checked using some form of audit tool and that changes are made to ensure cookies are used with consent. The University is putting together a selection of tools and ideas to help you to complete the audit and/or any changes you may need. In order to comply with the law you may have to find someone technical to help you to complete both of the tasks.



15. I think my website has cookies but I would prefer not to have any. Is it safe to remove them?

Most cookies are there to help track or record short-lived information, and in many cases they are not needed at all. Removing cookies should not reduce website functionality; however, you may want to check this before removing them altogether.



16. What is a privacy policy and how should I display it on my website?

A privacy policy is intended to provide a clear statement about the information you collect in relation to your website users and what you do with that information. It will usually contain information about your use of cookies and may link to a more detailed cookie statement. Links to a privacy policy and cookie statement must be visible from any of the website pages and be easy to find. The University has a privacy policy which you may wish to link to from your website where appropriate.



17. Do I have to give people the option not to use the cookies or can I just tell them they are there?

The law is very clear that if you are using cookies the individual must be informed that they are being used, be given information on what they are being used for and be given the choice of having the cookies installed or not installed on their computer.



18. I have heard that some cookies are exempt, how do I know if my cookies are exempt?

A description of the limited exemptions is given above. The cookie guidance states that the exemption in connection with what is “strictly necessary” to provide a service explicitly requested by an individual will be interpreted narrowly. The guidance also gives an indication of the limited scenarios this would apply to:

  1. A cookie that is essential to ensure the security of a service explicitly requested by the individual – for example a cookie set when a person logs into a service or a restricted part of a website.
  2. A cookie that is essential (rather than reasonably necessary or desirable) to provide a service explicitly requested by the individual – for example cookies set when the individual is buying things with a shopping basket tool.

All other cookies are therefore NOT exempt. There is further guidance and examples available in the information security toolkit.



19. What happens if my site links to other sites or facilities where there are cookies?

If your site links to other web functions or has embedded functionality (often called third-party) that sets cookies, then you have a responsibility to advise the individual that the functionality will have cookies and you have to give them the option of accepting those cookies. It would be sufficient to give individuals prior notice that a specific functionality uses cookies, with a link to more detailed information next to the feature they may be required to click on to use that functionality. However, we understand that many embedded features set cookies as soon as an individual visits a page, and this may be more problematic.



20. My website is not hosted in Oxford - do I need to do anything?

Any organisation based in the UK will be subject to the new requirements even if the website is technically hosted overseas. In addition, organisations based outside of Europe (the regime applies across the EU) with websites which are designed to be used by people in Europe may also be caught by these requirements.



21. I have a question about my department's website but I have no idea who owns or maintains it – how do I find out?

Your first port of call should be your local IT support staff. If you don't know who that is OUCS should be able to help you find out.



22. My department doesn’t have anyone responsible for the website. Who has to take responsibility for making the changes?

Ultimately the head of the department or unit has to take responsibility for ensuring the website meets all legal requirements.



23. How quickly do I have to do all of this?

The law came into force in May 2011 and everyone was given until the 26th May 2012 to become compliant. In practice the law will be more actively enforced from the 26th May 2012, which means that legal action could be taken against any non-compliant websites from that date. Efforts therefore should now be underway to evaluate the compliance of your website and to take action where necessary.



24. Who has to pay for this – are there any extra funds available to help with compliance?

There are no funds available for implementing compliance. The University is providing a free and updated toolkit but any financial consequences of changes that have to be made are the responsibility of the website owner.



25. Are there any tools available that can help me audit my website?

Yes, there are a growing number of tools and prepared audit software that can assist you in detecting the cookies that your site is using. There are examples and guidance provided in the information security toolkit. This list will be updated as appropriate.



26. Is it right that session cookies are exempt?

No. ‘Session cookie’ is the term for a cookie that lasts only for the time that an individual is on your web pages. Session cookies will only be exempt if they fall into the limited exception described above.



27. Do I have to detail all of the different cookies my website uses?

Yes. You have to provide clear and comprehensive information that identifies the cookies that you are using and the purposes for which they are used. The only exceptions to this are those described above.



28. Is it enough to just tell people that the cookies are there?

No. The law explicitly requires you to obtain consent prior to setting a cookie, which usually means giving the individual an informed choice to accept or decline a cookie.



29. Are analytic cookies like Google Analytics exempt?

No. All analytic cookies must be declared and the individual given a choice to accept them.



30. How do I make the privacy statement more prominent?

It is recommended that access to the privacy statement should be available on every page and be clearly visible. There are various recommendations for making this information more prominent. Links from a header, footer or page widget are perhaps the most popular.



31. Can I use plugins or widgets to advise about the cookies?

Yes. There are several possible solutions starting to become available and depending on your website language several may be a good solution for you. Details of possible solutions will be regularly updated in the toolkit.



32. Are there any rules on how long cookies should be set for?

No. Generally you should set cookies only for as long as is necessary for the functionality of the website. It is good practice to have short expiration dates. The longer cookies persist on an individual’s computer equipment, and the more information they may be used to collect, the more privacy intrusive they will be. The more privacy intrusive a cookie, the more you will need to do to bring its use to the individual’s attention and obtain clear consent.
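An added example, not University code, of how a website's server code can apply the consent rule in questions 17 and 28 together with the expiry advice here: a non-essential cookie is only emitted once the visitor has consented to its category, every category has a lifetime cap, and withdrawing consent produces the headers that clear the cookies concerned (step 3 of question 11). The cookie catalogue, the category names and the lifetime caps are constructed local policy for illustration, not values taken from the regulations or the University's cookie statement.

```javascript
// Added example (not University code): server-side helper that emits a
// Set-Cookie header for a non-essential cookie only once the visitor has
// consented to that cookie's category, caps each category's lifetime, and
// produces the headers that clear cookies when consent is withdrawn.
// The catalogue, categories and lifetime caps below are constructed local policy.

const LIFETIME_CAP_SECONDS = {
  'strictly-necessary': 24 * 3600,  // login session, basket: a day at most (assumed policy)
  analytics: 30 * 24 * 3600,        // assumed policy: 30 days rather than the years often requested
  preferences: 365 * 24 * 3600,
};

// The site's cookie catalogue (constructed): every cookie the site sets, with its category.
const COOKIE_CATALOGUE = {
  SESSIONID: { category: 'strictly-necessary', httpOnly: true },
  basket: { category: 'strictly-necessary', httpOnly: true },
  _ga: { category: 'analytics', httpOnly: false },
  lang: { category: 'preferences', httpOnly: false },
};

function isEssential(category) {
  return category === 'strictly-necessary';
}

// Returns the Set-Cookie header to add to the response, or null when the
// cookie must not be set. `consent` is the visitor's recorded choice per
// category, e.g. { analytics: true }; an empty object means nothing agreed.
function setCookieHeader(name, value, requestedMaxAge, consent) {
  const def = COOKIE_CATALOGUE[name];
  if (!def) {
    throw new Error(`cookie "${name}" is not in the catalogue; declare it before use`);
  }
  if (!isEssential(def.category) && consent[def.category] !== true) {
    return null; // no prior consent: the cookie is simply not set
  }
  const maxAge = Math.min(requestedMaxAge, LIFETIME_CAP_SECONDS[def.category]);
  const attrs = [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${maxAge}`,
    'Secure',
    'SameSite=Lax',
  ];
  if (def.httpOnly) attrs.push('HttpOnly');
  return attrs.join('; ');
}

// Headers that expire every non-essential cookie in the withdrawn categories;
// strictly necessary cookies are never cleared this way.
function withdrawConsentHeaders(withdrawnCategories) {
  return Object.keys(COOKIE_CATALOGUE)
    .filter((name) => {
      const { category } = COOKIE_CATALOGUE[name];
      return !isEssential(category) && withdrawnCategories.includes(category);
    })
    .map((name) => `${name}=; Path=/; Max-Age=0; Secure`);
}

// Demonstration run: what an HTTP handler would add to its response headers.
const noConsent = {};
const analyticsOnly = { analytics: true };
console.log(setCookieHeader('SESSIONID', 'a1b2c3', 3600, noConsent));
console.log(setCookieHeader('_ga', 'GA1.2.111.222', 2 * 365 * 24 * 3600, noConsent));
console.log(setCookieHeader('_ga', 'GA1.2.111.222', 2 * 365 * 24 * 3600, analyticsOnly));
console.log(withdrawConsentHeaders(['analytics']));
```

Two design points are worth noting. Throwing on an unknown cookie name forces developers to add a cookie to the catalogue, and therefore to the cookie statement, before the site can set it, which keeps the audit and the statement from drifting apart. Capping the lifetime in code rather than relying on each call site means a two-year analytics cookie requested by a library is shortened to the site's policy without anyone having to remember.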



33. May I use the University privacy policy or do I have to create my own?

The University has a privacy policy which can be linked to from your website where appropriate. Generally each website will need to create its own privacy policy and cookie statement that details the specific cookies used. The University cookie statement can be copied and used as a template for your own website.



34. Where can I get further advice from?

The toolkit has lots of helpful advice and this will be regularly updated as possible solutions and good practice become available. If you have a specific problem or issue that you would like some specific information on, then you are welcome to use the contacts below: