| 2003 Rule | 2011 Rule |
|---|---|
| Must provide clear and comprehensive information | Must provide clear and comprehensive information |
| Must provide an option to opt-out | Must obtain consent |
- where a cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and
- where storage or access to a user’s device is strictly necessary for the provision of a service requested by the user or subscriber
Probably not what you think is strictly necessary! The exception is narrow: it does not cover uses that are merely reasonable, or that are necessary for things you wish to do with the data, and it does not cover analytics cookies such as those set by Google Analytics. The cookie must be strictly necessary for a service specifically requested by the user, not for a service you wish to provide. A common example is a cookie that remembers what is in your shopping basket when you click on “check-out”, since a user would reasonably expect the site to remember this. Other cookies that fall under the exemption are those required to comply with other legislation, such as the 7th data protection principle set out in Schedule 1 to the Data Protection Act 1998; in other words, cookies used to provide security and authentication. The ICO gives the following examples:
NO! The law applies to any similar technology that stores information on, or accesses information stored on, a user’s terminal equipment. For example, this includes Local Shared Objects (or "Flash cookies"), web beacons or bugs, and HTML5 localStorage.
The University operates a devolved environment when it comes to information security and compliance issues. Council Secretariat is generally responsible for the management of compliance issues which affect the whole University, but the implementation of its guidance is devolved to individual departments. The University therefore recognises that, in order to comply with the law, it is imperative to have a coordinated approach towards issues such as this and also to provide clear guidance and instruction to all relevant users. The Infosec team is therefore working closely with the Legal Services Office, Council Secretariat and webmasters from the central services providers such as OUCS, BSP and PAD in order to tackle the central sites first and to provide guidance, advice and instruction to the rest of the University.
It is recognised that time is tight to be fully compliant by the end of May 2012 and we need to be realistic about what we can do by then. However it is important that we start addressing this issue and have a plan in place to achieve compliance in the longer term. Creating this plan is now underway and we are taking the approach of dealing with some of the higher-profile central sites first. The tools, methods and techniques used will then be shared with the rest of the University for you to follow suit. In the first instance you should be carrying out an initial audit of your cookie usage.
- Identification of the cookies in use
- Confirmation of each cookie’s purpose
- Confirmation of whether each cookie links to or contains personal information
- Identification of the data each cookie holds
- Whether each cookie is a session cookie or a persistent cookie
- Whether each cookie is a first party or a third party cookie
- If third party, who the third party is
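The checklist above is largely a manual exercise, but several of its columns can be filled in mechanically from the Set-Cookie headers a site sends. The following script is an added example (not code from the University or the original page): it parses captured Set-Cookie headers, decides whether each cookie is first or third party relative to the site being audited, whether it is a session or persistent cookie, and records its security attributes. The hostnames, cookie names and header values in SAMPLE_RESPONSES are constructed for illustration; purpose and personal-data content are left as "TBC" because only the site owner can answer them.

```python
# Added example: helper for the cookie audit checklist. Not part of the
# original page. Reads (response host, Set-Cookie header) pairs, e.g. copied
# from a browser's network tool, and records the machine-determinable facts.
from email.utils import parsedate_to_datetime

# Constructed sample input: hostnames and cookies are made up for illustration.
SAMPLE_RESPONSES = [
    ("www.example.ac.uk", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.ac.uk", "basket=item42; Path=/shop; Max-Age=3600"),
    ("www.example.ac.uk",
     "prefs=lang-en; Domain=.example.ac.uk; Expires=Wed, 01 Jan 2025 00:00:00 GMT"),
    ("www.analytics-vendor.example",
     "_track=xyz; Domain=.analytics-vendor.example; Max-Age=63072000"),
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Flag attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def domain_matches(host, domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    host = host.lower()
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def lifetime(attrs):
    """'session' if the cookie dies with the browser, otherwise describe
    how long it persists (Max-Age takes precedence over Expires)."""
    if "max-age" in attrs:
        try:
            return "persistent (%d s)" % int(attrs["max-age"])
        except ValueError:
            return "persistent (invalid Max-Age)"
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
            return "persistent (until %s)" % when.strftime("%Y-%m-%d")
        except (TypeError, ValueError):
            return "persistent (unparseable Expires)"
    return "session"


def audit_cookie(site_host, response_host, header):
    """Produce one audit row for a cookie set by response_host while
    auditing site_host."""
    name, _value, attrs = parse_set_cookie(header)
    # With no Domain attribute the cookie belongs to the host that set it.
    cookie_domain = attrs.get("domain") or response_host
    bare_domain = cookie_domain.lstrip(".")
    first_party = domain_matches(site_host, cookie_domain)
    return {
        "name": name,
        "domain": bare_domain,
        "party": "first" if first_party else "third (%s)" % bare_domain,
        "lifetime": lifetime(attrs),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "(unset)"),
        "purpose": "TBC",        # must be confirmed by the site owner
        "personal_data": "TBC",  # does the value identify a person? owner to confirm
    }


def audit(site_host, responses):
    """Audit every (response host, Set-Cookie header) pair for site_host."""
    return [audit_cookie(site_host, host, hdr) for host, hdr in responses]


if __name__ == "__main__":
    for row in audit("www.example.ac.uk", SAMPLE_RESPONSES):
        print(row)
```

Cookies set from JavaScript (document.cookie) or stored in localStorage never appear in response headers, so a header-based pass must be supplemented by inspecting the page's scripts and the browser's storage view; the script only covers what the server sends.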
If you have any further questions about the use of this spreadsheet you should contact firstname.lastname@example.org.
There is no one-size-fits-all solution, nor one particular tool that you are mandated to use. We are working on a number of possibilities, but please bear in mind that this advice may change in the future. For the time being we have heard good reports of the Firefox add-on "View Cookies". It may not show certain cookies that are browser specific, but it provides a good starting point and a consistent approach for now. To minimise the chance of missing cookies you should, however, ensure that your browser settings are appropriate. For example, when auditing a site you should:
Well, if you have any particularly intrusive cookies you should consider whether you need to use them at all, or whether their use can be amended. The University will be providing guidance on the classification of cookies very soon, along with some examples. In the meantime the Government Digital Service gives the following examples:
- The information you provide must be sufficiently full and intelligible
- You must allow individuals to understand clearly the potential consequences of allowing the cookies
- Specific descriptions of use are more likely to satisfy the requirements than simply listing cookies along with their basic functions.
- Making information on privacy and use more prominent is important
- This could be done by simple formatting or positional changes (e.g. making the font bigger on links to privacy policies and moving the link to the top of the page).
- Providing consent
- There are numerous ways in which this can be done and for more details and examples see the ICO’s guidance. More information will be provided on this as time goes on but in the meantime the priority is to audit your cookie use and make sure you are providing clear and comprehensive information on their use.
- Can’t you just implement one Oxford cookie for consent?
- In theory you could obtain consent for cookies set on connected sites. However, this is likely to be impractical at a University level, since we would need to be absolutely clear which sites the cookies were set on, what they were used for, and what the users were agreeing to. Populating and maintaining such a list would be very difficult. It may be feasible for particular cookies, though, and would likely be very feasible for smaller subgroups (e.g. departments). We are, of course, looking into any options whereby we may be able to avoid duplication of work.
- Are intranets covered?
- Not according to the ICO. See section 13 of the ICO's guidance.
- Great! But what is an intranet?
- Good question. JANET's Chief Regulatory Advisor suggests that they are sites where the website and its users are on the same private network. It seems a fair assumption that a VPN could still be considered private, but that simply requiring a username and password for services available from the general Internet probably wouldn’t be. One question to ask is whether the cookies that are set are sent over a public electronic communications network. This brings the likes of webmail and VLE systems into scope; however, we’d suggest that sites/services intended for use by the public should be the first priority. Remember that data protection laws always apply (including to intranets)!
- What if we do nothing?
- What about Google Analytics?
- Finally, the question you have all been wondering about! Again, the answer is not to panic. The ICO can’t rule out formal action, but the Commissioner has made it pretty clear that he is unlikely to prioritise cookies where the level of intrusiveness is low and the risk of harm to individuals is low. This doesn’t mean they are exempt, and you must still provide clear and comprehensive information on their use. However, it does mean we probably have some time to consider how to obtain consent for such cookies.
- Ok, where do I start again?
It should be pretty clear from this that the main priorities are to audit your sites and then to think about providing clear and comprehensive information. So, if you are still reading this, stop now and go and carry out your cookie audit!
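The "Providing consent" item above notes that the 2011 rule moves from opt-out to consent, while the strictly necessary exemption still lets a site set cookies the user's requested service depends on. The following is an added example (not code from the University or the original page) of how a server can enforce that split before any Set-Cookie header leaves it: strictly necessary cookies are always sent, everything else is withheld until consent has been recorded. The assumptions are ours: consent is taken to be recorded in a cookie named "cookie_consent" with the value "all", and the cookie names and categories in COOKIE_REGISTER are made up for illustration.

```python
# Added example: server-side consent gate for outgoing Set-Cookie headers.
# Not part of the original page; cookie names, categories and the consent
# cookie "cookie_consent" are assumptions made for this illustration.

COOKIE_REGISTER = {
    # name -> True if strictly necessary for a service the user requested
    "SESSIONID": True,        # login session: security and authentication
    "basket": True,           # remembers the shopping basket at check-out
    "cookie_consent": True,   # records the consent choice itself
    "_track": False,          # analytics: not strictly necessary
    "adpref": False,          # personalised advertising: not strictly necessary
}


def parse_cookie_header(header):
    """Turn a request's Cookie header into a dict of name -> value."""
    cookies = {}
    for pair in (header or "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def has_consent(request_cookie_header):
    """True only if the user has positively recorded consent (assumed
    to be cookie_consent=all); absence or any other value means no."""
    return parse_cookie_header(request_cookie_header).get("cookie_consent") == "all"


def filter_set_cookies(request_cookie_header, set_cookie_headers):
    """Return (allowed, withheld): the Set-Cookie headers the server may send,
    and the names of those held back. A cookie missing from the register is
    treated as not strictly necessary, so an unregistered cookie is withheld
    by default rather than leaked."""
    consent = has_consent(request_cookie_header)
    allowed, withheld = [], []
    for header in set_cookie_headers:
        name = header.split(";", 1)[0].partition("=")[0].strip()
        essential = COOKIE_REGISTER.get(name, False)
        if essential or consent:
            allowed.append(header)
        else:
            withheld.append(name)
    return allowed, withheld


# Constructed sample: the cookies an application wants to set on a response.
DESIRED = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "_track=xyz; Max-Age=63072000",
    "unknown_cookie=1",
]

if __name__ == "__main__":
    print("before consent:", filter_set_cookies("", DESIRED))
    print("after consent: ", filter_set_cookies("SESSIONID=abc123; cookie_consent=all", DESIRED))
```

The withheld list is worth logging: a cookie name turning up there that nobody expected is usually a cookie that was never entered in the audit spreadsheet, which is exactly what the audit is meant to catch.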
More information will follow and please direct any queries to email@example.com