The cookie monster#ukgc12

Peter McClymontWeb content managerNorth Devon Council

@iamadonut@ndevoncouncil#WeeklyBlogClub

Disclaimer

These are my own views and do not necessarily represent the views or policies of my employer.

This presentation should be considered informal guidance and is not a representation of the law, its interpretation or enforcement.

www.ico.gov.ukwww.allaboutcookies.org/www.cookielaw.org

Advice and guidance borrowed heavily from these sources

WTF????

OMG!!!!!

This presentation is to inform and stimulate discussion, share best practice and hopefully lead to considered viewpoints

The EU Cookie Directive

Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws Text with EEA relevance

Article 3

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

Directive 2009/136/EC

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011

came into force on 26 May 2011

...a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met...(2) The requirements are that the subscriber or user of that terminal equipment(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and(b) has given his or her consent.

Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)

No longer can you rely upon implied consent. If someone wants to use your website, they must given express consent that cookies or other programs or files are placed on their computer or device.

Device includes mobile or tablet.

The regulation requires: [that] website owners get consent in order to store or access information (including cookies) on users computers unless the cookie is strictly necessary to provide a service requested by the user.Source: ICO

Why?

Privacy lawsProtection of personal dataCookies misunderstood- must be bad- not viruses- but can be used to hoover up informationDesire to police the web

Information Commissioner

Enforcing body in the UK

Providing adviceWill not enforce until 26 May 2012 to allow time to discuss with industry on compliance

Up to 500,000 fine for non-compliance

Who wants to be the test case?

ICO advice

carry out audit

decide whether cookies are intrusive

decide on solution for gaining user's consent

See the ICO site for the latest advice date December 2011

Audit

self audit

third party

SocitmSiteMorseothers

Types of cookies

Session

Persistent

First and third party

Session and persistent cookies Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer. The Regulations apply to both types of cookies:

Session cookies allow websites to link the actions of a user during a browser session. They may be used for a variety of purposes such as remembering what a user has put in their shopping basket as they browse around a site. They could also be used for security when a user is accessing internet banking or to facilitate use of webmail. These session cookies expire after a browser session so would not be stored longer term. For this reason session cookies may sometimes be considered less privacy intrusive than persistent cookies. Persistent cookies are stored on a user's device in between browser sessions which allows the preferences or actions of the user across a site (or in some cases across different websites) to be remembered. Persistent cookies may be used for a variety of purposes including remembering users preferences and choices when using a site or to target advertising. First and third party cookies Whether a cookie is first or third party refers to the website or domain placing the cookie. First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.

Audit methodology

automated SiteMorse audit covering www.northdevon.gov.uk

manual checking of www.northdevon.gov.uk pages containing third party content using Firefox web developer tools

manual checking of webforms using Firefox web developer tools

manual checking of third party web ends planning, payments, licensing, benefits calculator - using the Firefox web developer tools

information from third party suppliers Northgate, Innogistic, Ovaltech, Lalpac, Civica

The audit identifies:

name of cookies set

purpose

lifetime

Answers to these questions help categorise the cookies, determine whether they are intrusive and/or unnecessary and what happens if the cookie is disabled

Name: _utmaTypical content: randomly generated numberExpires: 2 years

Name: _utmbTypical content: randomly generated numberExpires: 30 minutes

Name: _utmcTypical content: randomly generated numberExpires: when user exits browser

Name: _utmzTypical content: randomly generated number + info on how the site was reached (e.g. directly or via a link, organic search or paid search)Expires: 6 months

Google Analytics cookies

Explaining cookies

Don't forget to update your privacy statement

Exceptions

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.Source: ICO

Activities likely to fall within the exception

A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket

Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested for example in connection with online banking services

Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers

Source: ICO.

Activities unlikely to fall within the exception

Cookies used for analytical purposes to count the number of unique visits to a website for example

First and third party advertising cookies

Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored

Source: ICO.

Obtaining consent

tick box at the top of its website.

pop-up tick boxes

global consent?

The use of tick boxes and/or pop-ups raises usability and accessibility concerns.

The pop-up approach

The terms and conditions approach

The registration approach

The preferences approach

Other issues

Consent required for any landing page

Consent may require setting a cookie (!)

Consent required for subsites using third party web front ends

Problems?

Analytics

Third party web front ends

Social media accounts/platforms

Malicious scripting

Both ICO and Torridge have lost 90% of traffic because of the pop-up banners.

Other server side analytics: AW Stats

User control of cookies

Most web users will be unaware that they can control how content is delivered and/or displayed through their web browser.

For example, most modern web browsers will automatically enable Javascript to ensure that the intended functionality of web pages that deploy this common technology.

Disabling Javascript is a simple task. However, many web pages use Javascript to improve functionality. If Javascript is turned off, pages may cease to function, links wont work and so on.

Because most cookies are set using Javascript, disabling Javascript will stop cookies being set on a users device. However, as above, many cookies are an essential part of page functionality: many pages will cease to function, links wont work and so on.

A user disabling Javascript or cookies would have access to most services offered by our website.

Directive 2009/136/ECPECR 2011Cookie: flickr.com/photos/roboppy/115562673/

Credits