Subject: FW: Cookies and new ICO guidance
From: Andy Powell <[log in to unmask]>
Reply-To: Museums Computer Group <[log in to unmask]>
Date: Wed, 14 Dec 2011 16:32:34 +0000
Content-Type: text/plain


A good summary here from Ranjit Sidhu on the [log in to unmask] list. Pretty much aligns with what Mike has been saying I think.

Andy

--
Andy Powell
Research Programme Director
Eduserv
t: 01225 474319
m: 07989 476710
twitter: @andypowe11
blog: efoundations.typepad.com

www.eduserv.org.uk

From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Ranjit Sidhu
Sent: 14 December 2011 11:38
To: [log in to unmask]
Subject: Cookies and new ICO guidance

Hi All,

Thought I would let you all know about the new ICO guidance about the EU cookies and privacy law as per the earlier conversation on Jiscmail - see below.

The good news is that common sense (and some, no doubt, massive lobbying by Google et al) has led to a light touch interpretation of the law. The ICO document downloadable at http://t.co/kvNH1QME is never going to win a plain English award, but the crux is that it is really repeating what we highlighted the guidance said six months ago with a clear mention of the analytical cookie:


1. p12 "Check what type of cookies you use and how you use them", in other words: Do a site audit! WASP http://webanalyticssolutionprofiler.com/ is a good free software that allows you to see cookies on a page, but also do an expert (i.e. manual!) check of top home pages. Reality for Unis is: make sure you only have an analytical cookie, not some advertising third party cookie, on your site.

2. p12 "Check how intrusive your use of these cookies is". See below email as to the 1 to 10 sliding scale that was mentioned in the previous guidance and repeated here - they really want to check that you are not "creating detailed profiles of an individual's browsing activity". Page 13 provides a good check list and is also good guidance as to what to put in explaining the cookie. In reality, if you are using GA, as 99% of Unis are, you are a 1/2 (max 3) out of 10.

3. p14 and p15 are clear examples of where and how to put your cookie statements, to use "plain English", even though looking at the report the ICO would struggle to do this...

4. p15 This is the key statement: "Which method (of consent) will be appropriate to get for cookies will depend in the first instance on what cookies you use" - in other words, 'we are not making a blanket ban - check what you are doing, if you are not being evil and creating a profile on the user without them knowing with a persistent cookie, then be sensible, do all that we have told you to do and you will be ok'. And to confirm....

On the last page (p 27) specifically on "analytical cookies" they say "In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement...... Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."

So there you go...

As a last point, as I know there has been a lot of talk on this, and plenty of scare stories peddled by legal practitioners in particular, make sure you and your bosses are aware as to the enforcement of this (p24 of the report). The ICO will first issue an information notice if they think the organisation is doing something wrong, then ask it to take an "undertaking" notice which asks the organisation to change some practice to comply or an "enforcement" notice to make it comply; only finally, if your organisation totally doesn't listen at all, will it be fined! In other words, it is about the ICO helping organisations comply and improve rather than jumping out of the blue on organisations, naming them as illegal and shutting them down. There are some industries this is going to affect badly... newspapers etc... but honestly, what you Unis do in tracking is very, very low in its privacy implications.

My personal view is don't be scared of this regulation, but embrace it; its raison d'être was an attempt to make the web space less underhand in its tracking and less intimidating for those non-technical to understand who/what is tracking them. After all, all this analytical tracking is being done to improve the users' experience and save money for your organisation by being more efficient, and isn't that worth shouting (in plain English) about?

Cheers

Sid





From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Ranjit Sidhu
Sent: 26 May 2011 13:14
To: [log in to unmask]
Subject: Re: Changes to the rules on using cookies and similar technologies for storing information

Hi All,

Having just got back from holiday was surprised at all the emails on this - we all knew this was coming and there was a long email string about it a couple of months back on Jiscmail? Strange thing is that the ICO guidelines are actually far more relaxed than we expected and should be seen as an opportunity to clarify what the sector does (which is very little regarding intrusion in the world of cookies and tracking) rather than seen in a negative light as more red tape. In my quick review of uni sites it seems to have just led to re-workings of jargon-ridden privacy policies, which is exactly what the legislation is against.

Couple of basic points:

ICO guidelines are really clear on page 3 and 4 that it is all about 1. What you use your cookies for and 2. How intrusive they are. It goes on to point out that some cookies will have no privacy implication or "simply allow you to improve your website based on information such as links" and compares it to the intrusive cookies that "involves creating detailed profiles of an individual browsing history". It states that it is important that you think of it as a sliding scale - and need specific acceptance for the latter rather than the former currently (this may change but not for a time).

So:

Universities do 1. Track behaviour to improve the website to make sure it is efficient in both terms of user experience and investment (remember the article of Universities website costing so much? Well here you can clearly spell out that this is required to make sure you spend less and target it!) 2. Use tracking of aggregated groups such as geographical or organisations to allow the websites to be in the future maximised to benefit the university.

Universities (or generally that I know of) 1. Do not track individual behaviour to sell targeted advertising or make a profit by selling the data 2. Do not compile the users' data to allow a third party to sell advertising or make a profit by selling the data (belt and braces: make sure the Google Analytics share data opt in is off) 3. Do not allow the tracking of users once they have left the organisational website 4. Do not create detailed individual profiling on an individual basis 5. Do not (in the case of GA) even process data so that the university can track an individual user (very very low on intrusive scale) unless the data is specifically provided by the visitor (eg Forms)

So your cookies experience is "generally" about a 2 (max 3) out of 10 in the intrusive cookie scale. And to me, no, the BBC is not a good model to follow; it is far wider in its use of cookie and tracking and is a different business model, for example its site seen internationally is now covered in advertising and therefore uses what could be deemed as much more intrusive cookies.

ICO then goes on to actually tell you what to do in your case when talking about the "analytic cookie", that perhaps you should make it more "prominent" (and I would say more clear!) by placing "text in the footer" as to what you track and do not "via privacy pages of the site".

So surely:

Make sure there is a clear footer link that leads you to a Privacy Page or even a scroll down that says:

1. We do track you to....

2. We do NOT track you to.....

3. If you want to not be tracked click here to opt out (e.g. http://tools.google.com/dlpage/gaoptout)


Longer term - make sure you audit your site properly to check there isn't any legacy or evil tags anywhere - something that can be done cheaply (no more than £100 to £200 from the myriad of companies out there that do this). Make sure all Web Editors etc. know that all cookie usage or data use needs to be approved in the future and....

BINGO !!! ??? !!!

Sorry for being flippant, and yes I can think of a lot of what ifs, but to me it seems generally clear that this is what is currently required and all the government can be said to be reasonably requesting you to do?

Brian, totally agree with Sector response


Cheers

Sid aka Ranjit







On 26 May 2011, at 10:49, Adrian Tribe wrote:



Hi Brian,

Yes, I saw your blog post earlier and I totally agree that the last thing we need
is for unis to go down various different routes in finding/attempting to develop
solutions to this problem.  I certainly agree that the best approach is to encourage
"use of privacy-compliant browsers and user education", as I simply can't see how
else a workable and practicable solution to complying with the spirit of this law
can be achieved. (Let's forget about the letter of the law for the moment, as we
can only be sure about the meaning of that once there have been some court
cases!)

Writing a page giving some basic information about cookies in general and
the specific cookies used on that uni's web site(s) is something that I would
suggest every uni should do, if nothing else because it shows that there is
no "lack of action" on our part if the ICO come asking.  I suspect most of us
will be copying the wording used elsewhere and just tailoring info about the
specific cookies we use (most of which can probably also be copied from
elsewhere - e.g. about Google Analytics).  So I don't have a problem with
spending some time creating such a page myself.

I can't be at IWMW this year (it's in the school hols!), but look forward to seeing
the output from any collaborative contemplations regarding a whole-sector
proposal for a 'business-friendly' solution.  The page about cookies isn't a solution
and it isn't meant to be.  It's just some information to show we like to be open
about such things.

Best wishes,
Adrian


From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Brian Kelly
Sent: 26 May 2011 10:13
To: [log in to unmask]
Subject: Re: Changes to the rules on using cookies and similar technologies for storing information

Hi Adrian
     "Now I'd better get on and write a page about cookies for our site...!"
    And so will people at ~160 other UK Universities and replicate work, lose benefits of collaboration, many eyes, ...!
     More importantly if we want to provide the 'business-friendly' solution which Ed Vaizey has said the Government is looking for we need to provide a sectoral response.  The last thing we need is for University A to provide an ICO-style optin/optout box on every page whilst University B feels that encouraging use of privacy-compliant browsers and user education is an appropriate response.
     There is a session on Online Privacy at IWMW 2011. There is also a slot which could be used at the end of the event.  Could we come up with some proposals for how the sector should respond?  Anyone interested in getting involved in a small group to do this?
    I've posted some thoughts on this at:
http://ukwebfocus.wordpress.com/2011/05/26/how-should-uk-universities-respond-to-eu-cookie-legislation/

Thanks

Brian

---------------------------------------------------------------------------------
Brian Kelly, UKOLN, University of Bath, BATH, UK, BA 2 7AY
Email: [log in to unmask]
Blog: http://ukwebfocus.wordpress.com/
Twitter: @briankelly and @ukwebfocus
Phone: +44 1225 383943

From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Adrian Tribe
Sent: 26 May 2011 08:15
To: [log in to unmask]
Subject: Re: Changes to the rules on using cookies and similar technologies for storing information

It's reassuring to hear that the ICO were saying yesterday that "Organisations and
businesses that run websites aimed at UK consumers are being given up to 12
months to 'get their house in order' before enforcement of the new EU cookies
law begins".

Not that this means we can all forget about it for 12 months of course, as the same
ICO press release goes on to say:  "So we're giving businesses and organisations
up to one year to get their house in order. This does not let everyone off the hook.
Those who choose to do nothing will have their lack of action taken into account
when we begin formal enforcement of the rules."

So the approach of adding something general to terms and conditions / privacy
policy pages now, while then taking time to think through the most appropriate
course of action according to our own use of cookies seems a very sensible one
to me.

Now I'd better get on and write a page about cookies for our site...!

Best wishes,
Adrian

From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Brian Kelly
Sent: 24 May 2011 16:55
To: [log in to unmask]
Subject: Re: Changes to the rules on using cookies and similar technologies for storing information

Hi Claire
       As I have just mentioned on Twitter I have published a survey of the privacy settings for the 20 UK Russell Group University Web sites: see http://ukwebfocus.wordpress.com/2011/05/24/privacy-settings-for-uk-russell-group-university-home-pages/
    I used the W3C Privacy Dashboard - a Firefox extension - for the survey.
    Note that Dave Raggett, the developer, will be talking about privacy issues at IWMW 2011, to be held at the University of Reading on 26-27 July - see http://iwmw.ukoln.ac.uk/iwmw2011/
    I'd be interested to hear if anyone is planning to provide a machine-readable statement of their privacy policies.

Brian

---------------------------------------------------------------------------------
Brian Kelly, UKOLN, University of Bath, BATH, UK, BA 2 7AY
Email: [log in to unmask]
Blog: http://ukwebfocus.wordpress.com/
Twitter: @briankelly and @ukwebfocus
Phone: +44 1225 383943

From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Claire Gibbons
Sent: 24 May 2011 11:33
To: [log in to unmask]
Subject: Changes to the rules on using cookies and similar technologies for storing information

Hi all

Has anyone done anything in particular in response to the changes to the rules on using cookies and similar technologies for storing information from the ICO?

http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf

We were going to update and add to our privacy policy in terms of what cookies we use and why, and that's about it for now.

Useful article: http://www.pcpro.co.uk/news/enterprise/367198/ico-browser-settings-not-enough-for-cookies-law

"The ICO said it will issue "separate guidance" on how it plans to enforce the new regulations, but stressed it would only investigate websites after receiving a complaint, and then will merely require sites to show they have a "realistic plan to achieve compliance"."

Cheers

C.


--------------------------------------------------------------
Claire Gibbons | Senior Web and Marketing Manager | Marketing and Communications

University of Bradford | BD7 1DP | E: [log in to unmask] | T: 01274 236529

http://www.bradford.ac.uk | http://twitter.com/BradfordUni |
www.youtube.com/UniversityOfBradford | http://www.wildwestyorkshire.com

British Science Festival comes to Bradford, Sept 2011: http://blogs.brad.ac.uk/bsf/
-------------------------------------------------------------




The University of Aberdeen is a charity registered in Scotland, No SC013683.
On 26 May 2011, at 12:21, Jon Warbrick wrote:


On Thu, 26 May 2011, David Mackland wrote:


I like the BBC's approach - http://www.bbc.co.uk/privacy/bbc-cookies-policy.shtml

They identify all potential cookies delivered from their sites, describe what they do and provide links out to how they can be rejected. Simples (to keep in with the insurance quotes)

Obviously the BBC is a leader of standards so perhaps this could form the basis for UK Universities' approach?

My take is that this approach was fine until today when (at least in theory) the new regulations came into force. Unless all the BBC cookies are "strictly necessary for the provision of an information society service" requested by me then they now need to obtain my consent if they want to "store or gain access to information stored" in my browser. At a quick look I don't think all the BBC cookies fall under "strictly necessary" as interpreted by the ICO's guidance ([1]).

The Department for Culture, Media and Sport has published an open letter about the cookie rules [2]. My take is that it seems to be trying to say that consent doesn't need to be obtained in advance, which is 'interesting'. It also seems to say that relying on existing browser controls (at least their default settings) isn't sufficient.

There's a lot more dust that is going to need to settle before we are going to be able to see where this is all going. There are some witterings in my blog [3] on this subject and I fear there will be more in the future.

Jon.

[1] http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf
[2] http://www.dcms.gov.uk/images/publications/cookies_open_letter.pdf
[3] http://jw35.blogspot.com/search/label/cookies

--
Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge


****************************************************************
       website:  http://museumscomputergroup.org.uk/
       Twitter:  http://www.twitter.com/ukmcg
      Facebook:  http://www.facebook.com/museumscomputergroup
 [un]subscribe:  http://museumscomputergroup.org.uk/email-list/
****************************************************************
