A good summary here from Ranjit Sidhu on the [log in to unmask] list. Pretty much aligns with what Mike has been saying I think.
Andy
--
Andy Powell
Research Programme Director
Eduserv
t: 01225 474319
m: 07989 476710
twitter: @andypowe11
blog: efoundations.typepad.com
www.eduserv.org.uk
From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Ranjit Sidhu
Sent: 14 December 2011 11:38
To: [log in to unmask]
Subject: Cookies and new ICO guidance
Hi All,
Thought I would let you all know about the new ICO guidance about the EU cookies and privacy law as per the earlier conversation on Jiscmail - see below.
The good news is that common sense (and some, no doubt, massive lobbying by Google et al) has led to a light touch interpretation of the law. The ICO document downloadable at http://t.co/kvNH1QME is never going to win a plain English award, but the crux is that it is really repeating what we highlighted the guidance said six months ago with a clear mention of the analytical cookie:
1. p12 "Check what type of cookies you use and how you use them", in other words: Do a site audit! WASP http://webanalyticssolutionprofiler.com/ is a good free software that allows you to see cookies on a page, but also do an expert (i.e. manual!) check of top home pages. Reality for Unis is make sure you only have an analytical cookie not some advertising third party cookie on your site,
2. p12 "Check how intrusive your use of these cookies is". See below email as to the 1 to 10 sliding scale that was mentioned in the previous guidance and repeated here - they really want to check that you are not "creating detailed profiles of an individual's browsing activity". Page 13 provides a good check list and is also good guidance as what to put in explaining the cookie. In reality if you are using GA as 99% of Unis are you are a 1/2 (max 3) out of 10.
3. p14 and p15 are clear examples of where and how to put your cookie statements, to use "plain english", even though looking at the report the ICO would struggle to do this...
4. p15 This is the key statement "Which method (of consent) will be appropriate to get for cookies will depend in the first instance on what cookies you use" - In other words - 'we are not making a blanket ban - check what you are doing, if you are not being evil and creating a profile on the user without them knowing with a persistent cookie, then be sensible, do all that we have told you to do and you will be ok.' And to confirm....
On the last page (p 27) specifically on "analytical cookies" they say " In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement...... Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
So there you go...
As a last point as I know there has been a lot of talk on this, and plenty of scare stories peddled by legal practitioners in particular, make sure you and your bosses are aware as to the enforcement of this (p24 of the report). The ICO will first issue an information notice if they think the organisation is doing something wrong, then ask it to take an "undertaking" notice which asks the organisation to change some practice to comply or an "enforcement" notice to make it comply, only finally if your organisation totally doesn't listen at all will it be fined! In other words, it is about the ICO helping organisations comply and improve rather than jumping out of the blue on organisations naming them as illegal and shutting them down. There are some industries this is going to affect badly...newspapers etc.. but honestly, what you Unis do in tracking is very, very low in its privacy implications.
My personal view is don't be scared of this regulation, but embrace it; its raison d'être was an attempt to make the web space less underhand in its tracking and less intimidating for those non technical to understand who/what is tracking them. After all, all this analytical tracking is being done to improve the user's experience and save money for your organisation by being more efficient and isn't that worth shouting (in plain English) about?
Cheers
Sid
From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Ranjit Sidhu
Sent: 26 May 2011 13:14
To: [log in to unmask]
Subject: Re: Changes to the rules on using cookies and similar technologies for storing information
Hi All,
Having just got back from holiday was surprised at all the emails on this - we all knew this was coming and there was a long email string about it a couple of months back on Jiscmail? Strange thing is that the ICO guidelines are actually far more relaxed than we expected and should be seen as an opportunity to clarify what the sector does (which is very little regarding intrusion in the world of cookies and tracking) rather than seen in a negative light as more red tape. In my quick review of uni sites it seems to have just led to re-workings of jargon ridden privacy policies, which is exactly what the legislation is against.
Couple of basic points:
ICO guidelines are really clear on page 3 and 4 that it is all about 1. What you use your cookies for and 2. How intrusive they are. It goes on to point out that some cookies will have no privacy implication or "simply allow you to improve your website based on information such as links" and compares it to the intrusive cookies that "involves creating detailed profiles of an individual browsing history". It states that it is important that you think of it as a sliding scale - and need specific acceptance for the latter rather than the former currently (this may change but not for a time).
So:
Universities do
1. Track behaviour to improve the website to make sure it is efficient in both terms of user experience and investment (remember the article of Universities website costing so much? Well here you can clearly spell out that this is required to make sure you spend less and target it!)
2. Use tracking of aggregated groups such as geographical or organisations to allow the websites to be in the future maximised to benefit the university.
Universities (or generally that I know of)
1. Do not track individual behaviour to sell targeted advertising or make a profit by selling the data
2. Do not compile the users' data to allow a third party to sell advertising or make a profit by selling the data (belt and braces: make sure the Google Analytics share data opt in is off)
3. Do not allow the tracking of users once they have left the organisational website
4. Do not create detailed individual profiling on an individual basis
5. Do not (in the case of GA) even process data so that the university can track an individual user (very very low on intrusive scale) unless the data is specifically provided by the visitor (eg Forms)
So your cookies experience is "generally" about a 2 (max 3) out of 10 in the intrusive cookie scale. And to me, no the BBC is not a good model to follow, it is far wider in its use of cookie and tracking and is a different business model, for example its site seen internationally is now covered in advertising and therefore uses what could be deemed as much more intrusive cookies.
ICO then goes on to actually tell you what to do in your case when talking about the "analytic cookie", that perhaps you should make it more "prominent" (and I would say more clear!) by placing "text in the footer" as to what you track and do not "via privacy pages of the site".
So surely:
Make sure there is a clear footer link that leads you to a Privacy Page or even a scroll down that says:
1. We do track you to....
2. We do NOT track you to.....
3. If you want to not be tracked click here to opt out (eg. http://tools.google.com/dlpage/gaoptout)
Longer term - make sure you audit your site properly to check there isn't any legacy or evil tags anywhere - something that can be done cheaply (no more than £100 to £200 from the myriad of companies out there that do this). Make sure all Web Editors etc. know that all cookie usage or data use needs to be approved in the future and....
BINGO !!! ??? !!!
Sorry for being flippant, and yes I can think of a lot of what ifs, but to me it seems generally clear that this is what is currently required and all the government can be said to be reasonably requesting you to do?
Brian, totally agree with Sector response
Cheers
Sid aka Ranjit
On 26 May 2011, at 10:49, Adrian Tribe wrote:
Hi Brian,
Yes, I saw your blog post earlier and I totally agree that the last thing we need
is for unis to go down various different routes in finding/attempting to develop
solutions to this problem. I certainly agree that the best approach is to encourage
"use of privacy-compliant browsers and user education", as I simply can't see how
else a workable and practicable solution to complying with the spirit of this law
can be achieved. (Let's forget about the letter of the law for the moment, as we
can only be sure about the meaning of that once there have been some court
cases!)
Writing a page giving some basic information about cookies in general and
the specific cookies used on that uni's web site(s) is something that I would
suggest every uni should do, if nothing else because it shows that there is
no "lack of action" on our part if the ICO come asking. I suspect most of us
will be copying the wording used elsewhere and just tailoring info about the
specific cookies we use (most of which can probably also be copied from
elsewhere - e.g. about Google Analytics). So I don't have a problem with
spending some time creating such a page myself.
I can't be at IWMW this year (it's in the school hols!), but look forward to seeing
the output from any collaborative contemplations regarding a whole-sector
proposal for a 'business-friendly' solution. The page about cookies isn't a solution
and it isn't meant to be. It's just some information to show we like to be open
about such things.
Best wishes,
Adrian
From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Brian Kelly
Sent: 26 May 2011 10:13
To: [log in to unmask]
Subject: Re: Changes to the rules on using cookies and similar technologies for storing information
Hi Adrian
"Now I'd better get on and write a page about cookies for our site...!"
And so will people at ~160 other UK Universities and replicate work, lose benefits of collaboration, many eyes, ...!
More importantly if we want to provide the 'business-friendly' solution which Ed Vaizey has said the Government is looking for we need to provide a sectoral response. The last thing we need is for University A to provide an ICO-style optin/optout box on every page whilst University B feels that encouraging use of privacy-compliant browsers and user education is an appropriate response.
There is a session on Online Privacy at IWMW 2011. There is also a slot which could be used at the end of the event. Could we come up with some proposals for how the sector should respond? Anyone interested in getting involved in a small group to do this?
I've posted some thoughts on this at:
http://ukwebfocus.wordpress.com/2011/05/26/how-should-uk-universities-respond-to-eu-cookie-legislation/
Thanks
Brian
---------------------------------------------------------------------------------
Brian Kelly, UKOLN, University of Bath, BATH, UK, BA 2 7AY
Email: [log in to unmask]
Blog: http://ukwebfocus.wordpress.com/
Twitter: @briankelly and @ukwebfocus
Phone: +44 1225 383943
From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Adrian Tribe
Sent: 26 May 2011 08:15
To: [log in to unmask]
Subject: Re: Changes to the rules on using cookies and similar technologies for storing information
It's reassuring to hear that the ICO were saying yesterday that "Organisations and
businesses that run websites aimed at UK consumers are being given up to 12
months to 'get their house in order' before enforcement of the new EU cookies
law begins".
Not that this means we can all forget about it for 12 months of course, as the same
ICO press release goes on to say: "So we're giving businesses and organisations
up to one year to get their house in order. This does not let everyone off the hook.
Those who choose to do nothing will have their lack of action taken into account
when we begin formal enforcement of the rules."
So the approach of adding something general to terms and conditions / privacy
policy pages now, while then taking time to think through the most appropriate
course of action according to our own use of cookies seems a very sensible one
to me.
Now I'd better get on and write a page about cookies for our site...!
Best wishes,
Adrian
From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Brian Kelly
Sent: 24 May 2011 16:55
To: [log in to unmask]
Subject: Re: Changes to the rules on using cookies and similar technologies for storing information
Hi Claire
As I have just mentioned on Twitter I have published a survey of the privacy settings for the 20 UK Russell Group University Web sites: see http://ukwebfocus.wordpress.com/2011/05/24/privacy-settings-for-uk-russell-group-university-home-pages/
I used the W3C Privacy Dashboard - a Firefox extension - for the survey.
Note that Dave Raggett, the developer, will be talking about privacy issues at IWMW 2011, to be held at the University of Reading on 26-27 July - see http://iwmw.ukoln.ac.uk/iwmw2011/
I'd be interested to hear if anyone is planning to provide a machine-readable statement of their privacy policies.
Brian
---------------------------------------------------------------------------------
Brian Kelly, UKOLN, University of Bath, BATH, UK, BA 2 7AY
Email: [log in to unmask]
Blog: http://ukwebfocus.wordpress.com/
Twitter: @briankelly and @ukwebfocus
Phone: +44 1225 383943
From: Managing institutional Web services [mailto:[log in to unmask]] On Behalf Of Claire Gibbons
Sent: 24 May 2011 11:33
To: [log in to unmask]
Subject: Changes to the rules on using cookies and similar technologies for storing information
Hi all
Has anyone done anything in particular in response to the changes to the rules on using cookies and similar technologies for storing information from the ICO?
http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf
We were going to update and add to our privacy policy in terms of what cookies we use and why, and that's about it for now.
Useful article: http://www.pcpro.co.uk/news/enterprise/367198/ico-browser-settings-not-enough-for-cookies-law
"The ICO said it will issue "separate guidance" on how it plans to enforce the new regulations, but stressed it would only investigate websites after receiving a complaint, and then will merely require sites to show they have a "realistic plan to achieve compliance"."
Cheers
C.
--------------------------------------------------------------
Claire Gibbons | Senior Web and Marketing Manager | Marketing and Communications
University of Bradford | BD7 1DP | E: [log in to unmask] | T: 01274 236529
http://www.bradford.ac.uk | http://twitter.com/BradfordUni |
www.youtube.com/UniversityOfBradford | http://www.wildwestyorkshire.com
British Science Festival comes to Bradford, Sept 2011: http://blogs.brad.ac.uk/bsf/
-------------------------------------------------------------
The University of Aberdeen is a charity registered in Scotland, No SC013683.
On 26 May 2011, at 12:21, Jon Warbrick wrote:
On Thu, 26 May 2011, David Mackland wrote:
I like the BBC's approach - http://www.bbc.co.uk/privacy/bbc-cookies-policy.shtml
They identify all potential cookies delivered from their sites, describe what they do and provide links out to how they can be rejected. Simples (to keep in with the insurance quotes)
Obviously the BBC is a leader of standards so perhaps this could form the basis for UK Universities approach?
My take is that this approach was fine until today when (at least in theory) the new regulations came into force. Unless all the BBC cookies are "strictly necessary for the provision of an information society service" requested by me then they now need to obtain my consent if they want to "store or gain access to information stored" in my browser. At a quick look I don't think all the BBC cookies fall under "strictly necessary" as interpreted by the ICO's guidance ([1]).
The Department for Culture, Media and Sport has published an open letter about the cookie rules [2]. My take is that it seems to be trying to say that consent doesn't need to be obtained in advance, which is 'interesting'. It also seems to say that relying on existing browser controls (at least their default settings) isn't sufficient.
There's a lot more dust that is going to need to settle before we are going to be able to see where this is all going. There are some witterings in my blog [3] on this subject and I fear there will be more in the future.
Jon.
[1] http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf
[2] http://www.dcms.gov.uk/images/publications/cookies_open_letter.pdf
[3] http://jw35.blogspot.com/search/label/cookies
--
Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge