how bradford made friends with the cookie monster v0.1
TRANSCRIPT
The most eagerly awaited IWMW session EVER
Workshop session C1: Responding to the Cookie Monster
We are . . .
• John Kelly, Principal Legal Information Specialist with JISC Legal
• Claire Gibbons, Senior Web and Marketing Manager, University of Bradford
We’ll cover . . .
• The Legal Stuff
  – Legal requirements
  – Clarifying the ICO guidance on how to comply with the new cookie law requirements
  – Appropriate Wording for Policies
  – Tips for Compliance
• What Bradford and the sector did
• Good, bad and best practice and views on the Cookie Law – discussion, sharing, venting!
• What next for institutions and the sector – ideas and suggestions
John with the Legal Stuff
Claire with ‘what we did’
How Bradford Made Friends with the Cookie Monster
What we did
• Timeline
• Issues
• Remaining queries
• Articles and news since May 2012
• Next steps
• Announcement of the change in the law
• 24 May 2011 - email sent to JISCMAIL list from me
A year in the life . . .
• 26 May 2011: Law changed and we had a year to comply
• May/June 2011: Draft policy online at Bradford, clearly marked draft
• 27 May: Brian set up Google spreadsheet
• Google Spreadsheet
• 26 July 2011: Session with Jason Miles-Campbell last year at IWMW. Cookies was a hot topic
• August 2011 (after IWMW11): Google doc set up for the sector
• November 2011: Privacy Policy on agenda of University of Bradford committee
• 13 December 2011: Half term report from ICO – must try harder
• December 14 2011: Blog post for sector invite and Google doc
• December 15 2011: Brian’s blog post on the Half Term Report
• February 2012: Created Draft Privacy Policy for comment
• Spring 2012: JISC Inform article
• 25 May 2012 (later!): Updated info from ICO re: implied consent
• 25 May 2012: blog post from me (updated later that day!)
• 25 May 2012: Privacy Policy Amended and launched
• But it’s probably a bit hidden!
A novel approach!
• Post-26 May Guidance – JISC podcast
• Post-26 May Guidance – updated guidance from JISC Legal
• Article 29 Working Party
  – CRITERION A: the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.
  – CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”
Exemptions?
• User-input cookies (e.g. shopping carts): probably exempt under Criterion B (but note comments on cookie lifetime);
• Authentication cookies: probably exempt under Criterion B if used within a single browser session; need to warn the user beforehand (i.e. get implied consent) if the cookie will persist across browser sessions;
• User-centric security cookies (e.g. to detect repeated login failures): may be exempt under Criterion B, but need to check specific details;
• Multi-media Player Session Cookies: probably exempt under Criterion B, but make sure they aren’t used for other purposes;
• Load-balancing Session Cookies: probably exempt under Criterion A;
• UI Customisation Cookies: short-lifetime cookies probably exempt under Criterion B, for longer lifetimes obtain implied consent as for authentication cookies;
• Social Plug-in Sharing Cookies: may be exempt under Criterion B, but only if they are restricted to logged-in users and limited to a session;
• Art.29WP on Cookies – specific and pragmatic advice
Law taken seriously
Not consistent across EU
But what does the average user think?
The results are in
Next steps
• Systems and cookies audit?
• Are we doing enough?
• Continuous review through Committee structure
• Update the Privacy Policy Template?
• Sector article on our actions to national magazines/blogs etc? Big up the sector!
Useful Resources
• http://econsultancy.com/uk/reports/the-eu-cookie-law-a-guide-to-compliance
• http://blogs.brad.ac.uk/web-team/
• http://www.marketingweek.co.uk/news/implicit-consent-best-practice-on-cookies/4002151.article
• http://www.out-law.com/en/articles/2012/may/lack-of-single-eu-approach-to-cookies-enforcement-would-cause-problems-for-cross-border-businesses-expert-says/
Thanks – over to you for discussion, questions, sharing, venting!
What should the sector do next?
Apart from go and watch the football . . .
Thanks!