The most eagerly awaited IWMW session EVER

Workshop session C1: Responding to the Cookie Monster

We are . . .

• John Kelly, Principal Legal Information Specialist with JISC Legal

• Claire Gibbons, Senior Web and Marketing Manager, University of Bradford

We’ll cover . . .

• The Legal Stuff– Legal requirements– Clarifying the ICO guidance on how to comply with the new

cookie law requirements– Appropriate Wording for Policies– Tips for Compliance

• What Bradford and the sector did• Good, bad and best practice and views on the Cookie

Law – discussion, sharing, venting!• What next for institutions and the sector – ideas and

suggestions

John with the Legal Stuff

Claire with ‘what we did’

How Bradford Made Friends with the Cookie Monster

What we did

• Timeline• Issues• Remaining queries• Articles and news since May 2012• Next steps

• Announcement of the change in the law• 24 May 2011 - email sent to JISCMAIL list

from me

A year in the life . . .

• 26 May 2011: Law changed and we had a year to comply

• May/June 2011: Draft policy online at Bradford , clearly marked draft

• 27 May: Brian set up Google spreadsheet

• Google Spreadsheet

• 26 July 2011: Session with Jason Miles-Campbell last year at IWMW. Cookies was a hot topic

• August 2011 (after IWMW11): Google doc set up for the sector

• November 2011: Privacy Policy on agenda of University of Bradford committee

• 13 December 2011: Half term report from ICO – must try harder

• December 14 2011: Blog post for sector invite and Google doc

• December 15 2011: Brian’s blog post on the Half Term Report

• February 2012: Created Draft Privacy Policy for comment

• Spring 2012: JISC Inform article

• 25 May 2012 (later!): Updated info from ICO re: implied consent

• 25 May 2012: blog post from me(updated later that day!)

• 25 May 2012: Privacy Policy Amended and launched

• But it’s probably a bit hidden!

A novel approach!

• Post-26 May Guidance– JISC podcast

• Post-26 May Guidance– updated guidance from JISC Legal

• Article 29 Working Party– CRITERION A: the cookie is used

“for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”

Exemptions?• User-input cookies (e.g. shopping carts): probably exempt under Criterion

B (but note comments on cookie lifetime);• Authentication cookies: probably exempt under Criterion B if used within

a single browser session; need to warn the user beforehand (i.e. get implied consent) if the cookie will persist across browser sessions;

• User-centric security cookies (e.g. to detect repeated login failures): may be exempt under Criterion B, but need to check specific details;

• Multi-media Player Session Cookies: probably exempt under Criterion B, but make sure they aren’t used for other purposes;

• Load-balancing Session Cookies: probably exempt under Criterion A;• UI Customisation Cookies: short-lifetime cookies probably exempt under

Criterion B, for longer lifetimes obtain implied consent as for authentication cookies;

• Social Plug-in Sharing Cookies: may be exempt under Criterion B, but only if they are restricted to logged-in users and limited to a session;

• Art.29WP on Cookies – specific and pragmatic advice

Law taken seriously

Not consistent across EU

But what does the averageuser think?

The results are in

Next steps

• Systems and cookies audit?• Are we doing enough?• Continuous review through Committee

structure• Update the Privacy Policy Template?• Sector article on our actions to national

magazines/blogs etc? Big up the sector!

Useful Resources

• http://econsultancy.com/uk/reports/the-eu-cookie-law-a-guide-to-compliance

• http://blogs.brad.ac.uk/web-team/• http://www.marketingweek.co.uk/news/impli

cit-consent-best-practice-on-cookies/4002151.article

• http://www.out-law.com/en/articles/2012/may/lack-of-single-eu-approach-to-cookies-enforcement-would-cause-problems-for-cross-border-businesses-expert-says/

Thanks – over to you for discussion, questions, sharing, venting!

What should the sector do next?

Apart from go and watch the football . . .

Thanks!