I’m Claire Gibbons, the senior web and marketing manager at the University of Bradford and I’m just going to share with you what we did at Bradford over the last year or so, since the legislation was announced. I think we would all agree that there has been a lot of reading, writing, sharing, angst, confusion, frustration and so on over the last year but I think that we all got there in the end. Feel free to chip in as we go along if you have got any comments or questions and we have put some time aside after my bit for others to share their experiences and generally vent a bit!
So we’ll look at the last year, any issues that we found along the way, both from what we did at Bradford and what we tried to do as a sector leading up to the law coming into effect. We do have some outstanding queries that you may all be able to help with based on your own experiences. There’s been some development and news articles since the law came into effect which you may or may not have seen, and then we have some plans for what to do next.
And then on the 27 May Brian sent an email inviting everyone to contribute to a Google spreadsheet of their privacy policies which a lot of people did. Feel free to update your entry after today. I can send round the link.
Can send round the links later or add these slides to Slideshare.
Then last year at this very conference I attended a talk from Jason Miles-Campbell from JISC Legal about Your Top Ten Legal Issues to be Thinking about now – and cookies was very much the hot topic and we all left both informed and confused!
But not me!! I did another blog and had a think about what we had done so far and reflected that we did, indeed, need to do more!! We needed to check exactly what cookies we were using, not just what they did, and needed to go back and check third party cookies also. And there was a reminder about the Google spreadsheet mentioned earlier.
It all went quiet for a while but in the background John and myself were inputting into an article that Brian was writing for JISC Inform. This came out in the spring edition and gave some general background to the new law and some handy tips for what to do before May 2012. It also promoted the draft policy template mentioned previously.
Also on the 25th May I blogged about where we were up to, and later in the day added in a bit about ‘implied consent’. I think I win the prize for finding the best cookie monster pic on Flickr!!
So following the 26 May there’s been some more useful advice from JISC including this podcast from 1 June which features Mike Nolan from Edge Hill and John! Well worth a listen.
And also JISC Legal have updated their guidance.
This is quite a new one on me and something I picked up off Twitter the other day. John may know more about this! This working party is looking at potential exemptions from the legislation if:
• the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.
• the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”
though if they relate to individual users, websites still need to inform users about them, under data protection law
----------------------------------------
The Article 29 Data Protection Working Party was set up under the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It has advisory status and acts independently. It’s now thought that these will cover . . .
These are the potential exemptions. But I think we need to keep an eye on this. Janet have written an article which helps explain it a bit more.
http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2012/06/12/art-29wp-on-cookies-specific-and-pragmatic-advice/
Useful article from JANET
So is the law a load of flannel that no one will pay any attention to? Well it appears not. 5 EU countries are being taken to court for cookie law failures but part of the problem might be inconsistencies in how the law is being applied.
• Belgium
• Netherlands
• Poland
• Portugal
• Slovenia
An article from earlier in May suggests that there isn’t yet a common approach to enforcement of the new laws across the EU and that there was no guarantee that website practices that are deemed compliant with new consent requirements to cookies in one EU country would also be found to comply with laws in the other EU member states.
http://www.out-law.com/en/articles/2012/may/lack-of-single-eu-approach-to-cookies-enforcement-would-cause-problems-for-cross-border-businesses-expert-says/
However, the results are in and not surprisingly sites which inform users that cookies are running and then offer the option to disable them - implicit consent - are seeing exceptionally high acceptance rates of up to 99.7%, according to customer data platform QuBit’s analysis of 500,000 interactions since the EU Privacy Directive was enforced on 26 May. By comparison, sites that seek explicit consent from users before receiving cookies are seeing consent rates of just 57.2%. The report also found that using a notification-only method, which only informs users that cookies are running on the site, results in a 99.9% consent rate. Which I take to be implied consent? I think we are currently operating under implicit consent which is potentially not enough?
Need to find who has taken this pic!!
How Bradford made friends with the Cookie Monster v0.1
The most eagerly awaited IWMW session EVER
Workshop session C1: Responding to the Cookie Monster
We are . . .
• John Kelly, Principal Legal Information Specialist with JISC Legal
• Claire Gibbons, Senior Web and Marketing Manager, University of Bradford
We’ll cover . . .
• The Legal Stuff
  – Legal requirements
  – Clarifying the ICO guidance on how to comply with the new cookie law requirements
  – Appropriate Wording for Policies
  – Tips for Compliance
• What Bradford and the sector did
• Good, bad and best practice and views on the Cookie Law – discussion, sharing, venting!
• What next for institutions and the sector – ideas and suggestions
• Post-26 May Guidance – updated guidance from JISC Legal
• Article 29 Working Party
  – CRITERION A: the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.
  – CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”
Exemptions?
• User-input cookies (e.g. shopping carts): probably exempt under Criterion B (but note comments on cookie lifetime);
• Authentication cookies: probably exempt under Criterion B if used within a single browser session; need to warn the user beforehand (i.e. get implied consent) if the cookie will persist across browser sessions;
• User-centric security cookies (e.g. to detect repeated login failures): may be exempt under Criterion B, but need to check specific details;
• Multi-media Player Session Cookies: probably exempt under Criterion B, but make sure they aren’t used for other purposes;
• Load-balancing Session Cookies: probably exempt under Criterion A;
• UI Customisation Cookies: short-lifetime cookies probably exempt under Criterion B, for longer lifetimes obtain implied consent as for authentication cookies;
• Social Plug-in Sharing Cookies: may be exempt under Criterion B, but only if they are restricted to logged-in users and limited to a session;
• Art.29WP on Cookies – specific and pragmatic advice