Cookies
14 Oct 2011
Fedelma Good, Head of Marketing Privacy & Information Management
…
Practical steps to compliance
Check what type of cookies and similar technologies you use and how you use them.
Decide what solution to obtain consent will be best in your circumstances.
Check what type of cookies you use
This might have to be a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why.
You should analyse which cookies are strictly necessary and might not need consent. You might also use this as an opportunity to ‘clean up’ your webpages and stop using any cookies that are unnecessary or which have been superseded as your site has evolved.
Sample audit questions (1 of 2)
Date questionnaire completed
Form completed by (name, job title), email address, telephone number
Website name / URL
What EU countries is the website aimed at?
Does the site provide access to any other privacy/cookies/security related policy (if yes provide link)
Sample audit questions (2 of 2)
Cookie 'name' or id (to facilitate any subsequent conversations about a specific cookie)
Cookie Purpose (description)
Is the cookie being used to support the delivery of targeted marketing or advertising communication?
What data does the cookie hold?
What is the Cookie expiry date?
Is it a First or Third party cookie?
If Third Party please state third party name
What type of cookie is it? Temporary? Persistent? Flash?
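The per-cookie questions above can be partly pre-filled from captured HTTP responses. The following is an added example, not part of the original presentation: it turns Set-Cookie headers into audit rows. The function names, the sample capture and the domain example.com are constructed for illustration. It assumes you pass the site's registrable domain yourself. Purpose and marketing use still need a human answer, and Flash cookies do not appear in HTTP headers.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def audit_cookie(set_cookie, response_host, site_domain, observed_at):
    """Turn one captured Set-Cookie header into a row of the audit form."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    expires = None
    if "max-age" in attrs:
        expires = observed_at + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])

    # Owner is the Domain attribute if set, otherwise the responding host.
    owner = (attrs.get("domain") or response_host).lstrip(".").lower()
    first_party = owner == site_domain or owner.endswith("." + site_domain)

    return {
        "name": name.strip(),
        "holds": value,
        "type": "persistent" if expires else "temporary",
        "expiry": expires.date().isoformat() if expires else None,
        "party": "first" if first_party else "third",
        "third_party_name": None if first_party else owner,
    }

def audit(capture, site_domain, observed_at):
    return [audit_cookie(hdr, host, site_domain, observed_at)
            for host, hdr in capture]

# Constructed sample capture: (responding host, Set-Cookie header value).
SAMPLE = [
    ("www.example.com", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("www.example.com",
     "prefs=lang-en; Domain=.example.com; Expires=Sun, 14 Oct 2012 00:00:00 GMT"),
    ("ads.tracker.example", "uid=7f3a; Max-Age=2592000; Domain=tracker.example"),
]
OBSERVED = datetime(2011, 10, 14, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in audit(SAMPLE, "example.com", OBSERVED):
        print(row)
```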
Assess cookies on a privacy scale …
… It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately, providing more information and offering more detailed choices at the intrusive end of the scale.
Decide what solution to obtain consent will be best in your circumstances
Once you know what you do, how you do it and for what purpose, you need to think about the best method for gaining consent. The more privacy intrusive your activity, the more you will need to do to get meaningful consent….
Barclays' approach to compliance consists of four key elements:
Understanding Barclays' existing landscape
Determining what changes are needed to the information provided to users
Determining what changes are needed to Barclays technology
Determining what process changes are needed internally within Barclays
Underpinning all of this is an ongoing evaluation of what legal compliance looks like.
Barclays Existing Landscape
Our initial audit was a catalyst for additional activities:
Making easy and immediate changes to customer policies
Developing an action plan and prioritising work for high privacy impact cookies
Starting to consider how our Cookie policies will need to be updated
Engaging with other organisations and sharing knowledge
Barclays Existing Landscape
Enhanced due diligence
Initial responses are being reviewed to ensure that all “live sites” have been captured
Exploring the option of having a third party independently verify initial findings
Mapping customer journeys
Need to give more detailed consideration to the steps that are necessary in relation to third party websites e.g. white labelled, partnership sites, internal sites that face out to the world, etc.
Will consider how to audit other technologies e.g. email, mobile apps, social media, etc.
A quick checklist
Ensure the issue is understood by senior stakeholders
Inform and educate internally
Set up a cross functional task force (IT / Digital, Legal, Compliance, PR, Marketing …) to manage the process through to completion
Ensure customer facing staff know what to say if customers ask what your company is doing to comply
Make easy and immediate changes, e.g. adding a single line entry in your cookie policies to tell your customers what you are doing, such as: "With regards to the new requirements on Cookies following the revision of the e-Privacy Directive, Barclays is working towards implementing the new requirements in line with guidance from the Information Commissioner's Office"
Audit all cookies across all sites (don’t forget about third party cookies, and third parties with whom you work in the online world)
Review the audit findings and develop your action plan, prioritising action for high privacy-impact cookies
Update your cookie and related policies
Keep your staff updated as you progress
Put in place a process for managing / monitoring cookie use going forward
And above all … keep talking to other organisations and share the knowledge you gather along the way