The cookie monster #ukgc12
Peter McClymont Web content manager North Devon Council @iamadonut @ndevoncouncil #WeeklyBlogClub
#ukgc12 presentation on the EU cookies directive, what it means for public sector web managers and how to cope with the issues raised.

  • These are my own views and do not necessarily represent the views or policies of my employer. This presentation should be considered informal guidance and is not a representation of the law, its interpretation or enforcement.
  • Advice and guidance borrowed heavily from these sources
  • This presentation is to inform and stimulate discussion, share best practice and hopefully lead to considered viewpoints
  • Directive 2009/136/EC
  • No longer can you rely upon implied consent. If someone wants to use your website, they must have given express consent to cookies or other programs or files being placed on their computer or device. Device includes mobile or tablet.
  • Privacy laws; protection of personal data. Cookies are misunderstood: assumed to be bad; they are not viruses, but they can be used to hoover up information. Desire to police the web.
  • Providing advice. The ICO will not enforce until 26 May 2012, to allow time to discuss compliance with industry.
  • Who wants to be the test case?
  • See the ICO site for the latest advice – date December 2011
  • Socitm, SiteMorse, others
  • Session and persistent cookies: Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer. The Regulations apply to both types of cookies.
    Session cookies allow websites to link the actions of a user during a browser session. They may be used for a variety of purposes such as remembering what a user has put in their shopping basket as they browse around a site. They could also be used for security when a user is accessing internet banking or to facilitate use of webmail. These session cookies expire after a browser session so would not be stored longer term. For this reason session cookies may sometimes be considered less privacy intrusive than persistent cookies.
    Persistent cookies are stored on a user's device in between browser sessions, which allows the preferences or actions of the user across a site (or in some cases across different websites) to be remembered. Persistent cookies may be used for a variety of purposes including remembering users' preferences and choices when using a site or to target advertising.
    First and third party cookies: Whether a cookie is 'first' or 'third' party refers to the website or domain placing the cookie. First party cookies in basic terms are cookies set by a website visited by the user, the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website, this would be a third party cookie.
  • Answers to these questions help categorise the cookies, determine whether they are intrusive and/or unnecessary and what happens if the cookie is disabled
  • Google Analytics cookies
  • Don't forget to update your privacy statement
  • The use of tick boxes and/or pop-ups raises usability and accessibility concerns.
  • The pop-up approach
  • The terms and conditions approach
  • The registration approach
  • The preferences approach
  • Both ICO and Torridge have "lost" 90% of traffic because of the pop-up banners. Other server-side analytics: AWStats
  • Most web users will be unaware that they can control how content is delivered and/or displayed through their web browser. For example, most modern web browsers enable JavaScript by default so that pages which rely on this common technology work as intended. Disabling JavaScript is a simple task, but many web pages use JavaScript to provide functionality: if it is turned off, pages may cease to function, links won't work and so on. Cookies set by scripts (Google Analytics, for example) will not be set when JavaScript is disabled; cookies set by the server in HTTP Set-Cookie headers still will, so disabling JavaScript is not the same as disabling cookies. As above, many cookies are an essential part of page functionality, so blocking them has the same effect: many pages will cease to function, links won't work and so on. A user disabling JavaScript or cookies would still have access to most services offered by our website.
Disclaimer
www.ico.gov.uk www.allaboutcookies.org/ www.cookielaw.org
WTF???? OMG!!!!!
"The EU Cookie Directive": Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (Text with EEA relevance)
Article 3: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 26 May 2011
"...a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met..." "(2) The requirements are that the subscriber or user of that terminal equipment (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent." Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)
The regulation requires: "[that] website owners … get consent in order to store or access information (including cookies) on users' computers – unless the cookie is strictly necessary to provide a service requested by the user." Source: ICO
Why?
Information Commissioner: enforcing body in the UK
Up to £500,000 fine for non-compliance
ICO advice
  • carry out audit
  • decide whether cookies are intrusive
  • decide on solution for gaining user's consent
Audit
  • self audit
  • third party
Types of cookies
  • Session
  • Persistent
  • First and third party
Audit methodology
  • automated SiteMorse audit covering www.northdevon.gov.uk
  • manual checking of www.northdevon.gov.uk pages containing third party content using Firefox web developer tools
  • manual checking of webforms using Firefox web developer tools
  • manual checking of third party web front ends – planning, payments, licensing, benefits calculator – using the Firefox web developer tools
  • information from third party suppliers – Northgate, Innogistic, Ovaltech, Lalpac, Civica
The audit identifies:
  • name of cookies set
  • purpose
  • lifetime
Google Analytics cookies
  • _utma: typical content: randomly generated number; expires: 2 years
  • _utmb: typical content: randomly generated number; expires: 30 minutes
  • _utmc: typical content: randomly generated number; expires: when user exits browser
  • _utmz: typical content: randomly generated number + info on how the site was reached (e.g. directly or via a link, organic search or paid search); expires: 6 months
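An added example, not from the presentation: a small Python audit helper that takes Set-Cookie header values noted from the browser's developer tools while browsing the site and records the three fields the slides ask for (cookie name, lifetime, purpose) plus the session/persistent and first/third party classification from the "Types of cookies" slide. The purpose table is seeded from the Google Analytics cookies above; the sample capture, the hostnames payments.example.net and ads.example.com, and the fixed clock are constructed for the example. It assumes the auditor supplies the site's registrable domain (for a .gov.uk site that is northdevon.gov.uk, not gov.uk), since no public suffix list is consulted.

```python
"""Cookie audit helper (added example, not from the presentation).

Takes Set-Cookie header values captured while browsing the audited site and
produces the fields the slides ask the audit to record: cookie name, lifetime
(session vs persistent), first/third party, and a purpose looked up from a
table the auditor maintains. The sample capture at the bottom is constructed,
not taken from www.northdevon.gov.uk.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Iterable, List, Optional, Tuple

# Purpose table maintained by the auditor. Seeded with the Google Analytics
# cookies as the slide spells them (Google's own names carry a double
# underscore, e.g. __utma). Anything not listed is flagged for follow-up.
KNOWN_PURPOSES = {
    "_utma": "Google Analytics: distinguishes returning visitors (analytics)",
    "_utmb": "Google Analytics: session timing (analytics)",
    "_utmc": "Google Analytics: session state (analytics)",
    "_utmz": "Google Analytics: how the visitor reached the site (analytics)",
}

# Fixed clock so Expires-based lifetimes are reproducible; 19 Jan 2012 is the
# date in the deck's file name (120119). Constructed for the example.
NOW_FIXED = datetime(2012, 1, 19, 12, 0, tzinfo=timezone.utc)


@dataclass
class CookieAudit:
    name: str
    set_by: str      # host whose response carried the header
    domain: str      # effective cookie domain
    party: str       # "first" or "third"
    lifetime: str    # "session" or "<n> seconds"
    purpose: str


def _lifetime_seconds(attrs: dict, now: datetime) -> Optional[int]:
    """Max-Age wins over Expires (RFC 6265); neither means a session cookie.
    A zero result means the cookie is already expired, i.e. being deleted."""
    if "max-age" in attrs:
        try:
            return max(0, int(attrs["max-age"]))
        except ValueError:
            pass  # a malformed Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError, IndexError):
            return None
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return max(0, int((exp - now).total_seconds()))
    return None


def audit_set_cookie(header: str, response_host: str, site_domain: str,
                     now: datetime = NOW_FIXED) -> CookieAudit:
    """Classify one Set-Cookie header value.

    site_domain is the registrable domain of the site under audit, supplied by
    the auditor (assumption: no public suffix list is consulted, so for a
    .gov.uk site pass e.g. "northdevon.gov.uk", not "gov.uk").
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()

    # Effective domain: the Domain attribute (leading dot dropped) if present,
    # otherwise host-only, i.e. the host that sent the response.
    domain = (attrs.get("domain") or response_host).lstrip(".").lower()
    site = site_domain.lower()
    party = "first" if domain == site or domain.endswith("." + site) else "third"

    secs = _lifetime_seconds(attrs, now)
    lifetime = "session" if secs is None else f"{secs} seconds"
    purpose = KNOWN_PURPOSES.get(name, "UNKNOWN: ask supplier, record purpose")
    return CookieAudit(name, response_host, domain, party, lifetime, purpose)


def audit_capture(capture: Iterable[Tuple[str, str]], site_domain: str,
                  now: datetime = NOW_FIXED) -> List[CookieAudit]:
    """capture: (response_host, Set-Cookie value) pairs noted from dev tools."""
    return [audit_set_cookie(h, host, site_domain, now) for host, h in capture]


# Constructed sample: one page view on the council site that embeds Google
# Analytics, a hosted payments front end and an advertising network.
SAMPLE_CAPTURE = [
    ("www.northdevon.gov.uk", "sessionid=abc123; Path=/; HttpOnly"),
    ("www.northdevon.gov.uk",
     "_utma=1.2.3.4.5; Domain=.northdevon.gov.uk; Path=/; Max-Age=63072000"),
    ("www.northdevon.gov.uk",
     "_utmz=9.8.7; Domain=.northdevon.gov.uk; Path=/; "
     "Expires=Wed, 18 Jul 2012 12:00:00 GMT"),
    ("payments.example.net", "PHPSESSID=def456; Path=/"),
    ("ads.example.com", "id=xyz789; Domain=.example.com; Path=/; Max-Age=31536000"),
]


def run_sample() -> List[CookieAudit]:
    return audit_capture(SAMPLE_CAPTURE, "northdevon.gov.uk")


if __name__ == "__main__":
    for c in run_sample():
        print(f"{c.name:<10} {c.party:<6} {c.lifetime:<18} {c.domain:<22} {c.purpose}")
```

Two points the output makes visible that a manual check in the developer tools can miss: a cookie with neither Max-Age nor Expires is a session cookie however long the value looks, and a cookie set from a council page by a supplier's host with no Domain attribute is third party even though the user never left the council's URL. Anything reported as UNKNOWN is a question for the supplier, which is the "information from third party suppliers" step on the methodology slide.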
Explaining cookies
Exceptions: (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user. Source: ICO
Activities likely to fall within the exception
  • A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
  • Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested, for example in connection with online banking services
  • Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers
Source: ICO.
Activities unlikely to fall within the exception
  • Cookies used for analytical purposes, for example to count the number of unique visits to a website
  • First and third party advertising cookies
  • Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored
Source: ICO.
Obtaining consent
  • tick box at the top of the website
  • pop-up tick boxes
  • global consent?
Other issues
  • Consent required for any landing page
  • Consent may require setting a cookie (!)
  • Consent required for subsites – using third party web front ends
Problems?
  • Analytics
  • Third party web front ends
  • Social media accounts/platforms
  • Malicious scripting
User control of cookies
Credits: Directive 2009/136/EC; PECR 2011; cookie photo: flickr.com/photos/roboppy/115562673/
