• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
120119 ukgc12-cookies
 

120119 ukgc12-cookies

on

  • 667 views

#ukgc12 presentation on the EU cookies directive, what it means for public sector web managers and how to come with the issues raised.

#ukgc12 presentation on the EU cookies directive, what it means for public sector web managers and how to come with the issues raised.

Statistics

Views

Total Views
667
Views on SlideShare
617
Embed Views
50

Actions

Likes
1
Downloads
5
Comments
0

3 Embeds 50

http://allotment5andahalf.wordpress.com 42
http://buzz.ukgovcamp.com 7
http://twitter.com 1

Accessibility

Categories

Upload Details

Uploaded via as OpenOffice

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • These are my own views and do not necessarily represent the views or policies of my employer. This presentation should be considered informal guidance and is not a representation of the law, its interpretation or enforcement.
  • Advice and guidance borrowed heavily from these sources
  • This presentation is to inform and stimulate discussion, share best practice and hopefully lead to considered viewpoints
  • Directive 2009/136/EC
  • No longer can you rely upon implied consent. If someone wants to use your website, they must given express consent that cookies or other programs or files are placed on their computer or device. Device includes mobile or tablet.
  • Privacy laws Protection of personal data Cookies misunderstood - must be bad - not viruses - but can be used to hoover up information Desire to police the web
  • Providing advice Will not enforce until 26 May 2012 to allow time to discuss with industry on compliance
  • Who wants to be the test case?
  • See the ICO site for the latest advice – date December 2011
  • Socitm SiteMorse others
  • Session and persistent cookies Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer. The Regulations apply to both types of cookies: Session cookies – allow websites to link the actions of a user during a browser session. They may be used for a variety of purposes such as remembering what a user has put in their shopping basket as they browse around a site. They could also be used for security when a user is accessing internet banking or to facilitate use of webmail. These session cookies expire after a browser session so would not be stored longer term. For this reason session cookies may sometimes be considered less privacy intrusive than persistent cookies. Persistent cookies – are stored on a user's device in between browser sessions which allows the preferences or actions of the user across a site (or in some cases across different websites) to be remembered. Persistent cookies may be used for a variety of purposes including remembering users’ preferences and choices when using a site or to target advertising. First and third party cookies – Whether a cookie is ‘first’ or ‘third’ party refers to the website or domain placing the cookie. First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.
  • Answers to these questions help categorise the cookies, determine whether they are intrusive and/or unnecessary and what happens if the cookie is disabled
  • Google Analytics cookies
  • Don't forget to update your privacy statement
  • The use of tick boxes and/or pop-ups raises usability and accessibility concerns.
  • The pop-up approach
  • The terms and conditions approach
  • The registration approach
  • The preferences approach
  • Both ICO and Torridge have “lost” 90% of traffic because of the pop-up banners. Other server side analytics: AW Stats
  • Most web users will be unaware that they can control how content is delivered and/or displayed through their web browser. For example, most modern web browsers will automatically enable Javascript to ensure that the intended functionality of web pages that deploy this common technology. Disabling Javascript is a simple task. However, many web pages use Javascript to improve functionality. If Javascript is turned off, pages may cease to function, links won’t work and so on. Because most cookies are set using Javascript, disabling Javascript will stop cookies being set on a user’s device. However, as above, many cookies are an essential part of page functionality: many pages will cease to function, links won’t work and so on. A user disabling Javascript or cookies would have access to most services offered by our website.

120119 ukgc12-cookies 120119 ukgc12-cookies Presentation Transcript

  • The cookie monster #ukgc12
  • Peter McClymont Web content manager North Devon Council @iamadonut @ndevoncouncil #WeeklyBlogClub
  • Disclaimer
  • www.ico.gov.uk www.allaboutcookies.org/ www.cookielaw.org
  • WTF???? OMG!!!!!
  • “ The EU Cookie Directive” Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws Text with EEA relevance
  • Article 3 "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent , having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
  • The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 26 May 2011
  • “...a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met...” “(2) The requirements are that the subscriber or user of that terminal equipment “(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and “(b) has given his or her consent.” Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)
  • The regulation requires: “[that] website owners … get consent in order to store or access information (including cookies) on users’ computers – unless the cookie is strictly necessary to provide a service requested by the user .” Source: ICO
  • Why?
  • Information Commissioner Enforcing body in the UK
  • Up to £500,000 fine for non-compliance
  • ICO advice
    • carry out audit
    • decide whether cookies are intrusive
    • decide on solution for gaining user's consent
  • Audit
    • self audit
    • third party
  • Types of cookies
    • Session
    • Persistent
    • First and third party
  • Audit methodology
    • automated SiteMorse audit covering www.northdevon.gov.uk
    • manual checking of www.northdevon.gov.uk pages containing third party content using Firefox web developer tools
    • manual checking of webforms using Firefox web developer tools
    • manual checking of third party web ends – planning, payments, licensing, benefits calculator - using the Firefox web developer tools
    • information from third party suppliers – Northgate, Innogistic, Ovaltech, Lalpac, Civica
  • The audit identifies:
    • name of cookies set
    • purpose
    • lifetime
  • Name: _utma Typical content: randomly generated number Expires: 2 years Name: _utmb Typical content: randomly generated number Expires: 30 minutes Name: _utmc Typical content: randomly generated number Expires: when user exits browser Name: _utmz Typical content: randomly generated number + info on how the site was reached (e.g. directly or via a link, organic search or paid search) Expires: 6 months
  • Explaining cookies
  • Exceptions (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user. Source: ICO
  • Activities likely to fall within the exception
    • A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
    • Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested – for example in connection with online banking services
    • Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers
    Source: ICO.
  • Activities unlikely to fall within the exception
    • Cookies used for analytical purposes to count the number of unique visits to a website for example
    • First and third party advertising cookies
    • Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored
    Source: ICO.
  • Obtaining consent
    • tick box at the top of its website.
    • pop-up tick boxes
    • global consent?
  •  
  •  
  •  
  •  
  • Other issues
    • Consent required for any landing page
    • Consent may require setting a cookie (!)
    • Consent required for subsites – using third party web front ends
  • Problems?
    • Analytics
    • Third party web front ends
    • Social media accounts/platforms
    • Malicious scripting
  • User control of cookies
  •  
  • Directive 2009/136/EC PECR 2011 Cookie: flickr.com/photos/roboppy/115562673/ Credits