Cookies: best practice September 2012 by Fedelma Good, Barclays
  • The actual wording of the Regulations. The relevant rules are found in amended regulation 6, which reads as follows:
    6. (1) Subject to paragraph (4), a person shall not store or gain information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
    (2) The requirements are that the subscriber or user of that terminal equipment (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.
    (3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
    (3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
    (4) Paragraph (1) shall not apply to the technical storage of, or access to, information (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
  • “The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like. We’re half way through the lead-in to formal enforcement of the rules. But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”
  • Principles agreed for websites:
    • Consent would be site or linked-site specific and could range from implied to explicit, given the differing underlying technologies used by different sites
    • We would, where relevant, adopt the ICC cookie classifications as the framework for describing cookies in use on each site
    • Defined the concept of a One Time Message (OTM), i.e. a message which would be displayed once to site visitors to inform them of the presence of cookies on the site
    • Defined the concept of an Enhanced Cookies Notice, which would provide detailed information to the user about the use of cookies and, where relevant and possible, provide the user with the ability to ‘turn off’ cookies as relevant
    • Cookies notices to be easily accessible to site visitors
    • For websites which used only strictly necessary cookies we agreed we would, wherever possible, include a relevant information message for site users
    • Given the challenges surrounding OBA, we agreed that we would not want to work with any third party who themselves were not prepared to move towards signing up to the IAB’s Ad Choices principles, thus ensuring greater consistency and clarity for our customers
  • Levels of compliance:
    1. Minimum (quarter circle): (A) review use of cookies through an audit, classifying them as strictly necessary, functional, performance and advertising (see the BBC or BT as an example); (B) update privacy message; (C) provide a direct link to the “cookie-use” policy from all pages.
    2. Sufficient? (half circle): we use this ambiguous label since, with the new guidance on “implicit opt-in”, we’re not sure that for compliance you need to build complex/expensive opt-out solutions such as those built by the BBC and BT. At this level you have a prominent panel above the fold with a link to more details, which disappears as users click forward (implicit consent; we do recommend this).
    3. Compliant for implicit opt-in (three-quarter circle): as above, but with selection of cookies possible; examples BBC, BT and Burberry.
    4. Full opt-in compliance: we haven’t seen any examples of this, other than the ICO site. Have you?
  • Transcript

    • 1. 20th September 2012. Cookies Best Practice. Fedelma Good, Head of Marketing Privacy & Information Management
    • 2. Covering
      • The law
      • The ICO’s stance
      • What Barclays did to ensure compliance
      • Yes there were some challenges!
      • Current state of play
    • 3. The law
      • The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (UK Regulations) came into force on 26 May 2011
      • For clarity, the EU laws have been in place since 2003 and always required anyone using cookies to provide clear information about them
      • The changes dramatically tightened the rules: now, anyone depositing cookies is required not just to provide clear information about them but also to obtain consent from users to store a cookie on their device
      • Technically all firms in Europe must comply with the law, but in the UK we were given until end May 2012 to ensure compliance
      • Opinions and advice varied right from the outset…
    • 4. But it’s not just about cookies
      • The law isn’t actually about cookies, but because it affects them so much people have always referred to it as the ‘Cookie Law’
      • The law covers all technologies which store information in the “terminal equipment” of a user, and that includes so-called Flash cookies (Locally Stored Objects), HTML5 Local Storage, web beacons or bugs… and more
      • And it doesn’t just apply to websites… We also need to think about other instances where similar technologies are used, e.g. emails and Apps.
    • 5. This is what the law requires:
      • A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
      • (2) The requirements are that the subscriber or user of that terminal equipment (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.
      • There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is: (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
    • 6. In summary. Those setting cookies must:
      • tell people that the cookies are there,
      • explain what the cookies are doing, and
      • obtain their consent to store a cookie on their device.
    • 7. The ICO’s advice remains consistent
      “It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous requirements in this area.”
      1. Check what type of cookies and similar technologies you use and how you use them.
      2. Assess how intrusive your use of cookies is.
      3. Decide what solution to obtain consent will be best in your circumstances.
    • 8. There was real nervousness about impact
    • 9. Particularly when this was released
    • 10. What Barclays did to ensure compliance
      • We began our preparatory work in relation to cookies back in 2010 with the development of training materials to help colleagues understand cookies in more detail
      • Those same training materials were subsequently shared with many other organisations, including the ICO and DCMS
      • In 2011, our compliance journey began in force…
    • 11. A step-by-step group-wide approach
      • We read and took the ICO’s advice and guidance to heart and used this as the starting point for our own approach. We’re a big group with lots of different technology and websites in place!
      • Thus, our approach to cookie compliance comprised group level elements running in parallel with each business area’s own activity
    • 12. Group Level Activities
      • Group-wide cookie steering group established
      • Group Cookie Standard written. This clearly set out that compliance would be required for: websites (excluding intranet sites); mobile apps; and emails (where relevant)
      • Regular internal discussions / forums held to share ideas and learnings
      • Participation in industry level discussions throughout, e.g. the ICC, DMA
      • General principles defined for websites, mobile apps and emails…
    • 13. Websites
      • Consent can be implied or explicit depending on the underlying technology used
      • Consent can be site or linked-site specific (within session)
      • The ICC cookie classifications will be used as the starting framework for describing cookies in use on each site
      • We will display a One Time Message (OTM) in combination with an Enhanced Cookies Notice
      • The Cookies notice will be easily accessible to site visitors
      • On websites which use only strictly necessary cookies we will, wherever possible, include a relevant information message
      • We will work only with Third Parties who are prepared to move towards signing up to the IAB’s Ad Choices principles
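The website principles on this slide, as an added JavaScript example that is not code from the deck or from Barclays: cookies are grouped by the ICC categories the audit produced, clicking forward past the One Time Message records implied consent, the Enhanced Cookies Notice records explicit per-category choices, and a single gate decides whether a given cookie may be stored. The cookie name `cookie_consent`, the function names and the value format are assumptions made for this illustration.

```javascript
// Added example (not the deck's code): a consent gate for the approach above.
// Cookies are grouped by the ICC categories; the One Time Message (OTM) gives
// implied consent when the visitor clicks forward; the Enhanced Cookies Notice
// records explicit per-category choices. All names here are constructed.
const CATEGORIES = ['strictly-necessary', 'functional', 'performance', 'advertising'];
const CONSENT_COOKIE = 'cookie_consent'; // constructed cookie name
const OPTIONAL = CATEGORIES.filter((c) => c !== 'strictly-necessary');

// Parse the consent cookie out of a raw Cookie header / document.cookie string.
// With nothing recorded only strictly necessary cookies (the regulation 6(4)
// exemption) are allowed, so every optional category starts off.
function parseConsentCookie(cookieString) {
  const consent = { 'strictly-necessary': true, functional: false,
    performance: false, advertising: false, recorded: false };
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    consent.recorded = true;
    // Value format: "functional:1|performance:0|advertising:0" ('|' and ':'
    // are legal cookie-value octets, so no percent-encoding is needed).
    for (const item of part.slice(eq + 1).trim().split('|')) {
      const [cat, flag] = item.split(':');
      if (OPTIONAL.includes(cat)) consent[cat] = flag === '1';
    }
  }
  return consent;
}

// Value for the Set-Cookie header; strictly-necessary is implicit and never stored.
function serializeConsent(consent) {
  return OPTIONAL.map((c) => `${c}:${consent[c] ? 1 : 0}`).join('|');
}

// 'continue' = OTM click-forward (implied consent to all categories);
// 'settings' = explicit choice on the Enhanced Cookies Notice; else unchanged.
function applyNoticeAction(consent, action, chosen = {}) {
  const next = { ...consent };
  if (action === 'continue') {
    for (const c of OPTIONAL) next[c] = true;
    next.recorded = true;
  } else if (action === 'settings') {
    for (const c of OPTIONAL) next[c] = chosen[c] === true;
    next.recorded = true;
  }
  return next;
}

// Gate every cookie-setting path should call; an unclassified cookie from the
// audit is refused rather than silently treated as strictly necessary.
function mayStoreCookie(category, consent) {
  return CATEGORIES.includes(category) && consent[category] === true;
}
```

Until `recorded` is true the page should show the OTM; afterwards the Enhanced Cookies Notice remains reachable so a visitor can change the stored choices at any time.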
    • 14. Mobile apps & emails
      • Mobile applications: the agreed approach was acceptance of cookies via the mobile app Ts&Cs; a standard template clause for inclusion in Ts&Cs was drafted and signed off
      • Emails: the agreed approach, given our current email deployment strategy, was to include cookie information wording within all emails which made use of relevant technology. For some consented emails (i.e. where the individual has signed up to receive the email) we have (a) written to inform if cookie-type technology is used and (b) adjusted the consent wording for those now signing up.
    • 15. Activity undertaken within each business area
      • Accountable executive appointed
      • Business area steering groups and project team established
      • Available cookie audit software reviewed and partner(s) selected
      • Full audit of business area’s websites
      • Inactive websites identified and closed down
      • Site by site cookie audits conducted
      • Full audit of business area’s emails and use of cookies in emails
    • 16. Activity undertaken within each business area (continued)
      • HLD (High Level Design) reviewed and signed off for each site
      • Customer facing language (including cookie policy) for each site drafted and signed off
      • Each site solution was developed in a test environment, technology tested and user acceptance tested
      • Solution taken through customer usability research
      • Business area site / cookie log developed
      • Customer ‘facing’ staff awareness materials including FAQs developed and circulated
    • 17. And it wasn’t just about compliance for 26th May
      • We recognised that we must remain compliant going forward and have adopted relevant processes and controls, for example:
    • 18. Examples:
    • 19. Retail online banking
    • 20. Enhanced cookies notice
    • 21. Enhanced cookies notice
    • 22. Barclays .mobi - public site
    • 23. .mobi - member One Time Message screen design
    • 24. Woolwich.co.uk
    • 25. www.barclays.com
    • 26. www.barclays.com – Cookie Settings
    • 27. Yes there were some challenges! … Emails
      Pre-header:
      • We use cookies in this email to help us understand whether you have opened it and clicked on any links. To accept these cookies simply enable images, or click on any link in this email.
      • To find out more, please see the information at the end of this email.
      Footer:
      • We use cookies or similar technologies in this email. If you enable images, or click on any link within the email, cookies will be stored locally on your computer or mobile device. They help us to know a little bit about how you interact with our emails, which we use to help improve our future email communications – both for you and for others.
      • To find out more about cookies in emails, please follow the link below. If your email settings have disabled links in this email, you can paste this address into your browser without enabling/accepting cookies.
      • For more information visit <URL>
    • 28. How did we do? Source: www.smartinsights.com – May 28 2012
    • 29. Just when we thought it had all gone quiet
      • Silktide published this video
      • And then this
      • An ICO spokesman said, “We welcome any opportunity to help us draw attention to this matter as a key part of our work in ensuring compliance with the cookie law has been making businesses aware of the regulations.” An ICO blog post notes education is “key to cookie law progress.”
      • And it might have all blown over but the BBC picked up on the story…
    • 30. (image slide)
    • 31. Current state of play
      Since the new EU Cookie Directive came into force in the UK three months ago, around six in ten top websites have taken steps to address the law. Research carried out by data privacy management solutions firm TRUSTe shows that 63 per cent have made efforts to comply with the legislation. Of these, 51 per cent have implemented "minimal" privacy notices with "limited" cookie controls, while 12 per cent have introduced "prominent" notices with "robust" controls. Only 37 per cent of those questioned have not taken any steps to address the directive, which directs website publishers to gain consent from users before using cookies. Chris Babel, chief executive of TRUSTe, said his company's research shows that many companies have begun to take the legislation seriously and have devoted time and resources to dealing with it. "At the same time it is clear that some companies have yet to put a compliance solution in place," he said.
