120119 ukgc12-cookies

Published in: Technology

#ukgc12 presentation on the EU cookies directive, what it means for public sector web managers and how to cope with the issues raised.

The cookie monster #ukgc12

Peter McClymont, Web content manager, North Devon Council. @iamadonut @ndevoncouncil #WeeklyBlogClub

Disclaimer

www.ico.gov.uk www.allaboutcookies.org/ www.cookielaw.org

WTF???? OMG!!!!!

"The EU Cookie Directive": Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (Text with EEA relevance)

Article 5(3) of Directive 2002/58/EC, as amended by Directive 2009/136/EC: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 26 May 2011.

"...a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met..." "(2) The requirements are that the subscriber or user of that terminal equipment (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent." Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended in 2011.

The regulation requires "[that] website owners … get consent in order to store or access information (including cookies) on users' computers, unless the cookie is strictly necessary to provide a service requested by the user." Source: ICO

Why?

Information Commissioner: the enforcing body in the UK

Up to £500,000 fine for non-compliance
ICO advice
- carry out audit
- decide whether cookies are intrusive
- decide on solution for gaining user's consent

Audit
- self audit
- third party

Types of cookies
- session
- persistent
- first and third party
Audit methodology
- automated SiteMorse audit covering www.northdevon.gov.uk
- manual checking of www.northdevon.gov.uk pages containing third party content, using the Firefox web developer tools
- manual checking of web forms, using the Firefox web developer tools
- manual checking of third party web front ends (planning, payments, licensing, benefits calculator), using the Firefox web developer tools
- information from third party suppliers: Northgate, Innogistic, Ovaltech, Lalpac, Civica
The audit identifies:
- name of cookies set
- purpose
- lifetime

Example audit entries for the Google Analytics _utm* cookies:
- _utma: typical content a randomly generated number; expires after 2 years
- _utmb: typical content a randomly generated number; expires after 30 minutes
- _utmc: typical content a randomly generated number; expires when the user exits the browser
- _utmz: typical content a randomly generated number plus information on how the site was reached (e.g. directly or via a link, organic search or paid search); expires after 6 months
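An audit of this kind comes down to recording, for every cookie observed, who set it, whether it outlives the browser session and how long it persists. The script below is an added example, not code from the presentation or from North Devon Council: it takes (request host, Set-Cookie header) pairs of the kind the Firefox web developer tools show, and classifies each cookie as session or persistent and first or third party, with its lifetime, using the Max-Age, Expires and Domain rules from RFC 6265. It goes slightly beyond the slides by also recording the Secure and HttpOnly flags, which belong in the same audit table. The hostnames, cookie names, attributes and capture time in the sample are constructed, not from a real audit. Cookies written by JavaScript, such as the Google Analytics _utm* cookies above, never appear as Set-Cookie headers and have to be read from the browser's cookie store, which is the gap the manual browser checks in the slides cover.

```python
# Added example: classify captured Set-Cookie headers for a cookie audit.
# Not code from the presentation or from North Devon Council.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieRecord:
    name: str
    domain: str                    # host or Domain attribute the cookie is scoped to
    party: str                     # "first" or "third" relative to the audited site
    kind: str                      # "session", "persistent" or "expired"
    lifetime: Optional[timedelta]  # None for session cookies
    secure: bool                   # sent only over HTTPS
    httponly: bool                 # not readable from script


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str, page_host: str,
                     response_time: datetime) -> CookieRecord:
    """Turn one Set-Cookie header into an audit record.

    request_host: host the browser fetched; page_host: host of the audited page
    (decides first vs third party); response_time: tz-aware arrival time, used
    to turn an absolute Expires date into a lifetime.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Scope: explicit Domain attribute, otherwise the host that set the cookie.
    domain = (attrs.get("domain") or request_host).lower().lstrip(".")

    # Lifetime: Max-Age wins over Expires (RFC 6265 section 5.3); an unparsable
    # Expires is ignored; neither attribute means a session cookie.
    lifetime: Optional[timedelta] = None
    if attrs.get("max-age", "").lstrip("-").isdigit():
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = expires - response_time
        except (TypeError, ValueError):
            pass

    if lifetime is None:
        kind = "session"
    elif lifetime <= timedelta(0):
        kind = "expired"   # Max-Age=0 or a past Expires: the server is deleting it
    else:
        kind = "persistent"

    return CookieRecord(
        name=name, domain=domain,
        party="first" if domain_matches(page_host, domain) else "third",
        kind=kind, lifetime=lifetime,
        secure="secure" in attrs, httponly="httponly" in attrs,
    )


def audit(page_host: str, captures: List[Tuple[str, str]],
          response_time: datetime) -> List[CookieRecord]:
    """Classify every (request_host, Set-Cookie header) capture for one page."""
    return [parse_set_cookie(hdr, host, page_host, response_time)
            for host, hdr in captures]


def summarise(records: List[CookieRecord]) -> Dict[Tuple[str, str], int]:
    """Count records by (party, kind): the headline numbers for the audit."""
    counts: Dict[Tuple[str, str], int] = {}
    for rec in records:
        counts[(rec.party, rec.kind)] = counts.get((rec.party, rec.kind), 0) + 1
    return counts


# Constructed sample captures for one page view of the council site. The
# hostnames, cookie names, attributes and time are made up, not from a real audit.
PAGE_HOST = "www.northdevon.gov.uk"
RESPONSE_TIME = datetime(2012, 1, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_CAPTURES = [
    ("www.northdevon.gov.uk", "session=f00dcafe; Path=/; HttpOnly"),
    ("www.northdevon.gov.uk", "textsize=large; Domain=.northdevon.gov.uk; "
                              "Expires=Sat, 19 Jan 2013 12:00:00 GMT; Path=/"),
    ("stats.example-analytics.net",
     "uid=9f2c; Domain=.example-analytics.net; Max-Age=63072000; Path=/; Secure"),
    ("pay.example-payments.com", "pay_sess=7; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for rec in audit(PAGE_HOST, SAMPLE_CAPTURES, RESPONSE_TIME):
        print(rec)
```

Purpose is deliberately not a field the script fills in: as the slides say, that comes from the supplier or from reading the code that sets the cookie, and it is the part of the audit that decides whether the strictly necessary exception applies. A cookie scoped to a parent domain such as `.northdevon.gov.uk` counts as first party for every host under it, which is the usual situation when a third-party web front end is served from a council subdomain.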
Explaining cookies

Exceptions: (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user. Source: ICO

Activities likely to fall within the exception
- a cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
- certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested, for example in connection with online banking services
- some cookies that help ensure the content of your page loads quickly and effectively by distributing the workload across numerous computers
Source: ICO

Activities unlikely to fall within the exception
- cookies used for analytical purposes, for example to count the number of unique visits to a website
- first and third party advertising cookies
- cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored
Source: ICO

Obtaining consent
- tick box at the top of the website
- pop-up tick boxes
- global consent?

Other issues
- consent required for any landing page
- consent may require setting a cookie (!)
- consent required for subsites using third party web front ends

Problems?
- analytics
- third party web front ends
- social media accounts/platforms
- malicious scripting

User control of cookies

Credits: Directive 2009/136/EC; PECR 2011; cookie photo: flickr.com/photos/roboppy/115562673/
