Responding to Cookie Legislation
A post entitled How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation? has been published on the UK Web Focus blog which summarises work in advising the UK’s higher and further education sector on appropriate responses to the ‘cookie’ legislation which comes into force on 26 May 2012.
In May 2011 a survey of Privacy Settings For UK Russell Group University Home Pages was followed by a post which asked How Should UK Universities Respond to EU Cookie Legislation? The suggested answer was to work collaboratively in order to share best practices and monitor developments, especially advice from the UK government organisations.
In December 2011 a post which provided a The Half Term Report on Cookie Compliance highlighted government guidelines which suggested that the government would be taking a pragmatic approach to interpretation of the legislation: “The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers“.
In February 2012 a post which provided suggestions on the Next Steps In Addressing Forthcoming Cookie Legislation was published.
In April 2012 a report on a survey of privacy policies provided by 30 UK Universities was published in a post which sought to provide answers to the question How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation? The post also highlighted the emphasis on providing appropriate information rather than implementing technical solutions which was described in a post on Enforcement of cookie consent rules for analytics not a priority, ICO says published on Out-law.com, a Web site which provides legal news and guidance from Pinsent Masons, an international law firm. This article began:
The UK’s data protection watchdog is not likely to take action against the users of data analytics cookies on websites even if they fall foul of new EU rules on cookie consent, it has said.
A statement from the ICO said:
“ … it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.“
In addition to engaging with practitioners across the sector who have responsibilities for managing institutional web site, in order to ensure that policy makers as well as practitioners were aware of the appropriate responses to the legislation we published an article in the Spring 2012 issue of JISC Inform. The article concluded with the following suggestions on actions to be taken by May 2012:
JISC Inform (33) Spring 2012
- Audit your web site – so that you know what cookies you are using and for what purposes. It is likely that many cookies being used are redundant and serve no useful business purpose. Stop your web server using them and get rid of the information collected by them.
- Ensure information about cookie use is clear and prominent. This involves providing a simple explanation of what the information collected by the cookie is to be used for, who has access to it and how long the information will be retained. Having this cookie information in a consistent location and in language similar to other institutions is advisable.
- Devise an appropriate mechanism for obtaining informed consent from your web site users – in advance of you placing a cookie on their device. ICO guidance suggests a number of methods which are frequently used to obtain prior consent from users.
- Look wider. Don’t forget that you will need to go beyond the main web site which may be managed by a central web team. Intranet web pages which are not available to the public are not covered by the legislation – but web pages that are directed internally will be covered if they are available to the public.
We hope that the open approaches we have taken in coordinating this work has helped to minimise unnecessary duplication of effort across the sector in interpreting the legislation and developing appropriate instituional policies.