6. “ The EU Cookie Directive” Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws Text with EEA relevance
7. Article 3 "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent , having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
8. The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 26 May 2011
9. “...a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met...” “(2) The requirements are that the subscriber or user of that terminal equipment “(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and “(b) has given his or her consent.” Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)
10. The regulation requires: “[that] website owners … get consent in order to store or access information (including cookies) on users’ computers – unless the cookie is strictly necessary to provide a service requested by the user .” Source: ICO
30. Name: _utma Typical content: randomly generated number Expires: 2 years Name: _utmb Typical content: randomly generated number Expires: 30 minutes Name: _utmc Typical content: randomly generated number Expires: when user exits browser Name: _utmz Typical content: randomly generated number + info on how the site was reached (e.g. directly or via a link, organic search or paid search) Expires: 6 months
32. Exceptions (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user. Source: ICO
33.
34. Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested – for example in connection with online banking services
35. Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers Source: ICO.
These are my own views and do not necessarily represent the views or policies of my employer. This presentation should be considered informal guidance and is not a representation of the law, its interpretation or enforcement.
Advice and guidance borrowed heavily from these sources
This presentation is to inform and stimulate discussion, share best practice and hopefully lead to considered viewpoints
Directive 2009/136/EC
No longer can you rely upon implied consent. If someone wants to use your website, they must given express consent that cookies or other programs or files are placed on their computer or device. Device includes mobile or tablet.
Privacy laws Protection of personal data Cookies misunderstood - must be bad - not viruses - but can be used to hoover up information Desire to police the web
Providing advice Will not enforce until 26 May 2012 to allow time to discuss with industry on compliance
Who wants to be the test case?
See the ICO site for the latest advice – date December 2011
Socitm SiteMorse others
Session and persistent cookies Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer. The Regulations apply to both types of cookies: Session cookies – allow websites to link the actions of a user during a browser session. They may be used for a variety of purposes such as remembering what a user has put in their shopping basket as they browse around a site. They could also be used for security when a user is accessing internet banking or to facilitate use of webmail. These session cookies expire after a browser session so would not be stored longer term. For this reason session cookies may sometimes be considered less privacy intrusive than persistent cookies. Persistent cookies – are stored on a user's device in between browser sessions which allows the preferences or actions of the user across a site (or in some cases across different websites) to be remembered. Persistent cookies may be used for a variety of purposes including remembering users’ preferences and choices when using a site or to target advertising. First and third party cookies – Whether a cookie is ‘first’ or ‘third’ party refers to the website or domain placing the cookie. First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.
Answers to these questions help categorise the cookies, determine whether they are intrusive and/or unnecessary and what happens if the cookie is disabled
Google Analytics cookies
Don't forget to update your privacy statement
The use of tick boxes and/or pop-ups raises usability and accessibility concerns.
The pop-up approach
The terms and conditions approach
The registration approach
The preferences approach
Both ICO and Torridge have “lost” 90% of traffic because of the pop-up banners. Other server side analytics: AW Stats
Most web users will be unaware that they can control how content is delivered and/or displayed through their web browser. For example, most modern web browsers will automatically enable Javascript to ensure that the intended functionality of web pages that deploy this common technology. Disabling Javascript is a simple task. However, many web pages use Javascript to improve functionality. If Javascript is turned off, pages may cease to function, links won’t work and so on. Because most cookies are set using Javascript, disabling Javascript will stop cookies being set on a user’s device. However, as above, many cookies are an essential part of page functionality: many pages will cease to function, links won’t work and so on. A user disabling Javascript or cookies would have access to most services offered by our website.