Data Protection Webinar: The New Cookie Law
By Lasa Information Systems Team
This article provides an overview of the webinar that Paul Ticher and Lasa ran on the implications of the cookie law for the third sector. The essence of the law is that someone else must not store information on your computer without your prior informed consent.
For general background to the webinar and the cookie law issue, see Paul Ticher's Data Protection Roundup April 2012.
(Please note that links to services that you may see at the end of this presentation are placed by Slideshare and are not endorsed by Lasa or Paul Ticher)
This recording of the second cookie law webinar run by Lasa and Paul Ticher can be watched on the embedded video above or on Vimeo in high definition.
Questions raised by participants during the webinar and replies from Paul Ticher (PT):
Q - What is deemed 'strictly necessary' in terms of cookies for functioning of a website?
PT - I think it has to mean something without which the website would be unable to deliver whatever the user is trying to obtain from the site or do on the site.
Q - How should you deal with third party cookies e.g. Google Analytics? Is it a possibility that after a rethink the IC will allow tracking for Analytics purposes only?
PT: These are covered by the rules, but the Information Commissioner is not going to take any precipitate enforcement action until they have worked out the best solution. A total exemption is unlikely.
Q - Where you say that the IC doesn't see the enforcement of analytics cookies as a priority - could you share the source please?
PT - See this article on Out-Law.com.
Q - This all seems to presume that each user has one computer - yet many people access the web at community computer centres, where each computer will have a succession of users. Are we to suppose that this should apply only to logged-in users?
PT: There is some confusion in the legislation between the 'subscriber' who pays the bill, and the 'user'. Where a computer is used by lots of different people it could be the subscriber's decision, not the individual users'.
Q - A lot of community websites are done on things like WordPress, where people have no idea what's going on under the bonnet, and won't know if cookies are being used at all. Is there an easy way of finding out?
Participants made some useful comments on this:
A. You can see which cookies are set for a particular site in Firefox by left-clicking on the favicon in the address bar (the icon on the left of the URL).
A. Some info re self-hosted WordPress cookies.
A. Debate on WordPress cookies.
Q - So if you have a sign in link, are you suggesting we should mention cookies used?
PT - Yes, that's a good place to mention them.
Q - How will social networks (Facebook/Twitter) be affected? Particularly for companies running pages on these sites and for gathering data on age groups/gender/location etc.
PT: Don't know. It might be the responsibility of the site, not the company/organisation, but this is unclear.
Q - Re: Facebook/ Twitter - as these are US sites will the cookie law be applicable? Or is it more about where the users are based?
PT: EU law rarely gets enforced in the US. It depends on the answer to the previous question. If it is the company/organisation that is responsible, the law would apply to anyone based in the UK.
Q - Is this primarily about privacy (in which case it's irrelevant whether data is stored server-side or client-side) or storing data on the user's computer (in which case any other methods of tracking users are fine)? What tracking are people concerned about?
PT: Things that are done in the background, without people's knowledge, and largely for the benefit of the site provider and its advertisers.
Q - By having a big box at the top of the screen like that how do you see it affecting things such as bounce rate/conversions on sites that are selling things?
PT: Quite likely. It remains to be seen which approach is found most effective and best all round.
Q - Are you aware of any plugins we can install on our websites to help with this law?
PT: There are some ready-made solutions. See Wolf Software and Social Media Charity - Solution to the EU Cookie Directive Problem with CivicUK for examples.
Q: Why do I see BBC cookies listed in Firefox when I haven't visited
PT: This would probably be a third party cookie. The BBC has a list of its cookies on its web site - see the links at the bottom of the page (Privacy, cookies, etc). "The BBC uses a number of suppliers who also set cookies on the BBC website on its behalf in order to deliver the services that they are providing."
Q: Do you have any examples of good cookie statements in T&Cs?
PT: Try the BBC.
Q: Can you say something about e-bulletins - tracking links followed etc?
Q: Any good tips on tools to find which cookies are used on your site? Preferably not one page at a time.
A: Cookiecert is useful for this.
Q: Neither of the examples of cookie policies include a 'dismiss' or 'X' close box option. Shouldn't that be an option in terms of usability at the very least?
PT: I don't think it's necessarily a good idea, because the only way to make it apply to future visits would be to store a cookie - which you can't do. But yes, in terms of removing unnecessary screen clutter. (I have not looked into how the various solutions work in terms of accessibility.)
Waitrose.com has quite a prominent link to their cookies policy at the top right of the page... but I haven't clicked through to see where else they might pop up.
Another tool that looks across a site is Optanon Audit which is a free download for Chrome. Looks to be a straightforward tool that covers cookies on all the different pages you explore. But there's a paid-for element to it, should you wish it to turn into an opt-in function declaring the relevant cookies.
Resources and examples
- Information Commissioner's Office
- Google Analytics - extract from terms and conditions
- Google Analytics opt-out browser add-in.
- South Ayrshire Council
- All About Computer Cookies - Session Cookies, Persistent Cookies, How to Enable/Disable/Manage Cookies
- EU cookie law: three approaches to compliance | Econsultancy
Louise Brown has also blogged about the webinar.
Published: 19th April 2012
Copyright © 2012 Lasa Information Systems Team
All rights reserved