Cookies and "Similar Technologies"

As a result of a 2009 EU directive, the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") have been amended with effect from May 2011 so that in addition to the existing requirements for the provision of certain information, visitors must now give their prior consent to the placing of cookies. The Information Commissioner's Office ("the ICO") has at last issued some guidance on the use of cookies and similar technology. The ICO has announced that they will start taking enforcement action (including the issuing of fines) from May 2012 against organisations which are in breach of the new regulations.

"Cookie" is used here and in the ICO's guidance as a shorthand for any technique used to send some item of data to and later retrieve it from a user's equipment. The directive covers much more than basic HTTP cookies.

What is required? What is covered?

The requirements of the regulations are twofold:

• that anyone setting a cookie must tell users that cookies are in use, why, and how they will be accessed; and
• they must obtain prior consent to the storage of any cookies.

(The requirement to provide clear information about the use of cookies has been in place since 2003. The new part is the requirement to obtain prior consent.)

There are two exceptions to the regulations:

1. Cookies which are used only on an intranet are not covered, in the ICO's view, due to the way in which a "user" is defined. (However, other legislation and regulations (such as the Data Protection Act 1998) would, of course, apply as usual.)
2. Where the use of a cookie is "strictly necessary" for the provision of a service.

ALL other use of cookies is covered by the regulations.

Where do we start?

The ICO offers some "practical advice for those wishing to comply" (though there's nothing similar for those who would like to avoid compliance!):

1. Check what types of cookies you use and how you use them.
2. Assess how intrusive your use of cookies is.
3. Where you need consent - decide what solution to obtain consent will be best in your circumstances.

The University has now issued some advice.

Questions?

1. Do we have to?

   Yes. We have no choice. The regulations require it, and there are penalties for not complying.

2. Which of our sites are covered?

   We should assume that all of them are. We can't just apply the "intranet" exemption. We have to work on the basis that outside users can and will access them. (From a FoI perspective, we should be assuming that everything is freely available in general.)

3. Self-managed sites too?

   Yes. Everything which is published from a University-provided network connection has to comply, as do sites owned by University groups but hosted on external providers.

4. We need to use cookies for our site to work properly?

   The ICO's guidance makes the distinction "essential, rather than reaonably necessary". If your use is strictly "essential" then prior consent may not be required. However, you should still notify your users that cookies are being used.

5. Can we embed identifiers in the URLs we hand out?

   These are covered by the "or similar technologies" aspect of the regulations, so the requirements are the same. They do at least have the advantage of being obvious to the user.

6. What about our cosign-authenticated pages?

   Since the whole point of cosign is to authenticate by use of cryptographically-hard-to-forge cookies, their use is certainly essential. However, we should still make this clear on the login page.

7. What about google analytics and the like?

   This use is explicitly addressed in the ICO's guidance. Prior consent is required.

8. How do we obtain consent?

   The University's advice pages are here.

   The ICO's guidance offers a number of suggestions. Their own site currently has a header bar with a notice and a tick-box.

9. Can we rely on browser settings?

   Not yet, according to the ICO's guidance. "For now, you will need to work on implementing another solution."

10. Has the University provided any guidance?

    It's here. See also the March 2012 ITC paper on cookies and the implications of the amended regulations.

11. What about content hosted on the University's central servers?

    Our understanding is that this is being handled centrally, though a number of actions are marked as still "ongoing". The University's website privacy policy includes a statement on the use of cookies.

Links

• The ICO's summary of the new PECR rules.
• The ICO's guidance on the rules on the use of cookies and similar technologies.
• Q&A: The ICO's Dave Evans on EU cookie law compliance
• Pinsent Masons' guidance on the new regulations, with useful links.
• The Register's thoughts on Google Analytics
• ... and the ICC guide that it refers to.
• An out-law.com opinion piece on the ICO's guidance.
• Andrew Cormack's blog
  • ... including a reference to some Cabinet Office documents, which are said to be "well worth reading"
• Those Cabinet Office documents:
  • general approach to cookies
  • how to classify cookies (and other technologies)
  • guide for implementers
• A BBC news piece on tracking by cookie.
• Wikipedia's article on HTTP cookies.
• JISClegal guidance:
  • Implied consent
  • Cookie FAQ
• Cookies article on our systems blog pages.
• Neil's "guidance" wiki page.
• The University's approach to the new regulations.
• The March 2012 ITC paper on cookies and the implications of the amended regulations.
• The University's advice page is here, with additional links to:
  • Guidance for web managers and administrators
  • Revised "Privacy and cookies" web page content
  • Potential user experience discussion document
  • Cookie audit results search
• The University's website privacy policy, including a statement on the use of cookies
• EPCC's privacy policy, including a statement on the use of cookies
• (While there are quite a few other "privacy" links to be found from the www.ed.ac.uk search box, some of which do mention the use of cookies, they do appear to have been written prior to the 2009 directive.)

Cookies.html,v 1.44 2012/06/07 14:41:42 gdmr Exp