The new
cookie laws:
how aware
are you?

Has your institution responded to the new ‘cookie’ legislation? As Brian Kelly of the Innovation Support Centre at UKOLN reminds us, after being given one year to get their house in order, learning providers are now required to comply by 26 May 2012. While it is unlikely that a single privacy policy will be suitable for use for everyone across the sector, we hope that these approaches will provide a useful starting point if you wish to develop your own institutional privacy guidelines.
Brian Kelly
Brian Kelly
Brian Kelly works for the Innovation Support Centre based at UKOLN, University of Bath. Brian established the Institutional Web Management Workshop (IWMW) series in 1997 which continues to support those responsible for providing institutional web services.

Why not sign up for the IWMW 2012 event in Edinburgh on 18-20 June for an opportunity to share experiences in addressing cookie legislation?
JISC Legal
If you’d like to know about where you stand on this and other legal issues, contact JISC Legal.

What the law says

A cookie is information which a web server stores on a user’s computer to record their preferences and other pieces of information.

Legislation regulating use of cookies becomes enforceable in May. The changes implement revisions to the European Directive on which the UK legislation is based. They mean that, as a web site operator, your institution needs to provide information about the cookies you use and needs to obtain consent before a cookie is set on a user’s computer for the first time.

The background

The directive was developed for the laudable reasons of increasing users’ control over their own privacy when they access web sites. The main concern is that cookies may be shared across and between web sites so that, for example, if a learner visits your institution’s web site and provides some information online, they don’t want to see commercial web sites using that information subsequently to target them with adverts.

Why we use cookies

Cookies can provide great benefits to users, of course. If you disable cookies and spend some time visiting commercial web sites you may find that you are presented with more ads than normal since the web sites are not able to record information that you have already seen their ads. Similarly web sites could also use cookies to store your preferences regarding, say, the layout of the screen display. But if cookies are disabled this information will have to be re-entered on every visit.


The difficulties of complying with the legislation are acknowledged by the UK government’s Information Commissioner's Office (ICO). In December 2011 the ICO published guidance on how organisations should respond to the legislation. As described in The Half Term Report on Cookie Compliance on the UK Web Focus blog the guidelines appear to suggest that organisations can take achievable and pragmatic approaches which address the spirit of the legislation.

While taking a prior consent approach is certainly compliant, it can make web sites less attractive to use. It can also destroy the value of analytical cookies. It would appear to remain a matter of judgement (in line with an institution’s risk appetite) what exact level and circumstances of valid consent is set in place.

The use of Google Analytics without prior explicit consent is likely to be non-compliant, but not the focus of enforcement. This is the conclusion in the JISC Legal article What Does the New “Cookie” Legislation Require us to do? However it is emphasised that, as with other cookie use, it is necessary to provide users with a clear and prominent description of how the collected data is used.

How are other universities and colleges responding?

The ICO has stated that organisations should provide clear and comprehensive information on use of cookies on web sites. But what form should such information take and how should it be provided?

A group of UK university web managers is working to provide feedback on a template privacy policy which can be freely reused by others. The draft policy, which is based on one being developed at the University of Bradford, is hosted on the JISCPress service where you can also comment.

If you’d like to see what others have already done, the JISC-funded Jorum repository service has already published its privacy policy policy here.

What can we do before May?

Audit your web site – so that you know what cookies you are using and for what purposes. It is likely that many cookies being used are redundant and serve no useful business purpose. Stop your web server using them and get rid of the information collected by them.

Assess how intrusive your use of cookies is. It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.

Ensure information about cookie use is clear and prominent. This involves providing a simple explanation of what the information collected by the cookie is to be used for, who has access to it and how long the information will be retained. Having this cookie information in a consistent location and in language similar to other institutions is advisable.

Devise an appropriate mechanism for obtaining informed consent from your web site users – in advance of you placing a cookie on their device. ICO guidance suggests a number of methods which are frequently used to obtain prior consent from users.

Look wider. Don’t forget that you will need to go beyond the main web site which may be managed by a central web team. Intranet web pages which are not available to the public are not covered by the legislation – but web pages that are directed internally will be covered if they are available to the public.



Comment on this article…

You might like…

If you liked this article you might also find these of interest:

JISC Legal’s advice on what the new cookie legislation requires us to do.