Has your institution responded to the new ‘cookie’ legislation? As Brian Kelly of the Innovation Support Centre at UKOLN reminds us, after being given one year to get their house in order, learning providers are now required to comply by 26 May 2012.
What the law says
A cookie is information which a web server stores on a user’s computer to record their preferences and other pieces of information.
The directive was developed for the laudable reasons of increasing users’ control over their own privacy when they access web sites. The main concern is that cookies may be shared across and between web sites so that, for example, if a learner visits your institution’s web site and provides some information online, they don’t want to see commercial web sites using that information subsequently to target them with adverts.
The difficulties of complying with the legislation are acknowledged by the UK government’s Information Commissioner’s Office (ICO). In December 2011 the ICO published guidance on how organisations should respond to the legislation. As described in The Half Term Report on Cookie Compliance on the UK Web Focus blog, the guidelines appear to suggest that organisations can take achievable and pragmatic approaches which address the spirit of the legislation.
While taking a prior consent approach is certainly compliant, it can make web sites less attractive to use. It can also destroy the value of analytical cookies. It would appear to remain a matter of judgement (in line with an institution’s risk appetite) what exact level and circumstances of valid consent are put in place.
The use of Google Analytics without prior explicit consent is likely to be non-compliant, but not the focus of enforcement. This is the conclusion in the Jisc Legal article What Does the New “Cookie” Legislation Require us to do? However, it is emphasised that, as with other cookie use, it is necessary to provide users with a clear and prominent description of how the collected data is used.
How are other universities and colleges responding?
What can we do before May?
- Audit your web site – so that you know what cookies you are using and for what purposes. It is likely that many cookies being used are redundant and serve no useful business purpose. Stop your web server using them and get rid of the information collected by them.
- Ensure information about cookie use is clear and prominent. This involves providing a simple explanation of what the information collected by the cookie is to be used for, who has access to it and how long the information will be retained. Having this cookie information in a consistent location and in language similar to other institutions is advisable.
- Devise an appropriate mechanism for obtaining informed consent from your web site users – in advance of you placing a cookie on their device. ICO guidance suggests a number of methods which are frequently used to obtain prior consent from users.
- Look wider. Don’t forget that you will need to go beyond the main web site which may be managed by a central web team. Intranet web pages which are not available to the public are not covered by the legislation – but web pages that are directed internally will be covered if they are available to the public.
This article originally featured in issue 33 of Jisc Inform (UK web archive).