Last updated: 
3 months 2 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Cookies: are some easier than others?

Wednesday, June 6, 2012 - 10:50

The law graduate in me having gone to lie down with a headache from trying to understand the implications of the new UK cookie law, the maths graduate is having a look at it. So the following bears no relation to legal thinking; since it's ten years since I ran a web server it may also bear little relation to what's actually feasible! So please don't quote me in discussions of those aspects. What I hope may be useful is to pick out some patterns that may help in improving information and controls around cookies, so comments (and suggestions of cookies that don't fit my patterns) are even more than usually welcome. This post is also very much thinking-out loud, so I plan to update it in response to comments and further information.

Types of Cookies

The Information Commissioner's (ICO) guidance suggests that there are five classes of cookie: those essential to deliver a service, those storing a setting requested by the user, those implementing a function requested by the user, those implementing a background function, and third party cookies. For now I'm going for a simpler division into three: essential cookies, user-optional cookies, server-optional cookies, as follows:

Essential cookies

These are the cookies without which a web service simply can't function. If the user doesn't accept them then they might as well go away. The ICO suggests that shopping cart cookies are of this type; it seems to me that cookies for authentication/authorisation (AA) also fall into the same category. The AA cookies highlight the main problem with this group - that unless the user allows the cookie, they may not be able to see the site at all! Providing the user with a "choice" of whether to proceed without cookies doesn't seem meaningful so it seems to me that the right place to document them is in Terms and Conditions, either of the particular service or of the account that gives access to it.

In theory I suppose that sites could insert a T&C page before every access (including those coming direct to deep links, rather than to the home page), but this feels like the pop-up hell that both the ICO and Government seem keen to avoid :(

User-optional cookies

These are cookies that support some additional function that the user can realistically choose whether or not to use. "Save my details/choices/searches for next time" feels like a canonical example (the ICO divides these into separate classes, but I'm not sure that this makes any significant difference for implementation). In each of these examples, and all the others I can think of, there is a clear point where the user "turns on" the function, so where they can also be informed of the cookie-consequences of doing so. As above, there seems little point in offering a "proceed without cookies" option, so I hope it's sufficient to tell the user the consequences of their action and presume that if they carry on with the action then they have accepted the consequences.

Server-optional cookies

These are cookies whose main benefit is on the server side. The user may get a secondary benefit (e.g. analytics cookies may improve the structure of the web site in future, advertising cookies may allow the host not to charge users for access) but this is not their main function. These seem significantly harder to manage, since it is meaningful to offer the user a "proceed without cookies" option (the site will still work, though the server operator will presumably want to persuade the user to proceed with cookies) but there's no obvious "start page" where that can be done since the whole point of the cookie may well require it to be present on all pages of the site. The ICO's guidance says that web servers should provide a full description of any cookies of this type (presumably including information about how to disable them and why the server would prefer you not to) and provide prominent links to the description from the site (presumably at least the main pages where users are likely to arrive). Giving sites the responsibility of documenting their cookie use seems reasonable, since they are probably best placed to do this, but I'm not at all sure that sites are best placed to actually implement cookie controls for users. The ICO's website now has an "I accept cookies" button that appears to let visitors turn off its use of Google Analytics, however this seems to duplicate a function that is already provided in web browsers, and in fact does it less well since the moment a user moves to a page outside the ICO's content management system Analytics will presumably start up again. For third party advertising cookies (as far as I can see the ICO's site doesn't use these!) the weakness of controls implemented by a single website is even more apparent. I very much hope we can find a better way to do this :(

Robin Wilton's compliance notice points out that a number of web hosting services use analytics and other "server-optional" cookies outside the control of the organisations that actually put their web pages on those services. So who is responsible for documenting these cookies? I'm not sure whether it's technically possible, this also makes me wonder what happens if user-generated content can generate cookies independent of the site hosting the content?