One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Cookies: Multi-national Guidance

Wednesday, June 6, 2012 - 11:06

I've been looking around to see what information other countries' authorities are providing about the new EC cookie regulations. So far I've found UK, Ireland and France (summary in English). Although there's a surprising amount of variation in the detail - this legislation is supposed to be consistent across Europe, after all - an approach does seem to be emerging that could satisfy all of them. There seems to be general agreement that cookies need to be handled in three different ways: some can just be described, some also need to be highlighted at the point where they are about to be used, and some need an explicit consent box/button/etc.

The first group, where it seems to be enough to provide a clear and accessible description, are those strictly necessary for the delivery of the on-line service the user has requested. All regulators provide examples, with the French having the longest list: shopping carts; session cookies (where these are required to provide the service); security cookies; cookies to save language preference (though the UK regard this one as falling in the second category with other saved preferences); cookies necessary for media players (again the UK regard these as falling into the second category). All agree that there may be other types of cookies that can be treated in this way - none claims to offer a complete list - but all stress that "strictly necessary" is a narrow definition. Interestingly, Ireland suggests that cookies that persist between browser sessions cannot fall into this category, apparently contradicting the French "language preference" example. The French also note that the information about cookies should not be "hidden in the general terms and conditions" of the site!

The second group of cookies is those associated with a specific function or operation that the user requests. The UK guidance has most detail on these, stating that they include both cookies used to save preferences and those used to watch a video (it seems to me that another example is the cookies used to store position, scale and other parameters to display an interactive map). These cookies need the same information as the first group, but also need a warning at the point where the user is able to request, select or otherwise "turn on" that function. The idea here seems to be that if the user is informed that a particular action will result in a cookie being stored, and carries on and takes the action anyway, then they can be taken to have consented to the cookie.

Finally there is the group that everyone agrees is the hardest: cookies that deliver a service to the website operator or someone else, not to the user. The obvious examples are analytic and advertising cookies. Again these cookies need to be described and consent obtained - the problem is that, unlike the second group, there is no obvious place to request that consent or to infer it from some other action. All the regulators agree that popups are unlikely to be suitable as they are "potentially frustrating" (UK) and "often blocked" (FR), and that the controls in current web browsers are insufficient (not least because they implement an "opt-out" rather than "opt-in" approach). The UK Commissioner has implemented a consent box that appears at the top of every page, which is referenced as a possible approach by the French, but all agree that there are other ways to do it. However, any do-it-yourself approach seems to imply considerable knowledge of, and control over, what are often third-party applications.
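To show how the three-way split above translates into site behaviour, here is an added example (my own illustration, not code from any of the regulators or from Jisc) of a consent gate that refuses to store a cookie until the rule for its category is satisfied: strictly necessary cookies are stored once described, functional cookies only after the user has proceeded past a point-of-use warning for that feature, and third-party cookies only after an explicit opt-in. The cookie names, categories and the in-memory "jar" are constructed for illustration.

```javascript
// Added example: a cookie consent gate reflecting the three regulator categories.
const CATEGORY = { NECESSARY: 'necessary', FUNCTIONAL: 'functional', THIRD_PARTY: 'third_party' };

// Constructed registry: every cookie the (hypothetical) site sets must be described here.
// An undescribed cookie is never stored, since description is the minimum all regulators require.
const COOKIE_REGISTRY = {
  session_id: CATEGORY.NECESSARY,     // session needed to deliver the requested service
  cart: CATEGORY.NECESSARY,           // shopping cart
  csrf_token: CATEGORY.NECESSARY,     // security cookie
  lang_pref: CATEGORY.FUNCTIONAL,     // saved preference (UK view: second category)
  video_player: CATEGORY.FUNCTIONAL,  // media player state
  _analytics: CATEGORY.THIRD_PARTY,   // serves the site operator, not the user
  ad_id: CATEGORY.THIRD_PARTY,        // advertising
};

// Default state is opt-in: nothing beyond strictly necessary is consented until the user acts.
function createConsentState() {
  return { functionalAcknowledged: new Set(), thirdPartyOptIn: false };
}

// Second group: the user saw the warning at the point of use and carried on anyway.
function acknowledgeFeature(consent, cookieName) {
  if (COOKIE_REGISTRY[cookieName] === CATEGORY.FUNCTIONAL) consent.functionalAcknowledged.add(cookieName);
}

// Third group: explicit action on a consent box/button; never inferred from browser defaults.
function optInThirdParty(consent) { consent.thirdPartyOptIn = true; }

// Decide whether a named cookie may be stored under the current consent state.
function mayStore(cookieName, consent) {
  const category = COOKIE_REGISTRY[cookieName];
  if (category === undefined) return { allowed: false, reason: 'cookie not described in registry' };
  if (category === CATEGORY.NECESSARY) return { allowed: true, reason: 'strictly necessary' };
  if (category === CATEGORY.FUNCTIONAL) {
    return consent.functionalAcknowledged.has(cookieName)
      ? { allowed: true, reason: 'user proceeded after point-of-use warning' }
      : { allowed: false, reason: 'point-of-use warning not yet acknowledged' };
  }
  return consent.thirdPartyOptIn
    ? { allowed: true, reason: 'explicit opt-in given' }
    : { allowed: false, reason: 'explicit opt-in required' };
}

// Gate every write through mayStore; `jar` stands in for document.cookie / Set-Cookie.
function setCookie(jar, cookieName, value, consent) {
  const decision = mayStore(cookieName, consent);
  if (decision.allowed) jar[cookieName] = value;
  return decision.allowed;
}
```

In a real deployment the same gate has to wrap the third-party scripts themselves (analytics and ad tags set their own cookies), which is the control-over-third-party-code problem the post mentions.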

At least all the authorities recognise that most sites will need to prioritise which cookies to deal with first; the UK Commissioner recommends doing them in order of privacy intrusiveness and notes that analytic cookies (unlike advertising ones) come relatively far down this scale. With a bit of luck that will give the providers of such tools long enough to develop compliant versions before we all have to decide whether it's worth trying to reverse-engineer them.

PS If you know of guidance in other countries then I'd be interested to hear, especially if it's significantly different from this summary.