With only 5 days to go until the grace period ends for complying with the updated EU Privacy and Electronic Communications Directive, here is our latest blog post on how to comply.
The following post will help you assess how intrusive your cookies are once you have completed a full audit.
A quick recap
In our last post on cookies I explained what the changes to the directive were and the 4 steps you need to take to ensure that your website complies.
The four steps that you should take prior to the 26th of May 2012 are:
- Conduct a cookie audit
- Determine the invasiveness of your cookies
- Work out your compliance strategy
- Update your legals
In March this year François’ post “We’re going on a cookie hunt” shared how to conduct your cookie audit in either Firefox or Chrome.
Once you have completed your audit you will need to assess how intrusive you think the cookies you use are. To be able to do this you first have to understand a little bit about the different types of cookie.
Note: There are other technologies that store and use information in this way such as local shared objects and web beacons. These are also covered by the EU Directive and should be treated as cookies when conducting an audit and assessment of invasiveness.
Cookies: The basics
Cookies are small files, mainly made up of letters and numbers, that are downloaded and stored on a device for a given period of time when a user accesses a website. There are two types of cookie and the regulations apply to both:
Session cookies:
- Expire when the browsing session ends, e.g. the window is closed or the user moves to another website.
- Tend to allow websites to link the actions of a user during a browsing session.
- Are used for a variety of purposes, e.g. remembering items in shopping carts, security for banking etc.
- Are generally considered less privacy intrusive than persistent cookies.
Persistent cookies:
- Are stored on a user’s device after the user has finished using a website.
- Tend to allow a user’s preferences and actions to be remembered.
- Are used for a variety of purposes, e.g. to provide an enhanced browsing experience or targeted advertising.
- Are generally considered more privacy intrusive than session cookies.
In addition to this you need to consider whether the cookie is classed as a 1st or 3rd party cookie.
A 1st party cookie is a cookie that is placed onto a user’s device by your website (the domain that the user has visited). This can be a session or persistent cookie. A 3rd party cookie is placed onto a user’s device by a website (or domain) other than the one that the user has visited directly; an example is the cookies that are stored when a user clicks on a video embedded on your website by a third-party service such as YouTube.
You can get full details about cookies and how they work at www.allaboutcookies.org
Determine the Invasiveness of your cookies
It is clear from the ICO’s guidance on the rules of use for cookies and other technologies that the law applies to all types of cookies.
The Information Commissioner’s Office also recognises that the whole point of the directive is to protect the privacy of internet users, not to limit the functionality of websites. This means that, whilst you must detail all the cookies in use, you can still use them where necessary, as long as you gain the appropriate level of consent from the user where a cookie is considered intrusive.
To help us and our clients determine the invasiveness of the cookies we use, we follow this simple process:
1. For every cookie found in the cookie audit, consider the following points:
- If the purpose of the cookie is to help keep users’ information safe or to enhance their browsing experience, it should be counted as less privacy intrusive than a cookie that tracks the browser’s actions to generate targeted advertising.
- If a cookie is linked to other information you hold, e.g. usernames, it will largely be considered a privacy intrusive cookie, as it stores information about the user.
- If the data held by the cookie is anonymised, it is considered less intrusive than a cookie that associates data with particular login details or IP addresses.
- If the cookie is a session cookie, it is generally considered less intrusive than a persistent cookie.
- A 1st party cookie can be as intrusive as a 3rd party cookie, so each cookie should be considered on the basis of its purpose as well as its origin.
- Persistent cookies with long lifespans (without a valid reason) are generally considered more intrusive than cookies with short lifespans.
2. Once you have a list of the cookies with all of the details above, sort the cookies in order from most privacy intrusive to least privacy intrusive on the following sliding scale.
3. Once you have ordered your cookies in terms of their invasiveness, document this; you can then assess what the appropriate actions to take are.
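As an added example (not code from the original post), here is a small Python script that applies the six points above to a constructed cookie audit and produces the most-to-least intrusive ordering that step 2 asks for. The Cookie fields, the point weights, the site domain and the four sample cookies are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

SITE_DOMAIN = "example.co.uk"  # constructed: the audited site's own domain

@dataclass
class Cookie:
    name: str
    domain: str                   # domain that set the cookie
    max_age: Optional[timedelta]  # None means a session cookie
    purpose: str                  # security, functional, analytics or advertising
    linked_to_identity: bool      # tied to a username, login or IP address
    anonymised: bool              # data in the cookie cannot identify the user

def is_third_party(cookie: Cookie, site_domain: str = SITE_DOMAIN) -> bool:
    host = cookie.domain.lstrip(".")
    return not (host == site_domain or host.endswith("." + site_domain))

def invasiveness_score(cookie: Cookie, site_domain: str = SITE_DOMAIN):
    """Score one cookie against the post's six points; higher is more intrusive."""
    findings = []  # (points, reason); the point values are this example's assumption
    if cookie.purpose == "advertising":
        findings.append((3, "tracks actions for targeted advertising"))
    elif cookie.purpose == "analytics":
        findings.append((1, "tracks browsing behaviour"))
    if cookie.linked_to_identity:
        findings.append((2, "linked to identifying information"))
    if not cookie.anonymised:
        findings.append((1, "data not anonymised"))
    if cookie.max_age is not None:
        findings.append((1, "persistent rather than session"))
        if cookie.max_age > timedelta(days=365):
            findings.append((2, "long lifespan"))
    if is_third_party(cookie, site_domain):
        findings.append((1, "set by a third-party domain"))
    return sum(p for p, _ in findings), [r for _, r in findings]

def rank_cookies(cookies, site_domain: str = SITE_DOMAIN):
    """Step 2 of the post: (name, score, reasons) from most to least intrusive."""
    scored = [(c.name, *invasiveness_score(c, site_domain)) for c in cookies]
    return sorted(scored, key=lambda row: row[1], reverse=True)

# Constructed audit export standing in for the output of the cookie hunt
AUDIT = [
    Cookie("sessionid", "example.co.uk", None, "security", True, False),
    Cookie("cart", "example.co.uk", timedelta(days=7), "functional", False, True),
    Cookie("analytics_id", "example.co.uk", timedelta(days=730), "analytics", False, True),
    Cookie("ad_tracker", ".ads.example-network.com", timedelta(days=730), "advertising", True, False),
]
```

Running `rank_cookies(AUDIT)` puts the third-party advertising cookie first and the short-lived cart cookie last; the reasons list for each cookie is the documentation step 3 asks for.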
Do you need help to determine how invasive your cookies are?
Once you’ve completed your cookie audit we’ll help you assess the invasiveness of your cookies and document the steps you’ve taken and need to take to fully comply. Pricing starts from £120.00 (excluding VAT), so if you would like to know more about how we can help you achieve compliance, please contact us for more information.