Page tree
Skip to end of metadata
Go to start of metadata

The new EU legislation on cookies that Philip Wilson blogged about In April came into effect on 25 May 2011.

This means features like automatically storing a visitor's location in a cookie, or whether they have already visited the international homepage is illegal. Instead we should be asking visitors if they are OK with us storing non-essential cookies before doing so.

The ICO have said that they won't start enforcing this for twelve months (May 26 2012), but we need to think about this when we want to do anything similar, and also need to decide what we're going to do about our current usages.

The ICO have decided to put something in their banner to make their cookie policy clear, but have emphasised that they do not ask people to follow this particular practise: http://www.ico.gov.uk/news/current_topics/website_changes_pecr.aspx

Icon

Current JISC advice is:

  1. Check what type of cookies and similar technologies are being used and how they are used.
  2. Assess how intrusive the use of the cookie is.
  3. When consent is needed: you should decide what the best way to obtain consent is in each particular circumstance of cookie use.

Potential problem areas will be:

  • the bought applications (such as the wiki and all of the MIS apps) which will have cookie "problems" but we can't fix (although this is mentioned in the ICO docs)
  • areas of the site we do not directly own (user spaces, department pages, professional services sites) which might be a problem

It is worth noting that the ICO have said they are unlikely to prioritise problems with first-party cookies - this includes Google Analytics.

The BBC have also blogged about they intend to do to meet the new regulations, and as part of that they have a comprehensive list of the cookies they store on visitors' computers.

Some references (PDFs):

Advice on the cookie regulations from the ICO
ICO cookie regulation inforcement

Cookie review

We should ignore authentication cookies for the time being.

Service

Purpose

Essential to use the service?

Other comments

Action required

Confluence

Session tracking, favoured tabs

cannot be changed

Atlassian have provided guidance

upgrade to latest confluence release

Personfinder

remember basic / advanced search preference

no

 

change handling

Website text resizing

remember the user-specified text size

no

 

remove functionality

Google Analytics

web usage stats gathering

no

first-party

paper states no action required

Scholarships

session id to enable session handling

yes

first-party

none

CMS

nothing to personally identify a user

?

Can't change these, internal tool

none

Personinfo

none

 

internal tool

none

LMF

 

 

auth only

none

Group manager

theme selection

no

 

remove functionality

Blogs.bath

 

 

wordpress

none

CMS video tool

 

 

internal tool

none

PG prospectus

none

 

 

none

UG prospectus

none

 

 

none

URL alias

none

 

 

none

YouGuru

?

?

 

 

Pfact

 

 

unknown, but internal only

none

Netcommunity

various

could reconfig to be behind log in

Blog post on compliance

none

Photoweb

 

 

unknown, but internal only

none

Estates doc management system - alchemy

 

 

unknown, not yet live

 

Account manager

 

 

Session and authentication only

none

SAMIS

 

 

Tribal statement claims compliance

none

ESD

 

 

Tribal statement claims compliance

none

Cacti

seems to just be session handling

yes

unlikely to be able to change it - internal

none

RT

 

 

internal tool

none

Calendar

 

 

internal tool

none

Sympa

session

yes

There appears to be one additional cookie set with no content

none - if we try to do anything we are recommending replacing the service

Calweb

 

 

internal tool

none

Library catalogue

session ID, library card number when logged in

yes

internal tool

none

EZproxy

session ID

yes

Also stores and sets cookies by proxy for library content-hosting sites (e.g. journal publishers)

none

Inter-library loan request form

Remember library card number for session

no

 

could remove this functionality

Past exam papers database

Remember department selection

no

 

could remove functionality

Moodle

session, remember username

yes, no

non-compliant cookie will disappear when Moodle v2 is rolled out (summer)

await upgrade (do nothing)

Xerte

session

 

 

none

Mahara

session

 

 

none

phpmyfaq

session

 

 

none

agresso

session

 

internal application

none

marketplace

session

 

internal application

none

jobs

 

 

have contacted stonefish looking for a statement

 

wpm (store.bath)

 

 

have contacted Simon Holt who is going to get a statement

 

Eventbriteremember preferences, web usage stats gatheringnohttp://www.eventbrite.co.uk/cookies/none. 3rd party system - can't change this usage
Vimeoremember preferences, video usage stats gatheringnohttps://vimeo.com/cookie_policynone. 3rd party system - can't change this usage
Soundcloudremember preferences, audio usage stats gatheringnohttps://soundcloud.com/pages/cookiesnone. 3rd party system - can't change this usage
  • No labels

5 Comments

  1. Good that the BBC has a policy on cookies - or at least documentation. We perhaps should have some sort of standard documented cookie where "we" set them - maybe a suggested prefix of UOBWC_ for something like "University of Bath Web Cookie". If some of these questionable cookie laws suggested come into force, we'll need to be a lot sharper on this - and the effects of having to work without them if users opt out or refuse them.

    1. The EU law is active, just not enforced yet, we've got 11 months left!

  2. Clarification on Google Analytics from JISCLegal "Cookies - Six Months Until Enforcement (25/11/2011)"

    http://www.jisclegal.ac.uk/ManageContent/ViewDetail/ArticleType/ArticleView/ArticleID/2244.aspx