ARCHIVED: Cookies - Six Months Until Enforcement (25 November 2011)

This document is ARCHIVED. For an up-to-date document please see our FAQ 'What does the new "Cookie" Legislation Require us to do?'

Google Analytics and Cookies - Action Required (Updated 12 January 2012)

The law that applies to how websites use cookies has changed. Essentially, the new legal requirement is that cookies and similar technologies can only be placed on a user’s machine where the user has given their consent. Organisations, including FE and HE institutions, have been given up to one year to get their house in order.

A number of questions that are important for FE and HE institutions are:

1. Does the new law about cookies apply to web analytics? 
2. Is it legal to use Google Analytics on our website?   
3. How are we supposed to gather and analyse user information now?
4. What is a cookie?   
5. What should we be doing about the new cookie law?

1. Does the new law about cookies apply to web analytics?
The short answer is yes.  Web analytics is the measurement, collection, analysis and reporting of internet data for the purposes of understanding and optimising web usage.  In many cases a cookie is simply used to measure traffic and activity.   Some uses of cookies can involve creating detailed profiles of an individual’s browsing activity.  Where a cookie is used to track people from one website to another this is considered intrusive in terms of privacy and the legislation now requires informed consent from users for the use of this type of cookie.  That is the view of the legislator, the UK Government Department that was responsible for drawing up the law – the Department for Culture, Media and Sport (DCMS).

The consensus view is that, as enacted, the new regulations also apply to what are sometimes considered more harmless functions that cookies perform, including some web user analysis cookies that carry out no task other than the generation of anonymous statistical information.

2. Will it be legal to use Google Analytics on our websites without confirming prior consent of each user?

Google Analytics uses first-party cookies to help the website operator analyse how users use their site.  This means that all cookies set by Google Analytics for a domain send data only to the servers for that domain.  This effectively makes Google Analytics cookies the personal property of the website domain which sets the cookie, and the data cannot be altered or retrieved by any service on another domain.

Further information on how Google Analytics uses cookies is available here -

Helpfully, December 2011 guidance from the ICO states that cookies used for analytical purposes to count the number of unique visits to a website are caught by the requirement to obtain prior consent. It also states that, provided clear information is given about their activities, the ICO is highly unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action.

The guidance also states that it would be highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. 

Some debate remains as to whether this consent can be obtained prior to the placing of the cookie by the website or can be obtained subsequently. Consent could be obtained during the placing of the cookie if browser settings were sophisticated enough to distinguish between cookie activity. Work is under way by browser manufacturers, in co-operation with the DCMS, to make changes to browsers to enable and facilitate lawful consent by users. It is anticipated that progress in this regard will be announced early in 2012.

This leaves some ambiguity, with the use of Google Analytics without prior explicit consent likely to be non-compliant, but not the focus of enforcement.  As a priority, you should ensure that information about the use of website cookies at your college or university is clear and prominent.

3. How are we supposed to gather and analyse user information now?
Not all web analytics software uses cookies to generate reports or measure the traffic and activity of users. Some investigation into how to gather useful traffic and activity information without using cookies may be necessary. For example, server-generated statistics may be sufficient in many cases to assist FE and HE website operators to determine page popularity and traffic statistics.

4. What is a cookie?
A cookie is a text file created by a browser at the request of a website and stored on the visitor's device (unless the browser has been set to refuse the cookie).  The cookie is then returned by the browser to the website on subsequent visits (subject to the cookie's parameters such as duration) which allows the website to recognise the returning visitor.

Cookies allow a website to recognise a user’s device and are often used to direct marketing and advertising at individual users.  They can also make online interaction more efficient by remembering things such as our browsing habits and payment details.  The regulations do not require user consent where the cookie is "strictly necessary" to allow the website to provide a service, for example, adding to online shopping baskets.

The use of cookies has for some time been commonplace and cookies are important to provide many online services.  The ICO recognises that cookies perform a number of legitimate functions and that gaining consent will, in many cases, be a challenge.  Using cookies is not prohibited by the new regulations but they do require that users should be given the choice as to which of their online activities are monitored by the use of cookies.

Although cookies that enable the processing of personal data give rise to greater privacy and security implications than those which process data from which the individual cannot be identified, the regulations apply to all uses of cookies, not just those involving the processing of personal data. 

5. What should we be doing about the new cookie law?

Guidance from the ICO indicates what can and should be done now.  It is advised that you take the following steps:

(1) Check what type of cookies and similar technologies your websites use and what the cookies are being used for.
This might be a fairly detailed audit of your websites or it could be as simple as checking what data files are placed on user terminals and why.  It is important to consider internal staff and student facing websites too.  You should decide which cookies are strictly necessary and might therefore not need consent from the user.  Identify the function of each cookie and determine whether there is a good business reason to keep each one. It is not unusual to find that some cookies are being placed without an obvious reason.

(2) Assess how intrusive your use of cookies is.
It might be useful to think of this in terms of a sliding scale, with privacy-neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately, providing more information and offering more detailed choices at the intrusive end of the scale.

(3) Decide what solution to obtain consent will be best in your circumstances.
Essentially the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent.

(4) Improve the clarity, completeness and prominence of information about cookies which is provided to users of your websites.
Providing information to users on your use of cookies is key, as is the ability to demonstrate that you are reviewing the use of cookies and are developing a plan for compliance.
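
An added example, not part of the original guidance, of a starting point for the audit in step (1) and the sliding scale in step (2): it builds a cookie inventory from Set-Cookie response headers and ranks each cookie by first or third party and by lifetime. The hosts, cookie names and the 0 to 3 score are assumptions made for illustration; the score is not an ICO measure, and whether a cookie is "strictly necessary" remains a judgement for the site owner.

```python
from dataclasses import dataclass

# Constructed observations: (host that sent the response, raw Set-Cookie value).
# All hosts, cookie names and values here are made up for the example.
OBSERVED = [
    ("www.college.example", "PHPSESSID=ab12; Path=/; HttpOnly"),
    ("www.college.example", "stats_id=1.2.3; Domain=.college.example; Max-Age=63072000"),
    ("ads.tracker.example", "uid=778899; Domain=.tracker.example; Max-Age=31536000"),
    ("www.college.example", "basket=item42; Max-Age=3600; Path=/shop"),
]

@dataclass
class CookieRecord:
    name: str
    party: str      # "first" or "third", relative to the audited site
    lifetime: str   # "session" or "persistent"
    score: int      # assumed scale: 0 = privacy neutral .. 3 = most intrusive

def parse_set_cookie(raw):
    """Split a Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in raw.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def audit(site_domain, observed):
    """Build a cookie inventory for site_domain, most intrusive first."""
    records = []
    for host, raw in observed:
        name, attrs = parse_set_cookie(raw)
        # Without a Domain attribute the cookie is scoped to the sending host.
        scope = attrs.get("domain", host).lstrip(".").lower()
        first_party = scope == site_domain or scope.endswith("." + site_domain)
        # No Max-Age or Expires means the cookie ends with the browser session.
        persistent = "max-age" in attrs or "expires" in attrs
        score = (0 if first_party else 2) + (1 if persistent else 0)
        records.append(CookieRecord(name, "first" if first_party else "third",
                                    "persistent" if persistent else "session", score))
    return sorted(records, key=lambda r: (-r.score, r.name))

if __name__ == "__main__":
    for rec in audit("college.example", OBSERVED):
        print(rec)
```

Cookies written by page scripts through document.cookie never appear in response headers, so a header-based inventory needs to be complemented by inspecting the browser's cookie store after loading each page.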

Further Information

See further the JISC Legal guidance - What Does the New "Cookie" Legislation Require us to do? -

JISC Legal – 25 November 2011 - (Updated 12 January 2012)

Posted on 25/11/2011

Jisc Legal has now closed, and this website is now archived.
