Page 1
Cookies Best Practice
Fedelma Good, Head of Marketing Privacy & Information Management
20th September 2012
Page 2
Covering
• The law
• The ICO’s stance
• What Barclays did to ensure compliance
• Yes there were some challenges!
• Current state of play
Page 3
The law
• The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (UK Regulations) came into force on 26 May 2011
• For clarity, the EU rules have been in place since 2003 and have always required anyone using cookies to provide clear information about them
• The 2011 changes dramatically tightened the rules: anyone depositing cookies is now required not just to provide clear information about them but also to obtain the user’s consent to store a cookie on their device
• Technically all firms in Europe had to comply from the date the law came into force, but in the UK the ICO allowed a lead-in period until the end of May 2012 to ensure compliance
• Opinions and advice varied right from the outset…
Page 4
But it’s not just about cookies
• The law isn’t actually about cookies, but because it affects them so much people have always referred to it as the ‘Cookie Law’
• The law covers all technologies which store information in, or gain access to information stored in, the “terminal equipment” of a user, and that includes so-called Flash cookies (Local Shared Objects), HTML5 Local Storage, web beacons or bugs … and more
And it doesn’t just apply to websites …
• We also need to think about other instances where similar technologies are used, e.g. emails and apps.
Page 5
This is what the law requires:
• (1) A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
• (2) The requirements are that the subscriber or user of that terminal equipment:
  (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  (b) has given his or her consent.
• There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
  (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Page 6
In summary
Those setting cookies must:
• tell people that the cookies are there,
• explain what the cookies are doing, and
• obtain their consent to store a cookie on their device.
Page 7
The ICO’s advice remains consistent
“It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous requirements in this area.”
1. Check what type of cookies and similar technologies you use and how you use them.
2. Assess how intrusive your use of cookies is.
3. Decide what solution to obtain consent will be best in your circumstances.
Page 8
There was real nervousness about impact
Page 9
Particularly when this was released
Page 10
What Barclays did to ensure compliance
• We began our preparatory work in relation to cookies back in 2010 with the development of training materials to help colleagues understand cookies in more detail
• Those same training materials were subsequently shared with many other organisations, including the ICO and DCMS
• In 2011, our compliance journey began in force …
Page 11
A step-by-step group-wide approach
• We read and took the ICO’s advice and guidance to heart and used this as the starting point for our own approach.
We’re a big group with lots of different technology and websites in place!
• Thus, our approach to cookie compliance comprised group level elements running in parallel with each business area’s own activity
Page 12
Group Level Activities
• Group-wide cookie steering group established
• Group Cookie Standard written. This clearly set out that compliance would be required for:
  – websites (excluding intranet sites)
  – mobile apps and
  – emails (where relevant)
• Regular internal discussions / forums held to share ideas and learnings
• Participation in industry level discussions throughout e.g. the ICC, DMA
• General principles defined for websites, mobile apps and emails …
Page 13
Websites
• Consent can be implied or explicit depending on the underlying technology used
• Consent can be site or linked-site specific (within session)
• The ICC cookie classifications will be used as the starting framework for describing cookies in use on each site
• We will display a One Time Message (OTM) in combination with an Enhanced Cookies Notice
• The Cookies Notice will be easily accessible to site visitors
• On websites which use only strictly necessary cookies we will, wherever possible, include a relevant information message
• We will work only with Third Parties who are prepared to move towards signing up to the IAB’s Ad Choices principles
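As an added illustration of the consent gate these principles imply, the following is example code written for this page, not Barclays’ implementation. It assumes the four ICC UK Cookie Guide categories (strictly necessary, performance, functionality, targeting), a constructed per-site cookie registry of the kind a cookie audit produces, and a rule that implied consent (One Time Message shown, visitor carries on browsing) covers performance and functionality cookies while targeting cookies need an explicit choice on a Cookie Settings page. The registry contents, cookie names and that implied-consent rule are assumptions for the example, not statements from the slides.

```javascript
// Added example (not Barclays' code): a consent gate that only lets a cookie
// be written once the Regulations' conditions are met for its category.
// Assumptions: ICC UK Cookie Guide categories; a site-maintained registry
// mapping cookie name -> category; implied consent covers performance and
// functionality cookies but not targeting cookies (assumed policy).

const STRICTLY_NECESSARY = "strictly necessary";
const PERFORMANCE = "performance";
const FUNCTIONALITY = "functionality";
const TARGETING = "targeting";
const CATEGORIES = [STRICTLY_NECESSARY, PERFORMANCE, FUNCTIONALITY, TARGETING];

// Constructed registry, of the kind a per-site cookie audit would produce.
const COOKIE_REGISTRY = {
  session_id: STRICTLY_NECESSARY,  // keeps the visitor logged in (exempt)
  csrf_token: STRICTLY_NECESSARY,  // request-forgery defence for the requested service
  analytics_id: PERFORMANCE,       // aggregate usage statistics
  ui_prefs: FUNCTIONALITY,         // remembers chosen language / layout
  ad_segment: TARGETING,           // third-party advertising profile
};

// Fresh consent state: only the strictly-necessary exemption applies.
function newConsentState() {
  return {
    mode: "none", // "none" | "implied" | "explicit"
    granted: {
      [STRICTLY_NECESSARY]: true,
      [PERFORMANCE]: false,
      [FUNCTIONALITY]: false,
      [TARGETING]: false,
    },
  };
}

// Implied consent: the One Time Message was displayed and the visitor went on
// to another page of the same site. Never overrides an explicit choice.
function recordImpliedConsent(state) {
  if (state.mode === "explicit") return state;
  return {
    mode: "implied",
    granted: { ...state.granted, [PERFORMANCE]: true, [FUNCTIONALITY]: true },
  };
}

// Explicit consent from the Cookie Settings page. Unknown categories are
// rejected; the strictly-necessary category cannot be switched off.
function recordExplicitConsent(state, choices) {
  const granted = { ...state.granted };
  for (const [category, allowed] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (category === STRICTLY_NECESSARY) continue;
    granted[category] = allowed === true;
  }
  return { mode: "explicit", granted };
}

// The gate. Fails closed: a cookie missing from the registry is refused and
// the reason says so, so the registry and the cookies notice get updated.
function mayStoreCookie(state, cookieName, registry = COOKIE_REGISTRY) {
  const category = registry[cookieName];
  if (category === undefined) {
    return { allowed: false, reason: `cookie "${cookieName}" is not in the registry; add it to the audit` };
  }
  if (state.granted[category]) return { allowed: true, reason: category };
  return { allowed: false, reason: `no consent for ${category} cookies (mode: ${state.mode})` };
}

// Simulated cookie jar so the gate can be exercised without a browser.
function setCookie(jar, state, cookieName, value, registry = COOKIE_REGISTRY) {
  const decision = mayStoreCookie(state, cookieName, registry);
  if (decision.allowed) jar[cookieName] = value;
  return decision;
}

// Walk-through: first visit, continued browsing, then an explicit choice.
function demo() {
  const jar = {};
  let state = newConsentState();
  setCookie(jar, state, "session_id", "abc123");  // allowed: exempt
  setCookie(jar, state, "analytics_id", "ga-1");  // refused: no consent yet
  state = recordImpliedConsent(state);
  setCookie(jar, state, "analytics_id", "ga-1");  // allowed: implied consent
  setCookie(jar, state, "ad_segment", "seg-7");   // refused: targeting needs explicit choice
  state = recordExplicitConsent(state, { [PERFORMANCE]: false, [TARGETING]: true });
  setCookie(jar, state, "ad_segment", "seg-7");   // allowed now
  setCookie(jar, state, "unregistered", "x");     // refused: not in registry
  return { jar, state };
}

console.log(JSON.stringify(demo(), null, 2));
```

The registry is the load-bearing piece: the gate can only be as complete as the site-by-site cookie audit behind it, which is why the process on the later slides keeps the Cookies Registry maintained rather than treating the audit as a one-off.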
Page 14
Mobile apps & emails
Mobile applications:
– Agreed approach was acceptance of cookies via the mobile app Ts&Cs
– Standard template clause for inclusion in Ts&Cs was drafted and signed off
Emails:
– Agreed approach, given our current email deployment strategy, was to include cookie information wording within all emails which made use of relevant technology
– For some consented emails (i.e. where the individual has signed up to receive the email) we have (a) written to inform recipients if cookie-type technology is used and (b) adjusted the consent wording for those now signing up.
Page 15
Activity undertaken within each business area
• Accountable executive appointed
• Business area steering groups and project team established
• Available cookie audit software reviewed and partner(s) selected
• Full audit of business area’s websites
• Inactive websites identified and closed down
• Site by site cookie audits conducted
• Full audit of business area’s emails and use of cookies in emails
Page 16
Activity undertaken within each business area
• HLD (High Level Design) reviewed and signed off for each site
• Customer facing language (including cookie policy) for each site drafted and signed off
• Each site solution was:
  – Developed in test environment;
  – Technology Tested;
  – User Acceptance Tested
• Solution taken through customer usability research
• Business area site / cookie log developed
• Customer ‘facing’ staff awareness materials including FAQs developed and circulated
Page 17
And it wasn’t just about compliance for 26th May
• We recognised that we must remain compliant going forward and have adopted relevant processes and controls, for example:
Example process: Maintenance of Cookies Registry and updating sites’ Enhanced Cookies Notice (ECN). The original slide is a swimlane flowchart with lanes for Vendor, Business Owner, Third Party Agency and Content Team; the steps in order are:
1. Submit list of UKRBB websites to vendor (Business Owner)
2. Receive list of UKRBB websites (Vendor)
3. Run reports (Vendor)
4. Send reports to Barclays (Vendor)
5. Receive reports (Business Owner)
6. Update cookies registry (Business Owner)
7. Is site maintained by Barclays?
   – No: 8. Send details to relevant third party agency; 8.1 Agency receives details regarding the site’s ECN; 8.2 Agency makes changes to the site’s Enhanced Cookies Notice; 11. End
   – Yes: 9. Raise Demand Request to Content Team; 10. Content Team updates the Enhanced Cookies Notice; 11. End
Page 18
Examples:
Page 19
Retail online banking
Page 20
Enhanced cookies notice
Page 21
Enhanced cookies notice
Page 22
Barclays .mobi - public site
Page 23
.mobi - member One Time Message screen design
Page 24
Woolwich.co.uk
Page 25
www.barclays.com
Page 26
www.barclays.com – Cookie Settings
Page 27
Yes there were some challenges! …
Emails
Pre-header
• We use cookies in this email to help us understand whether you have opened it and clicked on any links. To accept these cookies simply enable images, or click on any link in this email.
• To find out more, please see the information at the end of this email.
Footer
• We use cookies or similar technologies in this email. If you enable images, or click on any link within the email, cookies will be stored locally on your computer or mobile device. They help us to know a little bit about how you interact with our emails, which we use to help improve our future email communications – both for you and for others.
• To find out more about cookies in emails, please follow the link below. If your email settings have disabled links in this email, you can paste this address into your browser without enabling/accepting cookies.
• For more information visit <URL>
Page 28
How did we do?
Source: www.smartinsights.com – May 28 2012
Page 29
Just when we thought it had all gone quiet
• Silktide published a video
• And then a follow-up
• An ICO spokesman said, “We welcome any opportunity to help us draw attention to this matter as a key part of our work in ensuring compliance with the cookie law has been making businesses aware of the regulations.” An ICO blog post notes education is “key to cookie law progress.”
• And it might have all blown over but the BBC picked up on the story …
Page 31
Current state of play
• Since the new EU Cookie Directive came into force in the UK three months ago, around six in ten top websites have taken steps to address the law.
Research carried out by data privacy management solutions firm TRUSTe shows that 63 per cent have made efforts to comply with the legislation.
Of these 51 per cent have implemented "minimal" privacy notices with "limited" cookie controls, while 12 per cent have introduced "prominent" notices with "robust" controls.
Only 37 per cent of those questioned have not taken any steps to address the directive, which directs website publishers to gain consent from users before using cookies.
Chris Babel, chief executive of TRUSTe, said his company's research shows that many companies have begun to take the legislation seriously and have devoted time and resources to dealing with it.
"At the same time it is clear that some companies have yet to put a compliance solution in place," he said.