Thought I would let you all know about the new ICO guidance about the EU cookies and privacy law as per the earlier conversation on Jiscmail – see below.

The good news is that common sense (and some, no doubt, massive lobbying by Google et al) has led to a light touch interpretation of the law. The ICO document downloadable at is never going to win a plain English award, but the crux is that it is really repeating what we highlighted the guidance said six months ago with a clear mention of the analytical cookie:

1. p12 “Check what type of cookies you use and how you use them”, in other words: Do a site audit! WASP is good free software that allows you to see cookies on a page, but also do an expert (i.e. manual!) check of top home pages. Reality for Unis is: make sure you only have an analytical cookie, not some advertising third party cookie, on your site.

2. p12 “Check how intrusive your use of these cookies is”. See below email as to the 1 to 10 sliding scale that was mentioned in the previous guidance and repeated here: they really want to check that you are not “creating detailed profiles of an individual’s browsing activity”. Page 13 provides a good check list and is also good guidance as to what to put in explaining the cookie. In reality, if you are using GA, as 99% of Unis are, you are a 1/2 (max 3) out of 10.

3. p14 and p15 are clear examples of where and how to put your cookie statements, to use “plain English”, even though looking at the report the ICO would struggle to do this…

4. p15 This is the key statement: “Which method (of consent) will be appropriate to get for cookies will depend in the first instance on what cookies you use”. In other words: ‘we are not making a blanket ban; check what you are doing, if you are not being evil and creating a profile on the user without them knowing with a persistent cookie, then be sensible, do all that we have told you to do and you will be ok.’ And to confirm….

On the last page (p 27) specifically on “analytical cookies” they say “In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement…… Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

So there you go…
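A minimal sketch of the cookie audit from point 1, added here as an illustration and not taken from the ICO guidance or from WASP: it classifies captured `Set-Cookie` headers as first or third party and as session or persistent. The `SAMPLE` capture, hostnames and cookie values are constructed, and the first-party test is a plain domain-suffix match (an assumption; a full audit would use a public-suffix list).

```python
# Constructed sample: (host that sent the response, Set-Cookie header value).
# Hostnames and cookie values are illustrative, not captured from a real site.
SAMPLE = [
    ("www.example.ac.uk",
     "__utma=1.2.3.4.5.6; Domain=.example.ac.uk; Max-Age=63072000; Path=/"),
    ("www.example.ac.uk", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("ads.tracker.example",
     "uid=42; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
]


def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lower-cased attribute names to values."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def is_first_party(host, site_domain):
    """Suffix match on a label boundary, so notexample.ac.uk does not match."""
    host = host.lower().rstrip(".")
    return host == site_domain or host.endswith("." + site_domain)


def audit(records, site_domain):
    """Classify each cookie by party and lifetime; flag third-party ones."""
    rows = []
    for host, header in records:
        name, attrs = parse_set_cookie(header)
        party = "first" if is_first_party(host, site_domain) else "third"
        # A cookie with neither Expires nor Max-Age ends with the browser session.
        persistent = "max-age" in attrs or "expires" in attrs
        rows.append({
            "name": name,
            "host": host,
            "party": party,
            "lifetime": "persistent" if persistent else "session",
            "review": party == "third",  # not set by the audited site itself
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE, "example.ac.uk"):
        flag = "REVIEW" if row["review"] else "ok"
        print(f'{flag:6} {row["party"]:5} {row["lifetime"]:10} '
              f'{row["name"]} (set by {row["host"]})')
```
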

As a last point, as I know there has been a lot of talk on this, and plenty of scare stories peddled by legal practitioners in particular, make sure you and your bosses are aware as to the enforcement of this (p24 of the report). The ICO will first issue an information notice if they think the organisation is doing something wrong, then ask it to take an “undertaking” notice which asks the organisation to change some practice to comply or an “enforcement” notice to make it comply, only finally if your organisation totally doesn’t listen at all will it be fined! In other words, it is about the ICO helping organisations comply and improve rather than jumping out of the blue on organisations naming them as illegal and shutting them down. There are some industries this is going to affect badly…newspapers etc.. but honestly, what you Unis do in tracking is very, very low in its privacy implications.

My personal view is don’t be scared of this regulation, but embrace it; its raison d’être was an attempt to make the web space less underhand in its tracking and less intimidating for those non-technical to understand who/what is tracking them. After all, all this analytical tracking is being done to improve the user’s experience and save money for your organisation by being more efficient, and isn’t that worth shouting (in plain English) about?