Cookies and Website Take-up Service
1. Introduction
The purpose of this note is to update advice to local authorities about how subscribers to the Website take-up service should respond to the EU cookie legislation in respect of this service. It may be of wider interest in certain aspects of guidance.
2. Pre-requisites
Before looking at the use of cookies by the Website take-up service, it is critical to carry out a comprehensive audit of cookies and from this to produce a policy page about use of cookies on your site, listing what they do and why you need to use them. The policy page should also be easily accessible from all parts of the site in order to reinforce awareness with your users. (The audit will also enable you to remove unnecessary cookies.)
Not only are these actions essential for managing cookies according to the legislation, but they clearly demonstrate your organisation's good intentions in treating the issue of online privacy seriously, which is important should you ever need to handle a complaint about use of cookies.
A good example of a council that has done this is Argyll & Bute, referring also to advice that Socitm Insight produced last June (see Appendix 1).
3. Informed consent
3.1 Intrusion of privacy
The main task in regard to the Website take-up service is to manage the process of informed consent. In considering this it is useful to take account of what the Information Commissioner's Office (ICO) said about this in its note of 9 May 2011.
Assess how intrusive your use of these cookies is
The new rule is intended to add to the level of protection afforded to the privacy of internet users. It follows therefore that the more intrusive your use of cookies is, the more priority you will need to give to considering changing how you use it.
Some of the things you do will have no privacy impact at all and may even help users keep their information safe. Other technologies will simply allow you to improve your website based on information such as which links are used most frequently or which pages get fewest unique views. However, some uses of cookies can involve creating detailed profiles of an individual's browsing activity.
If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive - the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent.
It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.
The Government Digital Service developed this point in a blog published 19 March 2012 (see Appendix 2), providing guidance about minimal to moderate intrusion of privacy. It is clear from that guidance that the privacy intrusiveness of the cookies that our service sets is minimal. Any personal information given in the survey itself (eg postcode) is, of course, entirely voluntary and outside the scope of the setting of cookies.
Moreover, since the law was passed (26 May 2011) we have had no example reported to us of a member of the public complaining about the pop-up mechanism contravening the cookie legislation.
In short, it is a matter of judgement for each organisation how it weighs the risk of any complaints against the benefits of the management information. In assessing the risk, it will consider the minimal privacy disruption from this particular cookie.
3.2 Options for managing consent
Option 1 Council advises visitor about use of cookies
The WTS introductory screen would be changed by the WTS subscriber to inform the user that this service uses cookies as part of its essential function, whether or not the user says 'Yes' in accepting the survey. It would have to advise the user to disable cookies via a browser setting in order to prevent being asked again. Either on the introductory screen or via a link to the cookie policy, the user would have to be informed of:
- which cookies are dropped, their contents and purpose
- the exemption that is being used to allow these cookies to be dropped
- how to disable cookies in their browser
- how to delete the cookies using their browser.
It might also point out that the information from the survey is important for improving the website (ie, the same point that it should also make in its cookie policy page).
Option 2 Council obtains informed consent via an earlier mechanism
The WTS system will provide a mechanism which will allow the WTS survey to implement a choice made about cookie use by the user on the subscriber's website, using some method similar to that currently used by the ICO website (see below).
The mechanism is planned to consist of two vars:
- var socitm_2009/136/EC_enable
  - If defined and set to true, this enables the checking detailed in the second var below. If undefined or set to false, it disables the processing below.
- var 'socitm_survey_enable' (only implemented if socitm_2009/136/EC is defined and true)
  - If false (default), prevents the survey operating and dropping cookies.
  - If true, allows the survey to operate, including dropping cookies.
Subscribers will have to include details and purpose of the WTS related cookies as part of the details they provide when asking a user to allow cookies. It may be good practice to also include the same text relating to cookies in the WTS introductory screen as detailed in Option 1 above.
It is likely that the number of responses to WTS will drop sharply, because such an invitation (eg by banner prominently displayed at top of every page) is likely to be ignored, as most users will not be able to see immediately the benefits of agreeing. The ICO website itself has such an invitation. Examples of three councils who have done so include (none are WTS subscribers):
Policy changes
We reserve the right to update and make changes to this privacy notice.
Contact us
If you have any comments or questions regarding this policy or the Website take-up service then please contact us at: Insight@socitm.net.
For more information about how our subscribers use the information collected on their websites, please see their privacy policy.
This privacy and cookie policy was last updated on 26th March 2012.
Cookies
(*)A cookie is a small text file containing a random and unique identifier (e.g., #12345) that is sent to your browser from a Web server and then stored onto your computer's hard drive. Through modification of browser preferences, a user can elect to accept all cookies, receive notification when a cookie is set or decline all cookies. Alterations to these settings may, however, affect the functionality of certain websites.
Note. rol is also known as govmetric
APPENDIX 1 ADVICE GIVEN IN JUNE 2011
The following guidance is given to local authorities that subscribe to our Website take-up service. It may be of wider interest in certain aspects of guidance.
Privacy and cookie policy for the Socitm Insight Website take-up service
Overview
The Website take-up service provides information to participating subscribers about the total number of unique visitors to their sites, as well as other information about the reasons visitors are going to the site, how they got there, what the experience was like and whether they are likely to visit again. The information is collected through a short exit survey added to participating subscribers' websites and launched as every fifth visitor leaves the site. The survey takes just a few minutes to complete. Supporting software collects the answers and analyses results in a variety of ways, allowing subscribers to look at findings from their own website and compare them with findings from the rest of the subscriber group. The survey is administered by Socitm Insight (www.socitm.net) and is provided by rol solutions ltd (www.rol.co.uk).
Privacy
The technology used is not intended to collect personally identifiable information. In some limited circumstances some personally identifiable information may be captured, for example when personal information such as an email address is incorporated into a URL string. However, if the user chooses to enter a post code as part of the survey then that information could allow the user's location to be narrowed down to (typically) around 17 households. The user may also choose to enter contact details in one or more of the comments boxes. In this case the subscribing authority will receive this information as part of the monthly reporting. Note that as the reporting is monthly a response from the subscribing authority cannot be guaranteed. Any personally identifiable information inadvertently captured will never be used by rol or Socitm to advertise, promote or market goods or services to you.
Collection and use of information
We embed a piece of code (sometimes referred to as "1x1 clear pixel," "Web beacon" or "clear GIF") in the pages of subscriber websites in order to gather statistical site usage information. The types of statistical information we may gather on behalf of our subscribers include the number of visitors to their websites and details on browsers (including Internet Protocol 'IP' addresses or browser configurations). We use this information to provide our subscribers with detailed reports and analyses of the traffic to their websites. All of this information is provided to subscribers on a completely anonymous basis. The optional survey requests additional demographic, non-personally identifiable information. Your participation in a survey is always voluntary, and, therefore, you have a choice as to whether or not to provide the requested survey information. We use the information collected in the survey to provide our subscribers with a detailed understanding of their internet audience. We may also combine the information collected on our subscribers' websites with other data and research tools to perform additional research and analyses concerning internet audience demographics, behaviour and use.
Cookies
The Socitm Insight Website take-up service uses cookies(*) to determine whether a customer has participated in the WTS survey on a subscriber's website or has rejected taking part. The survey uses this information to prevent the same customer using the same user account on the same computer from being asked to participate in the survey again during the current survey year. The cookies are placed from the subscriber's domain and are set to expire one year after placement.
- Note 1: If the customer clears cookies, either manually or automatically at the end of a session then they may be invited to participate again the next time they visit the subscriber's website.
- Note 2: If a customer visits a subscriber's website from a different system or using a different user name then they may be invited to participate again.
- Note 3: If a customer has cookies turned off then the system will never invite them to participate in the survey.
The system places multiple cookies, all of which only contain a true or false value. These are listed below. In all cases the last character of the cookie name [x] is replaced by the version of the survey, currently 7.
Socitm_include_me[x] - indicates that a customer has accepted the survey and is either in the process of completing it or has completed it. The customer will not be asked to participate in this version of the survey again.
Socitm_exclude_me[x] - indicates that a customer has rejected the survey and will not be invited to participate in this version of the survey again until the cookie expires. This cookie is also placed when the system processes the code to invite a customer to participate but detects the socitm_include_me[x] cookie while doing so and does not present the survey again as a result.
Socitm_exclude_alt[x] - indicates that a customer should be excluded from an alternate survey. This cookie is placed when the system processes the code to invite a customer to participate in an alternate/additional survey but detects the socitm_include_me[x] cookie while doing so and does not present the alternate survey as a result. Note this cookie will be placed whether or not the subscriber's implementation includes alternate surveys.
The only use made of the cookies is to prevent customers being invited to participate multiple times in the same survey. They contain no personally identifiable information.
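The decision logic implied by the two vars of Option 2 and by the cookie descriptions above, as an added example that is not Socitm's or rol's code. Assumptions: the function names, the `flags` object (the first var name contains `/`, so it is modelled as a property key rather than a JavaScript identifier), lower-case cookie names, the `Path=/` attribute, and placing both exclude cookies together when the include cookie is detected.

```javascript
// Added example: consent gate and cookie bookkeeping for the WTS survey.
// Flag and cookie names come from the page; everything else is an assumption.

const SURVEY_VERSION = 7;                      // "[x]" in the cookie names, currently 7
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;   // cookies expire one year after placement

// Parse a document.cookie style string ("a=1; b=2") into a Map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Build one of the true/false survey cookies (Path=/ is an assumption).
function surveyCookie(base, version = SURVEY_VERSION) {
  return `${base}${version}=true; Max-Age=${ONE_YEAR_SECONDS}; Path=/`;
}

// Decide what the survey script may do on this page view.
// Returns the action plus any cookies that would be written as a side effect.
function decideSurvey({ flags = {}, cookieString = '', cookiesEnabled = true,
                        version = SURVEY_VERSION } = {}) {
  // Option 2: the first var switches the consent check on,
  // the second var carries the visitor's choice (default false).
  const consentChecked = flags['socitm_2009/136/EC_enable'] === true;
  if (consentChecked && flags['socitm_survey_enable'] !== true) {
    // No consent recorded: the survey must not run and must not drop cookies.
    return { action: 'blocked-no-consent', setCookies: [] };
  }
  // Note 3: with cookies turned off the visitor is never invited.
  if (!cookiesEnabled) return { action: 'never-invite', setCookies: [] };

  const jar = parseCookies(cookieString);
  if (jar.get(`socitm_include_me${version}`) === 'true') {
    // Already accepted this survey version: the exclude cookies are placed
    // when the invite code detects the include cookie.
    return {
      action: 'skip-already-accepted',
      setCookies: [surveyCookie('socitm_exclude_me', version),
                   surveyCookie('socitm_exclude_alt', version)],
    };
  }
  if (jar.get(`socitm_exclude_me${version}`) === 'true') {
    return { action: 'skip-declined', setCookies: [] };
  }
  return { action: 'invite', setCookies: [] };
}

// Cookie written once the visitor answers the introductory screen.
function recordAnswer(accepted, version = SURVEY_VERSION) {
  return surveyCookie(accepted ? 'socitm_include_me' : 'socitm_exclude_me', version);
}
```

A cookie left over from an earlier survey version (for example a constructed `socitm_include_me6`) does not suppress the invitation, which matches the statement that the visitor is asked again once the question set changes.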
Opting out
If you wish to opt out of the survey then please select the 'No - not at this time' link on the survey introduction screen when it appears. This action will place cookies(*) on your computer that, providing they are not removed, will prevent you, when using the same user account on that computer, from being requested to take part in the survey until the question set is changed which normally occurs once per year.
Note that if you use a different computer, or a different account on the same computer, then you may be given the opportunity to take part in the survey. If you use browser settings to prevent cookies from being placed then you will not be invited to participate in the Website take-up service.
APPENDIX 2 ADVICE GIVEN BY GOVERNMENT DIGITAL SERVICE, 19 MARCH 2012
It's not about cookies, it's about privacy
by Dafydd Vaughan on 19/03/2012
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 which came into effect last year has presented UK website owners with a few challenges in moving to compliance. Those of us who work on public sector websites are no exception. We wrote about some of the ways we were working towards compliance here at GOV.UK, in a previous post.
In spite of the challenges, the new regulations have pushed online privacy firmly into the spotlight and this is no bad thing. In fact this online privacy was the focus of a meeting last week of UK government website managers, developers, policy advisers and communications experts. The meeting was hosted by GDS so that people with responsibility for the operation of central government departments' and agencies' websites could discuss and learn from one another about some of the ways we could work towards compliance with the new regulations.
We talked about cookies (how could we not?) but we didn't get hung up on them - other relevant technologies e.g. HTML5 Local Storage and web beacons came up too. We shared our experiences of comprehensively auditing our sites in order to be certain we knew which cookies were being set by us or via our sites (in the case of third-party cookies).
We also discussed how best to probe the use of such cookies in order to correctly classify them (i.e. "moderately intrusive", "minimally intrusive" or "exempt from changes to privacy legislation") in terms of their "privacy intrusiveness". While we were at it, we touched on how best to be transparent about third-party cookies and their impact on visitors' privacy.
Inevitably, analytics and the vital role analytics-related cookies play in allowing public sector websites to be held to account on the cost-effectiveness of the way we deliver government information and services came up. Even more importantly, analytics are essential to our "continual improvement" approach to developing digital public services, which is critical to delivering the government's digital by default agenda.
The consensus was, especially in the case of first-party analytics cookies, these types of cookies are "minimally intrusive" (in line with the ICO guidance) and that the bulk of our efforts to rationalise our use of cookies should be focused on cookies classified as "moderately intrusive".
We touched on data-sharing and benchmarking options offered by some analytics vendors' packages and agreed that despite the fact that no personal data was collected, it was good practice not to share analytics information with third parties in order to reassure government websites' users.
We also discussed the alternatives to cookie-based analytics and the benefits and risks associated with them. This included device fingerprinting and javascript tagging which carry the risk of being potentially more privacy intrusive and are more difficult for users to block.
The conversations were technical but the protection of users' online privacy remained at the forefront. We're still working towards compliance but our focus on transparency and education while helping users make informed choices about their privacy seems the right way to go. Finally, we agreed to put together a short implementer guide containing some pointers to a best practice approach, here it is.
All in all, it was a useful meeting and as we continue to work towards compliance there will probably be a few more.
Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites
This document sets out guidance from the Government Digital Service (GDS) to government departments and other public sector bodies which are required to comply with the new Privacy & Electronic Communication Regulations (PECR) which came into effect in May 2011.
This guidance builds on existing guidance provided by COI in May 2011 and updated guidance from the Information Commissioner's Office (ICO) issued in December 2011. This guidance focuses on ensuring that the main objective of the new regulation, the protection of website users' online privacy, is satisfied by public sector websites.
This guidance is for information only. Website owners are responsible for ensuring their own compliance with the updated PECRs.
Background
Following changes to PECRs in May 2011 all website owners with a UK presence are now required to obtain informed consent from website users and subscribers in order to store information on their devices. The primary impact of these changes for websites is that only cookies (and related technology such as HTML5 local storage) that are deemed 'strictly necessary' for a service requested by the user are exempted from this requirement.
The ICO guidance material considers some methods for obtaining user consent such as pop-ups. However, these can be quite disruptive to the user experience and are likely to make the sites less usable. Website owners should consider how opportunities for users to provide consent can be maximised without undermining usability.
The preferred method of compliance with the new regulations, i.e. least disruptive to the user experience, would be one based on users' "implied consent". In this context "implied consent" can be taken to mean that a user is aware of the implications of taking a certain action and that by choosing to take such action they are implicitly giving their consent to the related outcomes. However, the ICO does not believe it is possible to take such an approach at present because "evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent".
This emphasises the need to raise the awareness levels amongst users of government websites about the uses and functions of cookies. Consistency in the presentation of cookies-related information will help towards achieving the aim of educating users, so this document sets out a recommended template for departments' 'Use of Cookies' policy.
Transparency about which cookies websites set and why remains central to the ICO requirements and consequently to this guidance.
Recommendations for Website Owners
The initial measures public sector websites should undertake in order to protect users' online privacy (which is the main objective of the new guidelines) and raise awareness levels are set out below.
1. Undertake a comprehensive audit of cookies
All government departments, their agencies and relevant NDPBs must complete a comprehensive audit of the cookies and related technologies used by their sites and their usage. Where it is not possible for a department's web team to definitively list all the cookies (both first- and third-party), an external organisation can be commissioned to carry out an audit.
This audit should determine the intrusiveness (in privacy terms) of each cookie. A table to help you do this is attached (ANNEX 1).
You should publish the results of this audit on your website as part of your 'Cookies Policy'. Some examples of best practice are included to help you do this (ANNEX 2). Links to this policy should be made prominent. You should consider options for publicising this policy e.g. through news articles or on-site promotion.
2. Look to reduce unnecessary and redundant cookies
Website owners should look to remove unnecessary or redundant cookies based on their level of intrusiveness. Removal of the more intrusive cookies in this category should be prioritised.
3. Establish effective management of cookies
Website owners should ensure ongoing, effective management of cookies across their websites. This should include a procedure to prevent the creation and use of new cookies without an assessment of their value (in terms of user experience / analytics etc) weighed against their intrusiveness.
Regular checks of cookies should be undertaken and the published list of cookies updated to ensure that a user will never find a cookie in their device that is not listed. Data-sharing and benchmarking options (offered by some analytics packages) should be switched off despite the fact that no personal data is collected.
Please note that the PECRs cover any technology that stores or retrieves information from the users' computer. This includes cookies, HTML5 local storage and locally stored objects (Flash cookies).
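One way to run the regular check described in recommendations 1 to 3, shown as an added example that is not part of the GDS guidance: it compares what a crawl of the site observed being stored with the published 'Cookies Policy' list and reports anything a user could find that is not listed. The hosts, the observation format, the `lb_node`, `uid`, `old_campaign` and `prefs_fontsize` names and all function names are constructed for illustration.

```javascript
// Added example: audit observed cookies and local storage against the published list.

// Published list (constructed). Patterns cover the versioned "[x]" suffix
// used by the survey cookies; labels follow ANNEX 1.
const PUBLISHED_LIST = [
  { pattern: /^socitm_include_me\d+$/, intrusiveness: 'Minimally intrusive' },
  { pattern: /^socitm_exclude_me\d+$/, intrusiveness: 'Minimally intrusive' },
  { pattern: /^socitm_exclude_alt\d+$/, intrusiveness: 'Minimally intrusive' },
  { pattern: /^lb_node$/, intrusiveness: 'Exempt' },   // hypothetical load-balancing cookie
];

// Constructed observations: the responding host plus the raw Set-Cookie value,
// or a localStorage key written by a script on the page.
const SAMPLE_OBSERVATIONS = [
  { host: 'www.council.example', setCookie: 'socitm_exclude_me7=true; Max-Age=31536000; Path=/' },
  { host: 'www.council.example', setCookie: 'lb_node=a3; Path=/' },
  { host: 'widgets.social.example',
    setCookie: 'uid=9f2c; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Domain=social.example' },
  { host: 'www.council.example', setCookie: 'old_campaign=1; Max-Age=600' },
  { host: 'www.council.example', localStorageKey: 'prefs_fontsize' },
];

// Extract the cookie name and whether it outlives the browser session.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrNames = attrs.map((a) => a.split('=')[0].toLowerCase());
  return {
    name: eq < 0 ? pair : pair.slice(0, eq),
    persistent: attrNames.includes('max-age') || attrNames.includes('expires'),
  };
}

// First-party means set by the audited site itself or one of its subdomains.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith('.' + siteHost);
}

// Produce one finding per observed cookie or storage key.
function auditStorage(siteHost, observations, published = PUBLISHED_LIST) {
  return observations.map((obs) => {
    const isCookie = typeof obs.setCookie === 'string';
    const parsed = isCookie
      ? parseSetCookie(obs.setCookie)
      : { name: obs.localStorageKey, persistent: true };  // local storage has no expiry
    const entry = published.find((p) => p.pattern.test(parsed.name));
    return {
      name: parsed.name,
      kind: isCookie ? 'cookie' : 'localStorage',
      firstParty: isFirstParty(obs.host, siteHost),
      persistent: parsed.persistent,
      listed: Boolean(entry),
      intrusiveness: entry ? entry.intrusiveness : 'unclassified',
    };
  });
}

// Names a user could find on their device that the policy page does not list.
function unlistedNames(findings) {
  return findings.filter((f) => !f.listed).map((f) => f.name);
}
```

Unlisted items then need either an entry in the published list with an intrusiveness rating or removal; unlisted third-party items fall under the 'Moderately intrusive' row of ANNEX 1 and are the first to review.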
Other steps towards compliance
The wide and varied uses of cookies means that many different stakeholders must be involved in finding the best routes to compliance, including considering in the longer term alternatives to cookies in website management. The ICO has been supportive of this type of multi-stakeholder engagement. In recognition of this GDS will seek to work with DCMS to:
- Engage in discussion with various vendors of Analytics packages in order to monitor industry developments which may facilitate compliance with the new privacy regulations.
- Continue to monitor and promote the efforts of major Internet browser vendors to develop products which help users indicate their consent to the setting of cookies by a website.
ANNEX 1: Cookie Intrusiveness Guide
Intrusiveness: Functionality Types
- Moderately intrusive
  - Embedded third-party content and social media plug-ins
  - Advertising campaign optimisation
- Minimally intrusive
  - Web analytics / metrics
  - Personalised content / interface
- Exempt from changes to privacy regulations
  - Stop multiple form submissions
  - Load balancing
  - Transaction-specific
Website owners should focus their efforts when reviewing, and where necessary revising the use of cookies, on the most intrusive types. This approach reflects the balance between valuable use of cookies (e.g. for analytics and improving the user experience which enable continual improvement of digital services) and the need to protect users' privacy.
Rationale - 'Moderately Intrusive'
Limited control over use of information: Website owners have no direct control over how the information stored within third-party cookies is used. While all attempts should be made by web managers of government sites to provide information about relevant third-parties' cookie policies, it is probable that users will have a more convoluted journey in attempting to access this information. This might result in users not accessing the information thereby reducing their understanding of how cookies work and reducing the opportunity of providing informed consent.
User expectations when visiting the first-party site: A visitor to any first-party site has a relationship primarily with the site they have visited. Consequently, it is unlikely that visitors have an expectation that other parties might also be able to store information on their terminals.
The setting of third-party cookies might be considered particularly intrusive when, in theory at least, they enable third-party websites e.g. Facebook, to track user behaviour across several sites. The fact that the visitor does not have to click on the plug-in or be a member of the social media networking site for the cookie to be set on their device, increases the perception that they are particularly intrusive.
Rationale - 'Minimally Intrusive'
Their usage tends to be controlled by the first-party and as such departments are able to be fully clear and transparent about how the cookies and the information stored in them are set and used respectively.
The scope of their use and information they store are limited to the first-party websites i.e. they are not used in relation to a user's activities on other sites.
Use of web-analytics/metrics: The use of metrics is integral to departments being able to provide the best possible user experience in order to encourage citizens to use more cost-effective channels for accessing government services. They also allow departments to assess and demonstrate whether the digital services they offer provide "value-for-money" as demonstrated by the recent National Audit Office (NAO) report.
Consequently, collecting these metrics is essential to the effective operation of government websites. At present the setting of cookies is the most effective way of doing this.
The ICO guidance supports this view as it states "...it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action"
Personalised content/interface: Consistently presenting users with the version of the site (or features within the site) which they find most convenient increases their enjoyment of the site and thus, the likelihood that they'll use the service/website in the future.
ANNEX 2: Examples of Good Cookie Policy Pages
The following are examples of existing good cookie policy pages:
- https://www.gov.uk/help/cookies
- http://www.culture.gov.uk/4902.aspx
- http://www.consumerfocus.org.uk/cookies


