The Cookie Monster Cometh

First published on the Irish Computer Society Data Protection Blog. Republished here as it is my original work and I’m putting all my Data Protection musings in one place.

So, this day next week (26th May) will see the introduction into Irish Law of Directive 2009/136/EC. It’s a tweak to the existing electronic privacy regulations. The ones that relate to spamming by fax, email and SMS and carry penalties of up to €5000 per breach.

[update: Well the deadline came and went without the Irish Government enacting the legislation. We await further developments]

[Update 2: Legislation in effect from 1st July 2011. See Data Protection Commissioner website for Guidance Note]

These new regulations relate to Cookies, those little text files which are written to your computer by websites. Of course, it’s not just text files. Flash also has a version of ‘cookies’ to help track your interactions with flash movies or activites (so if you go away you can restart where you left off rather than having to go back to the beginning – for example in an e-learning package). The intention of the Directive is (amongst other things) to improve the personal privacy of internet users by controlling the use of cookies.

While the intent of the Directive (to come into effect in a Statutory Instrument next Thursday) is relatively straightforward, the practicalities of implementing it may be challenging for organisations. Added to that there is a level of unawareness about the issue in Ireland, particularly on the business side of organisations. This will actually be the biggest challenge to Compliance.

Organisations now need to step back and stop thinking of cookies and web development as a techie issue. Cookies are a data asset of the organisation which you use to achieve certain goals and purposes. The key key issues that need to be considered are:

  • What are your processes and their objectives?
  • How do cookies help you achieve those goals?
  • What information do you need to be writing to cookies to achieve your goals?
  • What things/services that people want to use on your site won’t work without cookies?

The Regulations set out two sets of conditions where the use of the cookies is permitted. Either:

  1. You have gotten informed consent from the Data Subject by way of providing prominent and accessible information about your use of cookies and providing some means of recording the consent to those purposes (fyi: this cannot be a ‘passive’ process) OR
  2. Being able to identify that the use of the Cookies is strictly necessary for the delivery of services explicitly requested by the subscriber

Being a little bit blunt about this, the first condition is only slightly more onerous than the existing requirements on websites who process personal data about individuals who have to provide a coherent statement of what they are going to use the personal data for (most don’t in my experience – the standards of some that I have looked at over the past few years often leaves a lot to be desired and is indicative of a ‘tick the box’ approach to Compliance).

The second condition however gives a conditional pass, similar to the Lawful Processing condition of ‘Necessary to complete a contract’ under section 2 of the Data Protection Acts 1988 and 2003. Basically if you can demonstrate that the thing that the customer wants to do (and has asked to do) can’t be done without having a cookie to temporarily store some data on the subscribers ‘terminal equipment’.

So. How do you do that? And how do you identify which of the cookies your site and processes are writing fall into the camp of needing to be flagged and consented to and which ones fall into the ‘doable because we can’t deliver without it’?

By stepping back and looking at the MEANING and PURPOSE of the information you are writing to the devices of people who are visiting your site you can start to make informed business driven choices about what needs to be changed and why in terms of how your websites work. This means having to look at the process flow and information flow underpinning your website and informing yourself about what is being done where, why, how, and by whom.

I can’t upload graphics to this blog, but over the next few weeks I’ll post some articles over on my company website that will examine some of the approaches to doing that kind of analysis as part of an Information Governance framework that will support Data Protection goals. However, it is important to note that this is not a job (just) for techies because you need to be very clear on the “Just because you can doesn’t mean you should” aspects of Data Protection. This must be lead by the Business leadership of the organisation because, ultimately, they are the people who will have to explain to the Data Protection Commissioner, the Courts, and Joe Duffy what the cookies on the website were doing.

When you write a cookie to someone’s device (pc, phone etc.) you are essentially renting space from them to store information about them or their behaviour or what their interactions might be. Individuals can limit your ability to rent that space using browser settings to block cookies, but at the current state of the art these are somewhat crude tools and, in the case of Flash, are not actually a complete set of tools (you need to do different things to block Flash Cookies).

The forthcoming regulations seek to introduce a rebalancing of the rights and duties relating to the information stored by and represented in cookies in line with the spirit and practice of Data Protection law and Privacy rights. It will take time for that balance to settle, but those who take the time now to understand the meaning and purpose of cookies they are using and their role in the processes running on their websites will be in a much stronger position to meet future Compliance standards under these regulations.