Cookies … Practical steps to compliance. 14 Oct 2011, Fedelma Good, Head of Marketing Privacy & Information Management

Upload: kedwards100

Post on 29-Nov-2014

Page 1: Barclays

Cookies

14 Oct 2011

Fedelma Good

Head of Marketing Privacy & Information Management

…Practical steps to compliance

Page 2: Barclays

1. Check what type of cookies and similar technologies you use and how you use them.

2. Assess how intrusive your use of cookies is.

3. Decide what solution to obtain consent will be best in your circumstances.

ICO Guidance

Page 3: Barclays

Check what type of cookies you use

• This might have to be a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why.

• You should analyse which cookies are strictly necessary and might not need consent. You might also use this as an opportunity to ‘clean up’ your webpages and stop using any cookies that are unnecessary or which have been superseded as your site has evolved.

Page 4: Barclays

Sample audit questions (1 of 2)

• Date questionnaire completed

• Business area

• Form completed by (name, job title), email address, telephone number

• Website name / URL

• What EU countries is the website aimed at?

• Does the site provide access to a Privacy policy? (If yes, provide link)

• Does the site provide access to a Cookie policy? (If yes, provide link)

• If yes, does your cookie policy provide information to the individual about how to switch cookies off?

• Does the site provide access to any other privacy/cookies/security related policy? (If yes, provide link)

Page 5: Barclays

Sample audit questions (2 of 2)

• Cookie 'name' or id (to facilitate any subsequent conversations about a specific cookie)

• Cookie Purpose (description)

• Is the cookie being used to support the delivery of targeted marketing or advertising communication?

• What data does the cookie hold?

• What is the Cookie expiry date?

• Is it a First or Third party cookie?

• If Third Party, please state third party name

• What type of cookie is it? Temporary? Persistent? Flash?

Page 6: Barclays

Assess cookies on a privacy scale …

• ….It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.

Page 7: Barclays

Decide what solution to obtain consent will be best in your circumstances

• Once you know what you do, how you do it and for what purpose, you need to think about the best method for gaining consent. The more privacy intrusive your activity, the more you will need to do to get meaningful consent….

Page 8: Barclays

Barclays Approach

Barclays' approach to compliance consists of four key elements:

1. Understanding Barclays' existing landscape

2. Determining what changes are needed to the information provided to users

3. Determining what changes are needed to Barclays technology

4. Determining what process changes are needed internally within Barclays

Underpinning all of this is an ongoing evaluation of what legal compliance looks like.

Page 9: Barclays

Barclays Existing Landscape

Our initial audit was a catalyst for additional activities:

• Making easy and immediate changes to customer policies

• Developing an action plan and prioritising work for high privacy impact cookies

• Starting to consider how our Cookie policies will need to be updated

• Engaging with other organisations and sharing knowledge

Page 10: Barclays

Barclays Existing Landscape

Enhanced due diligence

• Initial responses are being reviewed to ensure that all “live sites” have been captured

• Exploring the option of having a third party independently verify initial findings

• Mapping customer journeys

• Need to give more detailed consideration to the steps that are necessary in relation to third party websites e.g. white labelled, partnership sites, internal sites that face out to the world, etc.

• Will consider how to audit other technologies e.g. email, mobile apps, social media etc

Page 11: Barclays

A quick checklist

• Ensure the issue is understood by senior stakeholders

• Inform and educate internally

• Set up a cross functional task force (IT / Digital, Legal, Compliance, PR, Marketing …) to manage the process through to completion

• Ensure customer facing staff know what to say if customers ask what your company is doing to comply

• Make easy and immediate changes, e.g. adding a single line entry in your cookie policies to tell your customers what you are doing, such as: “With regards to the new requirements on Cookies following the revision of the e-Privacy Directive, Barclays is working towards implementing the new requirements in line with guidance from the Information Commissioner's Office.”

• Audit all cookies across all sites (don’t forget about third party cookies, and third parties with whom you work in the online world)

• Review the audit findings and develop your action plan, prioritising action for high privacy-impact cookies

• Update your cookie and related policies

• Keep your staff updated as you progress

• Put in place a process for managing / monitoring cookie use going forward

• And above all … keep talking to other organisations and share the knowledge you gather along the way