
Cookies: best practice September 2012 by Fedelma Good, Barclays

Page 1

Cookies Best Practice

Fedelma Good Head of Marketing Privacy & Information Management

20th September 2012

Page 2

Covering

• The law

• The ICO’s stance

• What Barclays did to ensure compliance

• Yes there were some challenges!

• Current state of play

Page 3

The law

• The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (UK Regulations) came into force on 26 May 2011

• For clarity the EU laws have been in place since 2003 and always required anyone using cookies to provide clear information about them

• The changes dramatically tightened the rules: now, anyone depositing cookies is required not just to provide clear information about them but also to obtain consent from users to store a cookie on their device

• Technically all firms in Europe must comply with the law but in the UK we were given until end May 2012 to ensure compliance

• Opinions and advice varied right from the outset…

Page 4

But it’s not just about cookies

• The law isn’t actually about cookies, but because it affects them so much people have always referred to it as the ‘Cookie Law’

• The law covers all technologies which store information in the “terminal equipment” of a user, and that includes so-called Flash cookies (Locally Stored Objects), HTML5 Local Storage, web beacons or bugs…and more

And it doesn’t just apply to websites …

• We also need to think about other instances where similar technologies are used e.g. emails and Apps.

Page 5

This is what the law requires:

• A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

• (2) The requirements are that the subscriber or user of that terminal equipment-
– a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
– b) has given his or her consent.

• There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
– a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
– b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Page 6

In summary

Those setting cookies must:

• tell people that the cookies are there,

• explain what the cookies are doing, and

• obtain their consent to store a cookie on their device.

Page 7

The ICO’s advice remains consistent

“It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous requirements in this area.”

1. Check what type of cookies and similar technologies you use and how you use them.

2. Assess how intrusive your use of cookies is.

3. Decide what solution to obtain consent will be best in your circumstances.

Page 8

There was real nervousness about impact

Page 9

Particularly when this was released

Page 10

What Barclays did to ensure compliance

• We began our preparatory work in relation to cookies back in 2010 with the development of training materials to help colleagues understand cookies in more detail

• Those same training materials were subsequently shared with many other organisations, including the ICO and DCMS

• In 2011, our compliance journey began in force …

Page 11

A step-by-step group-wide approach

• We read and took the ICO’s advice and guidance to heart and used this as the starting point for our own approach.

We’re a big group with lots of different technology and websites in place!

• Thus, our approach to cookie compliance comprised group level elements running in parallel with each business area’s own activity

Page 12

Group Level Activities

• Group wide cookie steering group established

• Group Cookie Standard written. This clearly set out that compliance would be required for:
– websites (excluding intranet sites)
– mobile apps and
– emails (where relevant)

• Regular internal discussions / forums held to share ideas and learnings

• Participation in industry level discussions throughout e.g. the ICC, DMA

• General principles defined for websites, mobile apps and emails …

Page 13

Websites

• Consent can be implied or explicit depending on the underlying technology used

• Consent can be site or linked-site specific (within session)

• The ICC cookie classifications will be used as the starting framework for describing cookies in use on each site

• We will display a One Time Message (OTM) in combination with an Enhanced Cookies Notice

• The Cookies notice will be easily accessible to site visitors

• On websites which use only strictly necessary cookies we will, wherever possible, include a relevant information message

• We will work only with Third Parties who are prepared to move towards signing up to the IAB’s Ad Choices principles

Page 14

Mobile apps & emails

Mobile applications:
– Agreed approach was acceptance to cookies via mobile apps Ts&Cs
– Standard template clause for inclusion in Ts&Cs was drafted and signed off

Emails:
– Agreed approach, given our current email deployment strategy, was to include cookie information wording within all emails which made use of relevant technology
– For some consented emails (i.e. where the individual has signed up to receive the email) we have (a) written to inform if cookie type technology is used and (b) adjusted the consent wording for those now signing up.

Page 15

Activity undertaken within each business area

• Accountable executive appointed

• Business area steering groups and project team established

• Available cookie audit software reviewed and partner(s) selected

• Full audit of business area’s websites

• Inactive websites identified and closed down

• Site by site cookie audits conducted

• Full audit of business area’s emails and use of cookies in emails

Page 16

Activity undertaken within each business area

• HLD (High Level Design) reviewed and signed off for each site

• Customer facing language (including cookie policy) for each site drafted and signed off

• Each site solution was
– Developed in test environment;
– Technology Tested;
– User Acceptance Tested

• Solution taken through customer usability research

• Business area site / cookie log developed

• Customer ‘facing’ staff awareness materials including FAQs developed and circulated

Page 17

And it wasn’t just about compliance for 26th May

• We recognised that we must remain compliant going forward and have adopted relevant processes and controls, for example:

[Flowchart: Maintenance of Cookies Registry and updating sites Enhanced Cookies Notice. Swimlanes: Third Party Agency, Business Owner, Vendor.]

1. Submit list of UKRBB websites to vendor

2. Receive list of UKRBB websites

3. Run reports

4. Send reports to Barclays

5. Receive reports

6. Update cookies registry

7. Is site maintained by Barclays? (Yes / No)

8. Send details to relevant third party agency

8.1 Receive details regarding sites ECN

8.2 Make changes to sites Enhanced Cookies Notice

9. Raise Demand Request to Content Team

10. Content Team update Enhanced Cookies Notice

11. End

Page 18

Examples:

Page 19

Retail online banking

Page 20

Enhanced cookies notice

Page 21

Enhanced cookies notice

Page 22

Barclays .mobi - public site

Page 23

.mobi - member One Time Message screen design

Page 24

Woolwich.co.uk

Page 25

www.barclays.com

Page 26

www.barclays.com – Cookie Settings

Page 27

Yes there were some challenges! …

Emails

Pre-header

• We use cookies in this email to help us understand whether you have opened it and clicked on any links. To accept these cookies simply enable images, or click on any link in this email.

• To find out more, please see the information at the end of this email.

Footer

• We use cookies or similar technologies in this email. If you enable images, or click on any link within the email, cookies will be stored locally on your computer or mobile device. They help us to know a little bit about how you interact with our emails, which we use to help improve our future email communications – both for you and for others.

•To find out more about cookies in emails, please follow the link below. If your email settings have disabled links in this email, you can paste this address into your browser without enabling/accepting cookies.

•For more information visit <URL>

Page 28

How did we do?

Source: www.smartinsights.com – May 28 2012

Page 29

Just when we thought it had all gone quiet

• Silktide published this video

• And then this

• An ICO spokesman said, “We welcome any opportunity to help us draw attention to this matter as a key part of our work in ensuring compliance with the cookie law has been making businesses aware of the regulations.” An ICO blog post notes education is “key to cookie law progress.”

• And it might have all blown over but the BBC picked up on the story …

Page 31

Current state of play

• Since the new EU Cookie Directive came into force in the UK three months ago, around six in ten top websites have taken steps to address the law.

Research carried out by data privacy management solutions firm TRUSTe shows that 63 per cent have made efforts to comply with the legislation.

Of these 51 per cent have implemented "minimal" privacy notices with "limited" cookie controls, while 12 per cent have introduced "prominent" notices with "robust" controls.

Only 37 per cent of those questioned have not taken any steps to address the directive, which directs website publishers to gain consent from users before using cookies.

Chris Babel, chief executive of TRUSTe, said his company's research shows that many companies have begun to take the legislation seriously and have devoted time and resources to dealing with it.

"At the same time it is clear that some companies have yet to put a compliance solution in place," he said.