Community Guidelines
Do not reveal personal information inadvertently.
You may be "shedding" personal details, including e-mail addresses and other contact
information, without even knowing it unless you properly configure your Web browser.
In your browser's "Setup", "Options" or "Preferences" menus, you may wish to use
a pseudonym instead of your real name, and not enter an e-mail address, nor provide
other personally identifiable information that you don't wish to share. When visiting
a site you trust, you can choose to give them your info in forms on the site; there
is no need for your browser to potentially make this information available to all
comers. Also be on the lookout for system-wide "Internet defaults" programs on your
computer (some examples include Windows' Internet Control Panel, MacOS's Configuration
Manager, and the third-party Mac utility named Internet Config). While they are
useful for various things, like keeping multiple Web browsers and other Internet
tools consistent in how they treat downloaded files and such, they should probably
also be anonymized just like your browser itself, if they contain any fields for
personal information.
Turn on cookie notices in your Web browser, and/or use cookie management software
or infomediaries.
"Cookies" are titbits of information that Web sites store on your computer, temporarily
or more-or-less permanently. In many cases cookies are useful and innocuous. They
may be passwords and user IDs, so that you do not have to keep retyping them every
time you load a new page at the site that issued the cookie. Other cookies, however,
can be used for "data mining" purposes, to track your motions through a Web site,
the time you spend there, what links you click on and other details that the company
wants to record, usually for marketing purposes. Most cookies can only be read by
the party that created them. However, some companies that manage online banner advertising
are, in essence, cookie sharing rings. They can track which pages you load, which
ads you click on, etc., and share this information with all of their client Web
sites (which may number in the hundreds, even thousands).
Consumer understanding of cookies
A clear understanding of users’ levels of awareness of what cookies are, what they
are used for and how they can be managed, is fundamental to any consideration of
the level of detail that needs to be provided about cookies, and the way in which
the requirement to obtain consent can be satisfied. Research into consumers’ understanding
of the internet and cookies demonstrates that current levels of awareness of the
way cookies are used and the options available to manage them are limited. The Department
for Culture, Media and Sport commissioned PricewaterhouseCoopers LLP (PWC) to conduct
research into the potential impact of cookies regulation1. PWC conducted an online
survey of over 1000 individuals in February 2011. Despite the report acknowledging
that the most intensive internet users are overrepresented in the sample, the results
illustrate that significant percentages of these more ‘internet savvy’ consumers
have limited understanding of cookies and how to manage them:
- 41% of those surveyed were unaware of any of the different types of cookies (first
party, third party, Flash / Local Storage). Only 50% were aware of first party cookies.
- Only 13% of respondents indicated that they fully understood how cookies work, 37%
had heard of internet cookies but did not understand how they work and 2% of people
had not heard of internet cookies before participating in the survey.
- 37% said they did not know how to manage cookies on their computer.
- The survey tested respondents’ knowledge of cookies, asking them to confirm if a
number of statements about cookies were correct or not. Out of the sixteen statements
only one was answered correctly by the majority of respondents.
Those who use the internet less regularly, or have a generally lower level of technical
awareness, are even less likely to understand the way cookies work and how to manage
them. The report concluded that ‘broader consumer education about basic online privacy
fundamentals could go a long way toward making users feel more comfortable online
and also enable them to take more control of their privacy while online’ and that
‘online businesses will need to evolve their data collection and usage transparency
in order to illustrate to consumers the benefits of opting-in.’
Terminology and definitions
The Regulations apply to cookies and also to similar technologies for storing information.
This could include, for example, Local Shared Objects (commonly referred to as “Flash
Cookies”), web beacons or bugs (including transparent or clear gifs).
A cookie is a small file, typically of letters and numbers, downloaded on to a device
when the user accesses certain websites. Cookies allow a website to recognise a
user’s device.
For more information see: http://www.allaboutcookies.org/
Session and persistent cookies
Cookies can expire at the end of a browser session (from when a user opens the browser
window to when they exit the browser) or they can be stored for longer.
The Regulations apply to both types of cookies:
Session cookies – allow websites to link the actions of a user during a browser
session. They may be used for a variety of purposes such as remembering what a user
has put in their shopping basket as they browse around a site. They could also be
used for security when a user is accessing internet banking or to facilitate use
of webmail. These session cookies expire after a browser session so would not be
stored longer term. For this reason session cookies may sometimes be considered
less privacy intrusive than persistent cookies.
Persistent cookies – are stored on a user’s device in between browser sessions
which allows the preferences or actions of the user across a site (or in some cases
across different websites) to be remembered. Persistent cookies may be used for
a variety of purposes including remembering users’ preferences and choices when
using a site or to target advertising.
First and third party cookies – Whether a cookie is ‘first’ or ‘third’ party
refers to the website or domain placing the cookie. First party cookies in basic
terms are cookies set by a website visited by the user - the website displayed in
the URL window. Third party cookies are cookies that are set by a domain other than
the one being visited by the user. If a user visits a website and a separate company
sets a cookie through that website this would be a third party cookie.
Storing Personal Information and Tracking User Behaviour
While cookies by themselves cannot dig or research your information or search your computer, they
do store personal information in at least two ways—form information and ad tracking.
This personal information is not generated by the cookies themselves but by your
own input into websites' order forms, registration pages, payment pages, and other
online forms. Often used for ecommerce, this information is often encoded and protected
from hacking by the remote server through limited interaction via security features
like secure sockets layers (SSL) certified pages and similar network security schemes.
Maximizing advertising effectiveness through cookie-based user profiling
Google's ad-serving platform embodies many of the technological innovations
used by other ad serving companies—it uses a user profiling system that tracks and
models a particular user's browsing and ad clicking habits. Google has long
provided contextual advertising—ads are triggered by the words on a page. Google's
ad serving system has added another layer to this technology—user preference modelling/tracking.
Simply put, when a user visits particular websites or reads particular content,
Google's ads will try to serve ads to that user that match their content browsing
preferences. The preferences are not consciously or explicitly set by the user but
modelled after the user's browsing history, page viewing, and ad clicking history.
Accordingly, when a user reads “dog training” pages and moves on to another Google
ad-powered page that might not be related to dog training, dog training ads might
follow the user to the new page. There is no obvious notice or notification sent
to the user that the user's actions online are being tracked for ad-serving purposes.
As observed by some online consumer privacy groups, this ubiquitous tracking and
ad-specificity increase the effectiveness of ads. However, they urge that such increased
ad effectiveness must be weighed against the impact on user privacy and the fact
that there is no obvious consent given for such tracking. Given the rapid evolution
of cookie-based ad-serving and behaviour-tracking technology, consumer privacy activists
are urging a reconsideration of the default standards for cookies. The rise and
fall of flash cookies intensified the privacy debate.
What can I do to manage cookies stored on my computer?
Different browsers offer differing ways to configure your browser's cookie
settings. Due to the wide range of differences among differing websites' privacy
policies, many browsers allow for universal privacy settings which users can choose
from.
Users choose differing privacy settings based on their differing privacy concerns.
Most commercial and/or professionally-created websites like Yahoo and Google
have privacy policy pages that disclose how the sites handle, gather, and/or pass
on user information to third parties.
Some modern browsers have a feature that will analyse website privacy policies and
allow a user to control their privacy needs. These are known as "P3P" features (Privacy
Preferences Platform). Get more information on P3P.
If you are a commercial website owner or operator and need help on how to implement
a technically sound yet ethical cookie and privacy policy that protects your website's
visitors while maintaining the effectiveness of your website, such as
and other websites, please get in touch with Wolf Software for custom
assistance. They have a number of options suitable and compliant with the European
regulations on privacy.
If the commercial website you are visiting lacks a privacy policy, be very careful
with any information you enter into any forms within the site.
You can easily remove any cookies that have been created in the cookie folder of
your browser. For example, if you are on a Windows machine, here are the steps on
how to use Windows Explorer to erase cookie files:
- Click on ‘Windows Explorer’
- Select the ‘Search’ button on the tool bar
- Enter ‘cookie’ into the search box field for ‘Folders and Files’
- Choose ‘My Computer’ in the ‘Look In’ drop down menu
- Click on ‘Search Now’
- Select and open the folders that are retrieved
- Click to highlight any cookie file
- Press the ‘Delete’ key to erase the cookie file.
If you don't have Windows Explorer, click the “Help” function on your “Start” button
and enter “cookies” to search for information on how to locate the folder.
There are a number of ways to manage cookies. You can clear cookies, prevent cookies,
delete cookies and enable cookies at your will and for different circumstances. If
you use different computers in different locations you will need to ensure that
each browser is adjusted to suit your cookie preferences.
THE LAW
As of the 26th May 2012 all UK websites must comply with the new cookie regulations.
The law requires:
a person shall not store or gain access to information stored,
in the terminal equipment of a subscriber or user unless the requirements of paragraph
(2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) Is provided with clear and comprehensive information about the purposes
of the storage of, or access to, that information; and
(b) has given his or her consent.
Those setting cookies must:
- tell people that the cookies are there,
- explain what the cookies are doing, and
- obtain their consent to store a cookie on their device.
The Information Commissioner's Office (ICO) is responsible for ensuring that organisations comply with the cookie law. The ICO has issued two sets of guidelines, so far, with the most recent reminding those concerned how the law ‘will not go away.’
Exceptions from the requirement to provide information and obtain consent
There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
(a) For the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) Where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user
Practical advice for those wishing to comply
The Information Commissioner wants to provide as much flexibility as possible for organisations to design solutions that meet their business needs and provide users with the choices they require. It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous requirements in this area.
First steps
If you have not started work on complying with these rules it is important to do
so now. The first steps should be to:
- Check what type of cookies and similar technologies you use and how you use them.
- Assess how intrusive your use of cookies is.
- Where you need consent - decide what solution to obtain consent will be best in your circumstances.
- Check what type of cookies you use and how you use them
You should already know what cookies you are using, but it would be sensible to recheck that at this point. This might have to be a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why. You should analyse which cookies are strictly necessary and might not need consent. You might also use this as an opportunity to ‘clean up’ your web pages and stop using any cookies that are unnecessary or which have been superseded as your site has evolved.
- Assess how intrusive your use of these cookies is
Although the law makes no distinction between different types of cookie, it is intended to add to the level of protection afforded to the privacy of internet users. Therefore it follows that the more intrusive your use of cookies is, the more priority you will need to give to considering changing how you use it. Some of the things you do will have no privacy impact at all and may even help users keep their information safe. Other technologies will simply allow you to improve your website based on information such as which links are used most frequently or which pages get fewest unique views. However, some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent. It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately, providing more information and offering more detailed choices at the intrusive end of the scale.
The Information Commissioner recognises that ‘how intrusive’ an activity will depend to an extent on the view taken by the user so it can be difficult to judge. This difficulty, however, should not be a barrier to making a sensible judgement about which of your activities might cause users concern and which will not.
- Decide what solution to obtain consent will be best in your circumstances
Once you know what you do, how you do it and for what purpose, you need to think about the best method for gaining consent. The more privacy intrusive your activity, the more you will need to do to get meaningful consent.
Conducting a cookies audit
An audit of cookies could involve the following steps and considerations:
- Identify which cookies are operating on or through your website
- Confirm the purpose(s) of each of these cookies
- Confirm whether you link cookies to other information held about users, such as usernames
- Identify what data each cookie holds
- Confirm the type of cookie – session or persistent
- If it is a persistent cookie how long is its lifespan?
- Is it a first or third party cookie? If it is a third party cookie who is setting it?
- Double check that your privacy policy provides accurate and clear information about each cookie
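The audit questions above on cookie type, lifespan and first or third party can be answered mechanically from the Set-Cookie headers a site's pages produce. The following is an added example, not part of the original guidance; the hosts, cookie names and fixed clock are constructed, and the first-party test (same host or a subdomain of the audited site) is a simplifying assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE = "shop.example"  # the site being audited (constructed name)
NOW = datetime(2030, 5, 26, tzinfo=timezone.utc)  # fixed clock so results are reproducible
# Constructed sample: (host that sent the response, raw Set-Cookie header value).
OBSERVED = [
    ("shop.example", "basket=3f9a; Path=/; HttpOnly"),
    ("shop.example", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("ads.tracker.example", "uid=7c21e0; Expires=Wed, 26 May 2032 00:00:00 GMT"),
    ("www.shop.example", "promo=seen; Max-Age=0"),
]

def parse_set_cookie(raw):
    """Split one Set-Cookie value into (name, attrs); attribute names are lower-cased."""
    first, *rest = [part.strip() for part in raw.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifespan_days(attrs, now):
    """None means a session cookie; otherwise days until expiry (Max-Age beats Expires)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            expiry = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date is ignored, leaving a session cookie
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        return (expiry - now).total_seconds() / 86400
    return None

def is_first_party(setting_host, site):
    """Simplification: same host or a subdomain of the audited site counts as first party."""
    host, site = setting_host.lower().rstrip("."), site.lower().rstrip(".")
    return host == site or host.endswith("." + site)

def audit(observed, site, now):
    """Return one row per cookie answering the audit questions on type, lifespan and party."""
    rows = []
    for host, raw in observed:
        name, attrs = parse_set_cookie(raw)
        days = lifespan_days(attrs, now)
        kind = "session" if days is None else "persistent" if days > 0 else "deleted"
        rows.append({"name": name, "set_by": host, "type": kind,
                     "party": "first" if is_first_party(host, site) else "third",
                     "lifespan_days": None if days is None else round(days, 1)})
    return rows

if __name__ == "__main__":
    for row in audit(OBSERVED, SITE, NOW):
        print(row)
```

The purpose of each cookie, the data it holds and whether it is linked to other user information still have to be confirmed by the people responsible for the site; the script only covers what the headers themselves reveal.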
Keep a "clean" e-mail address.
When mailing to unknown parties; posting to newsgroups, mailing lists, chat rooms and other public spaces on the Net; or publishing a Web page that mentions your e-mail address, it is best to do this from a "side" account, some pseudonymous or simply alternate address, and to use your main or preferred address only on small, members-only lists and with known, trusted individuals. Addresses that are posted (even as part of message headers) in public spaces can be easily discovered by spammers (online junk mailers) and added to their list of targets. If your public "throw away" address gets spammed enough to become annoying, you can simply kill it off, and start a new one. Your friends, boss, etc., will still know your "real" address. You can use a free (advertising-supported) e-mail service provider like Yahoo Mail or Hotmail for such "side" accounts. It is best to use a "real" Internet service provider for your main account, and to examine their privacy policies and terms of service, as some "free mail" services may have poor privacy track records. You may find it works best to use an e-mail package that allows multiple user IDs and addresses (a.k.a. "personalities", "aliases") so that you do not have to switch between multiple programs to manage and use more than one e-mail address (though you may have to use a Web browser rather than an e-mail program to read your mail in your "throw away" accounts - many freemail providers do not allow POP or IMAP connections).
Beware sites that offer some sort of reward or prize in exchange for your contact information or other personal details.
There's a very high probability that they are gathering this information for direct marketing purposes. In many cases your name and address are worth much more to them because they can sell it to other marketers (who can do the same in turn...) than what you are (supposedly) getting from them. Be especially wary of sweepstakes and contests. You probably won't win, but the marketer sure will if you give them your information.
Do not reply to spammers, for any reason.
"Spam", or unsolicited bulk e-mail, is something you are probably already familiar with (and tired of). If you have a good Internet service provider, you may be able to forward copies of spam e-mail to the system administrators who can route a complaint to the ISP of the spammer (or if you know a lot about mail headers and DNS tools, you can probably contact these ISPs yourself to complain about the spammer).
Be conscious of Web security.
Never submit a credit card number or other highly sensitive personal information without first making sure your connection is secure (encrypted). In Netscape, look for a closed lock (Windows) or unbroken key (Mac) icon at the bottom of the browser window. In Internet Explorer, look for a closed lock icon at the bottom (Windows) or near the top (Mac) of the browser window. In any browser, look at the URL (Web address) line - a secure connection will begin with "https://" instead of "http://". If you are at a page that asks for such information but shows "http://", try adding the "s" yourself and hitting enter to reload the page (for Netscape or IE; in another browser, use whatever method is required by your browser to reload the page at the new URL). If you get an error message that the page or site does not exist, this probably means that the company is so clueless - and careless with your information and your money - that they don't even have Web security. Take your business elsewhere.