Joe's Blog : (Updated 30/04/12) School websites and the new EU cookie law06/07/2011

The latest news from behind the scenes at Firefly

Please note that the content of this page was updated on Monday 30 April 2012, to include amendments and clarifications that have since emerged regarding the legislation discussed.

We've had a number of clients ask about the new EU cookie law and how it affects their school website. I thought I'd put together some quick information on the cookie law and how it may or may not affect yours.

cookies.jpgWhat are cookies?

Cookies are small pieces of information that are stored by your computer as a way of remembering a visitor between webpages. Cookies are often used for login, remembering settings, analytics and tracking and more.

What is the new law?

From May 2011 a new privacy law came into effect across the EU requiring all websites ask visitors for consent before using certain types of cookies. Note that cookies that are deemed "strictly necessary" to a particular task the user is performing - for example keeping track of what is in a user's shopping basket on an online shop - do not require prior consent.

As the law is going to create a lot of work for website owners and developers, the UK government has said that it will not be taking any action before May 2012.

How can websites get consent?

This is where the law is let down by practicalities (did that ever happen before?). In theory as consent must be given before cookies are used, websites using cookies that are not "strictly necessary" will have to place some kind of pop up or prominent message as soon as the user enters the site asking whether they give consent to cookies being used. This will result in every website displaying the same/very similar splash screens that users get used to just clicking "OK", scared that the site will not function correctly if they choose the "No thanks" option.

Is my school website affected?

You need to ask the developers of your website whether and how cookies are used. For Firefly schools, we only use one cookie out of the box for guest users, and this is a cookie managed by our web framework, Microsoft's ASP.NET, that tracks the visitor's session between pages but does not store any user identifiable information.

Tracking the session is necessary for any functionality that needs to 'remember' what the user is doing between web pages - eg adding items to your Firefly shopping cart. As this cookie is part of the underlying Microsoft framework, it's likely that it will be regarded as "strictly necessary". Indeed, that is the approach that the Information Commissioner's Office have taken on their newly updated website: "One of the cookies we use is essential for parts of the site to operate and has already been set" refers to the same cookie we use.

This cookie is also used when/if users, such as current parents or staff, log in to keep track of their login session.  Further cookies are also used by the edit tools to remember recently inserted pictures, the position of the toolbar, and so on.  Consent for these can easily be added to your terms & conditions/acceptable use policy/parental agreements that you already have before giving a login to school systems.

If you use Google Analytics in your website to get statistics on incoming visitors, this uses cookies that are unlikely to be classed as "strictly necessary".  As useful as the statistics are to you, it's difficult to see how you could argue they are necessary for your site to function for the visitor.  As a result, if the law comes into force in May 2012 in its current form, you would have to get consent before using the Google Analytics tracking cookie.  This means it is highly likely that a significant proportion of your users (those that decline) will go untracked by Google.  They may still be tracked by your site's built in tracking system if it has one (Firefly has a built in hit statistics module).

Do I need to do anything?

It would be sensible, if you haven't already, to do an audit of what cookies are used by your site.  Ask the developers of your site and post a clear summary on the terms and conditions page of your website.  If you use Google Analytics, mention this and explain that it uses cookies to gather non personally-identifiable statistics on visitors.  If you have secure areas of the site, include in your terms and conditions of getting an account that the user agrees that cookies will be used to secure access and for various pieces of functionality on the site.  Remember that you only need consent ahead of time for cookies that are not strictly necessary.

Find out more

The ICO has published further advice on the new cookies regulations

Please note, we are not your lawyers!  To find out more please seek legal advice from your school's legal team or solicitor.

Contact us on 020 8133 4415, hi@fireflysolutions.co.uk, or follow @fireflyteam on Twitter

Powered by Firefly.NET

Acknowledgements

© 2005-2012 Firefly Solutions LLP

1 Lyric Square, London W6 0NB
Registered in England and Wales with partnership number OC336950. VAT registration number 981 8080 93.