EU Cookies and Blackbaud Software
This issue with cookies is one of the biggest and hottest topics currently doing the rounds in the UK. We’ve had a large number of enquiries from people on how we should handle this issue when using Blackbaud software.
Well, just like you should, the first thing we did was complete a cookie audit of our software. We looked across the product at how and why we use cookies within it. After this we spoke to our legal team, who enlisted the help of industry security experts to make sure we had got things right. Here is what we found:
1. Payment part
3. Language selector
6. User Networking Manager
7. Content comparison
8. Suggested content
After scouring the legislation we identified that areas 1 – 6 are all exempt from the changes because the cookie is “strictly necessary” for service “explicitly requested” by the user. The fact that most of these will be behind a login is also key to this concept. The final two cookies are analytics-based cookies and are not strictly exempt, but the ICO stance on this is:
“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.”
No personal data is collected by either cookie 7 or cookie 8, so although they still fall under the legislation they are not within the purposes of the law.
The final piece is around Google Analytics. We spoke with Google on this subject recently, and their stance is that their software, whilst still coming into the realm of the law, is not intrusive enough to merit any changes under the new legislation, so it will not be changed as a result of the new law.
We will monitor the subject over the coming months and change our position if changes are made. The key message from the legal people at the forefront of this work right now is that as long as you are being seen to do something about the law then that is the best we can do at this stage.
So our recommendations for Blackbaud NetCommunity users are as follows:
1. Complete a full cookie audit on your entire website (not just the Blackbaud NetCommunity piece).
2. Remember that third-party plugins or ad software may create their own cookies and you need to be aware of this.
3. Publish the results of this audit on your website.
4. Create a section of your website which has this info and explains what cookies actually are, like the BBC does.
5. Make it clear on your website that a user can switch off cookies and perhaps even show them how to do this.
6. Do not try to hide this info away in submenus.
A good industry example of this is from BT, who have created the following on their site:
BT has used a pop-up on their site with the option to opt out. There is still some work to be done to clarify whether this is the best way to do this. The ICO has gone the other way and chosen opt-in, which has resulted in a 90% drop-off in web tracking by the ICO, a number which would be a major concern to most.
The UK Government digital service has taken another path on the use of analytics which seems to be very sensible.
If we follow all of the items on the list we should be comfortably covered for Blackbaud NetCommunity. We will shortly be publishing a full list of Blackbaud NetCommunity cookie names and uses so that you can use this when showing which cookies are being used.
The Patron Edge Online
The Patron Edge is far less complex than Blackbaud NetCommunity and creates only one cookie. The Patron Edge Online stores the session ID in an encrypted client-side cookie. The cookie is expressly for use when purchasing tickets and thus comes under the same rules of being “strictly necessary” for service “explicitly requested” by the user. So there should be no need to disclose this info. The cookie is automatically deleted as soon as the person completes the purchase or closes the browser.
Best practice should still be followed, however: completing a full cookie audit and being transparent about any cookies used on your site is very important. So our recommended actions are the same as those above for Blackbaud NetCommunity.
This has been a long, drawn-out process to get to this place but by complying with these recommendations we are confident that Blackbaud customers will be in the best place moving forward. Please do bear in mind that this is an area of the law that is in flux currently and with no test cases it’s not at all set in stone. We will monitor the situation and adjust where necessary. At a recent DMA conference on this subject, a number of industry experts across the legal, digital and direct marketing industries agreed that this was a largely unworkable law which will be subject to change in the future as the rules change or are firmed up. Ultimately this may eventually come down to being a browser setting but we can only watch and wait.
Finally, during our audit review we noticed that some of our cookies had a longer expiry date than we would perhaps like. While this is not relevant to what we are talking about today, it is something we take seriously and will be addressing in a future build of the software.
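An added example, not Blackbaud code, of the audit step recommended above, including the expiry check just mentioned: it inventories Set-Cookie headers collected from a site and records each cookie's party, lifetime and flags. The hosts, cookie names, fixed clock and 365-day review threshold are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_DAYS = 365  # assumed review threshold, not a figure from the post

def parse_set_cookie(header, now):
    """Parse one Set-Cookie header value into name, lifetime and flags."""
    first, *attrs = [p.strip() for p in header.split(";")]
    opts = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        opts[key.strip().lower()] = val.strip()
    days = None  # None = session cookie, discarded when the browser closes
    if opts.get("max-age", "").lstrip("-").isdigit():
        days = int(opts["max-age"]) / 86400  # Max-Age wins over Expires
    elif "expires" in opts:
        exp = parsedate_to_datetime(opts["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        days = (exp - now).total_seconds() / 86400
    return {"name": first.split("=", 1)[0], "days": days,
            "secure": "secure" in opts, "httponly": "httponly" in opts}

def audit(site_host, observations, now):
    """Inventory cookies seen as (responding_host, Set-Cookie value) pairs."""
    rows = []
    for host, header in observations:
        row = parse_set_cookie(header, now)
        # Suffix match is an approximation of "same site" for this example.
        own = host == site_host or host.endswith("." + site_host)
        row.update(host=host, party="first" if own else "third",
                   lifetime="session" if row["days"] is None else "persistent",
                   review=row["days"] is not None and row["days"] > MAX_DAYS)
        rows.append(row)
    return rows

NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)  # fixed clock (constructed)
SAMPLE = [  # constructed observations, not real Blackbaud cookie names
    ("www.example.org", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.org", "lang=en-GB; Max-Age=2592000; Path=/"),
    ("www.example.org", "prefs=1; Expires=Wed, 01 Jun 2022 00:00:00 GMT"),
    ("ads.example.net", "uid=xyz; Max-Age=63072000; Domain=.example.net"),
]

if __name__ == "__main__":
    for r in audit("example.org", SAMPLE, NOW):
        life = "session" if r["days"] is None else f"{r['days']:.0f} days"
        print(r["party"], r["host"], r["name"], life,
              "REVIEW" if r["review"] else "")
```

The resulting rows map directly onto a published cookie table: name, who sets it, how long it lasts, and whether its lifetime needs a second look.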
You can keep up with us on Twitter by following @bbsupport; we use the hashtag #bbnc when we discuss Blackbaud NetCommunity and #bbpe when we discuss The Patron Edge. Take a look at our Twitter Guide for more information.