The UK authority tasked with enforcing the new laws, the Information Commissioner’s Office (ICO), agreed to delay fully enforcing them for a period of 12 months. The delayed deadline for compliance (25 May 2012) is now fast approaching and it is important that all organisations are fully prepared to comply with the new laws by May or risk being fined up to £500,000.
Overview of Action Needed
The new rules on cookie use are relatively straightforward. However, translating them into practical action and implementing compliance measures may take some time.
Initially, businesses will need to undertake an audit of what cookies they use, how and why. Then decisions will need to be made about what practical measures will be used to comply with the new laws. This may involve consultation between different areas of the business, such as management and the marketing department. Once a decision has been made, it will then be the task of the technical staff to develop the agreed solution. This process is likely to take several weeks or even months.
What Is a Cookie?
Businesses should be aware that the new laws are drafted broadly to cover not only conventional cookie use, as described above, but “the storing of information, or the gaining of access to information already stored”. In this briefing, ‘cookie’ refers to both cookies per se and any other type of web tracking activity that is caught by this definition.
What Changes Do the New Laws Introduce?
The new laws maintain the need for clear and comprehensive information to be given, but instead of the previous ‘opt-out’, website owners now need to obtain a user’s consent to setting the cookies (effectively an ‘opt-in’).
Wherever possible, consent should be obtained before the cookie is set.
Unless the Cookie is ‘Strictly Necessary…’
There are limited exceptions to the need to obtain consent, most notably where the cookies are ‘strictly necessary’ to provide a service which has been requested by the user. An example of this is the ‘shopping basket’ cookie which is needed to remember what items an online shopper has put in their shopping basket when they reach the checkout. A cookie which is set purely for that purpose would be considered to be strictly necessary and exempt from the requirement of consent.
This exemption will not cover cookies which are required just to improve or enhance the user’s visit to the site, but it may include cookies which are required in order to provide adequate security measures for the user’s details.
How to Obtain Consent in Practice
Some cookies are more intrusive than others, depending on their purpose. Cookies which are used in order to set user preferences, for example, will be less intrusive than cookies which track a user’s browsing activity across the website itself or across multiple sites.
In December 2011, the ICO issued new guidance on what businesses should do to comply with the new laws. In essence it said that the more intrusive the cookie, the greater priority should be given to obtaining consent for its use.
The ICO went on to say that businesses already use various mechanisms on their websites to draw matters to users’ attention, for example, pop up boxes, banners, headers and footers, notices, tick boxes and so on. The ICO recommended that businesses simply use the same mechanisms to obtain consent to cookies.
The question for many businesses, however, is how to comply with the new law by giving an appropriate level of prominence to the information and request for consent, without ruining the look and feel of the website. Organisations are keen to avoid multiple pop-ups or splash pages, particularly on websites which deal with more serious subjects, such as investments, insurance or medical care.
If that approach is used, the more intrusive cookies must be given greater prominence and clear and full information must be provided about how and why those cookies are used.
Third Party Cookies
Occasionally, cookies will be set not by the website owner themselves but by a third party. Websites may display third party content, such as advertisements, video links or even credit card payment screens, which can allow third parties to set their own cookies. These cookies are often used to track a user’s movements over time so as to be able to serve targeted advertisements to them.
The third party setting the cookie will be primarily liable for compliance with the laws. However, according to the ICO, there is potential for both the website owner and the third party to be liable for any non-compliance. In practice, it will be the website owner that is likely to be able to control when and how consent is obtained, rather than the third party. The website owner is also likely to be in receipt of any complaints relating to cookies which are set via its site.
Website owners are, therefore, advised to identify not just what cookies they set via the site, but also what cookies any third parties set and what the purpose of those cookies is. They then need to decide how to provide the necessary information about and obtain consent for the use of those cookies as well as their own.
Third party content providers are likely to want website owners to accept responsibility for getting consent. However, website owners may not accept this, and traditionally, liability is excluded for third party content. Where a website owner fails to co-operate, a third party content provider may have no option but to either remove their content, disable the cookie, or try to find a way of obtaining its own consent where possible.
If they have not already done so, website owners should take the following steps as soon as possible:
- Audit what cookies your business uses and what third party cookies are set via your website.
- Identify what those cookies are used for. Are any of them unnecessary and could they be removed? Are any of them strictly necessary to provide a service requested by the user?
- List all remaining cookies in order of intrusiveness.
- Decide how to obtain consent for those cookies and ensure that sufficient information is provided about their use, giving priority to the more intrusive cookies.
- Implement the solution identified by 25 May 2012.
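As an added illustration (this is not code from the briefing, the ICO or any vendor), the following Node.js script models the audit-then-gate procedure in the action list above, and also shows the ‘strictly necessary’ distinction from the earlier section: a cookie register produced by the audit, a check of real Set-Cookie headers against that register, an ordering by intrusiveness, and a consent gate that only emits a cookie once the user has opted in to its category. The cookie names, categories, third party host and header values are constructed sample data, and the four-tier intrusiveness scale is an assumption; the briefing itself only distinguishes more and less intrusive cookies.

```javascript
// Added example: server-side model of "audit, classify, then gate on consent".
// All cookie names, categories and headers below are constructed sample data.

// Assumed four-tier intrusiveness scale (the briefing only says more/less intrusive).
const INTRUSIVENESS = {
  'strictly-necessary': 0,
  preferences: 1,
  analytics: 2,
  advertising: 3,
};

// The cookie register produced by the audit step (constructed).
const COOKIE_REGISTER = [
  { name: 'basket', category: 'strictly-necessary', setBy: 'first-party',
    purpose: 'remembers items in the shopping basket until checkout' },
  { name: 'csrf_token', category: 'strictly-necessary', setBy: 'first-party',
    purpose: 'protects forms against cross-site request forgery' },
  { name: 'lang', category: 'preferences', setBy: 'first-party',
    purpose: 'stores the chosen display language' },
  { name: '_site_stats', category: 'analytics', setBy: 'first-party',
    purpose: 'counts page views per visitor' },
  { name: 'ad_uid', category: 'advertising', setBy: 'ads.example-network.test',
    purpose: 'tracks visitors across sites to target adverts' },
];

// Extract the cookie name from a raw Set-Cookie header value.
function cookieNameFromSetCookie(header) {
  const firstPair = header.split(';')[0];
  const eq = firstPair.indexOf('=');
  return (eq === -1 ? firstPair : firstPair.slice(0, eq)).trim();
}

// Audit step: compare Set-Cookie headers observed in responses against the
// register and report any cookie nobody has documented yet.
function auditSetCookieHeaders(headers, register = COOKIE_REGISTER) {
  const known = new Set(register.map((c) => c.name));
  const seen = headers.map(cookieNameFromSetCookie);
  return {
    documented: seen.filter((n) => known.has(n)),
    undocumented: seen.filter((n) => !known.has(n)),
  };
}

// List cookie names from least to most intrusive (Array.prototype.sort is stable).
function byIntrusiveness(register = COOKIE_REGISTER) {
  return [...register]
    .sort((a, b) => INTRUSIVENESS[a.category] - INTRUSIVENESS[b.category])
    .map((c) => c.name);
}

// Consent gate: strictly necessary cookies need no consent; every other
// category requires an explicit opt-in. No recorded consent means no cookie.
function cookiesAllowed(consentedCategories, register = COOKIE_REGISTER) {
  const consented = new Set(consentedCategories);
  return register
    .filter((c) => c.category === 'strictly-necessary' || consented.has(c.category))
    .map((c) => c.name);
}

// Build Set-Cookie headers for a response, emitting only permitted cookies.
// Secure and SameSite=Lax are sensible defaults for first-party cookies.
function buildSetCookieHeaders(values, consentedCategories, register = COOKIE_REGISTER) {
  const allowed = new Set(cookiesAllowed(consentedCategories, register));
  return Object.entries(values)
    .filter(([name]) => allowed.has(name))
    .map(([name, value]) => `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
}

// Third party embeds whose cookies are not yet consented to should not be
// loaded at all, since the owner cannot stop them setting cookies once loaded.
function thirdPartyEmbedsToDefer(consentedCategories, register = COOKIE_REGISTER) {
  const allowed = new Set(cookiesAllowed(consentedCategories, register));
  const hosts = register
    .filter((c) => c.setBy !== 'first-party' && !allowed.has(c.name))
    .map((c) => c.setBy);
  return [...new Set(hosts)];
}

// Stand-alone demonstration on the constructed data.
const observed = ['basket=abc; Path=/', 'lang=en', '_legacy_tracker=1; Domain=.example.test'];
console.log('audit:', auditSetCookieHeaders(observed));
console.log('ranked:', byIntrusiveness());
console.log('no consent:', buildSetCookieHeaders({ basket: 'abc', lang: 'en', ad_uid: 'x' }, []));
console.log('deferred embeds:', thirdPartyEmbedsToDefer([]));
```

The audit output is the part worth running against a real site: any name in `undocumented` is a cookie the business has not yet classified, which is exactly what the first two steps of the action list are meant to surface.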