Reminder of the law
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the ‘Privacy Regulations’) enacted last summer require that any person setting cookies (or similar technologies) on the terminal equipment of users, or accessing any information stored in the cookies, must have provided users with “clear and comprehensive” information about the purposes for which the cookies are used and obtained their consent to the setting and use of the cookies. The main exemption from this obligation is where the cookies are “strictly necessary” for a service which the user has requested. This exception will be narrowly construed. By way of guidance, the ICO has stated that the following are likely to be considered strictly necessary: cookies remembering the goods a user has put in a virtual basket; cookies providing essential security to comply with data protection law; and cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers. The following uses are not strictly necessary and so require consent: cookies used for analytical purposes (e.g. counting visitors); first- and third-party advertising cookies; and cookies recognising a user so that the website can be tailored.
What do you need to be doing?
- Carry out an audit
The first thing you need to do is make an inventory of the type of cookies you are using and what you are using them for. You need to check which cookies are necessary and which might require a user’s consent. You should also consider if your website displays content from a third party (e.g. advertisements) as that third party could be setting cookies on your users' devices. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom.
A useful way to organise the inventory is to group each cookie into one of the following categories:
- strictly necessary;
- performance cookies;
- functionality cookies; and
- targeting/advertising cookies.
The ICO is most worried about the very intrusive cookies; it informed The Register that "provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
- Decide which method of obtaining consent best suits your circumstances
Possible methods include:
- scrolling text in a header or footer, shown when you want to set a cookie on a user's device, which prompts the user to make further choices.
The ICO notes that in the future websites may be able to rely on users’ browser settings as a means of consent. However, the ICO has made it clear that you cannot yet rely on this method, as most browser settings are not sophisticated enough. The ICO has suggested that in determining its approach to compliance an organisation should take into account the standard of compliance achieved by others within that organisation’s sector: “After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask ‘if they can do it, why can’t you?’”
Consequences of not complying
Serious breaches of the Privacy Regulations may attract monetary penalties of up to £500,000. A serious breach is defined as a serious contravention of the Privacy Regulations likely to cause substantial damage or distress. Such a contravention must have been deliberate, or the person responsible must have known or ought to have known that a contravention would occur and then failed to take reasonable steps to prevent it. On this basis, non-compliance with the cookie law is unlikely to attract the maximum fine.
The ICO has stated that while it does not anticipate “a wave of enforcement action after the lead-in period ends”, it does expect organisations to have used the year’s lead-in period productively and to have ensured that they are working towards becoming fully compliant.
The ICO’s guidance on complying with the law can be found here.
The ICC’s guidance on complying with the law can be found here.