On 26th May 2012 the Information Commissioner’s Office (the ‘ICO’) will start enforcing the changes to the cookie law, as the 12-month lead-in period for website owners to put their houses in order will have come to an end.  This means that organisations which use cookies on their websites have only three weeks from today to take the practical steps they need in order to obtain consent for their cookie use.

Reminder of the law

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the ‘Privacy Regulations’), enacted last summer, require that any person setting cookies (or similar technologies) on the terminal equipment of users, or accessing any information stored in the cookies, must have provided users with “clear and comprehensive” information about the purposes for which the cookies are used and obtained their consent to the setting and use of the cookies. The main exemption from this obligation is where the cookies are “strictly necessary” for a service which the user has requested. This exception will be narrowly construed. By way of guidance, the ICO has stated that the following are likely to be considered strictly necessary:

  • cookies remembering the goods a user has put in a virtual basket;
  • cookies providing essential security to comply with data protection law; and
  • cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers.

The following uses are not strictly necessary and so require consent:

  • cookies used for analytical purposes (e.g. counting visitors);
  • first and third-party advertising cookies; and
  • cookies recognising a user so that the website can be tailored.

What do you need to be doing?

  1. Carry out an audit

The first thing you need to do is make an inventory of the cookies you are using and what you are using them for. Check which cookies are strictly necessary and which require a user’s consent. You should also consider whether your website displays content from a third party (e.g. advertisements), as that third party could be setting cookies on your users’ devices; those cookies will not appear anywhere in your own code, so check what is actually set by loading your pages in a browser and inspecting the cookies in its developer tools rather than relying on a review of your source. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom.

  2. Assess how intrusive your use of cookies is

The purpose behind this law is to protect users’ privacy, so the more intrusive your use of cookies, the more urgency there is for you to put a consent process in place. The International Chamber of Commerce (the ‘ICC’) has produced a cookie guide to help organisations comply with the law.  This guide helps you work out how invasive the cookies you use are by splitting them into four categories, from least intrusive to most intrusive:

  1. strictly necessary;
  2. performance cookies;
  3. functionality cookies; and
  4. targeting/advertising cookies. 

The ICO is most worried about the very intrusive cookies; it informed The Register that "provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action." 

  3. Decide which method of obtaining consent best suits your circumstances

The ICO has made it clear that consent must involve “some form of communication where the individual knowingly indicates their acceptance.” This means that any form of implied consent, such as a privacy policy hidden at the bottom of a webpage which states ‘by using this website you consent to our use of cookies’, is not compliant. There are a number of ways in which you may be able to obtain consent:

  • pop-ups;
  • terms of use (note that users must indicate that they understand and accept any changes to the terms of use);
  • settings (whereby you explain to users that by allowing the website to remember certain choices, they are consenting to the use of cookies); and
  • scrolling text in a header or footer, shown at the point where you want to set a cookie on a user’s device, which prompts the user to make further choices.
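Whichever of these methods you choose, the practical consequence for your site’s own code is the same: nothing that needs consent may be written to the user’s device until the user has knowingly accepted, while the consent record itself and other strictly-necessary cookies may be set straight away. The JavaScript below is an added illustration of that gate; it is not code from the ICO, the ICC or this article. The cookie names and purposes are a constructed inventory of the kind the audit step produces, the four categories are the ICC’s, and the cookie “jar” is an assumed stand-in for document.cookie so the module also runs outside a browser.

```javascript
// Added example: consent-gated cookie setting. The inventory below is
// constructed for illustration; in practice it is the output of your audit.
// Categories follow the ICC guide: strictly necessary, performance,
// functionality, targeting/advertising.
const COOKIE_INVENTORY = {
  session_id:     { category: "strictly necessary", purpose: "keeps the user logged in and their basket" },
  cookie_consent: { category: "strictly necessary", purpose: "records the user's consent choice itself" },
  _analytics:     { category: "performance",        purpose: "first-party visitor counting" },
  lang_pref:      { category: "functionality",      purpose: "remembers the chosen language" },
  ad_id:          { category: "targeting/advertising", purpose: "advertising identifier" },
};

// Only the strictly-necessary category may be set without consent.
const CONSENT_REQUIRED = new Set(["performance", "functionality", "targeting/advertising"]);

// Minimal cookie jar (assumed abstraction) so the gate can be exercised in Node.
// In a page, back get/set with document.cookie instead.
function makeJar() {
  const store = new Map();
  return {
    get: (name) => store.get(name),
    set: (name, value) => { store.set(name, value); },
    names: () => [...store.keys()],
  };
}

// Consent counts only if it was explicitly recorded by recordConsent();
// a policy link in the footer or mere continued browsing is never treated as consent.
function consentGiven(jar) {
  return jar.get("cookie_consent") === "accepted";
}

// Call this from the Accept / Reject control of your pop-up or settings page,
// never unconditionally on page load. The consent cookie is itself strictly
// necessary, so writing it does not require prior consent.
function recordConsent(jar, accepted) {
  jar.set("cookie_consent", accepted ? "accepted" : "rejected");
}

// The single path through which the site sets cookies. Returns true if the
// cookie was written, false if it was withheld because consent is outstanding.
// Cookies missing from the inventory are refused, so the audit stays the source of truth.
function setCookieIfAllowed(jar, name, value) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) {
    throw new Error(`cookie "${name}" is not in the audit inventory; classify it before use`);
  }
  if (CONSENT_REQUIRED.has(entry.category) && !consentGiven(jar)) {
    return false;
  }
  jar.set(name, value);
  return true;
}

// Lists the inventoried cookies that would currently be withheld: handy for
// checking a page before and after the user accepts.
function withheldCookies(jar) {
  if (consentGiven(jar)) return [];
  return Object.entries(COOKIE_INVENTORY)
    .filter(([, entry]) => CONSENT_REQUIRED.has(entry.category))
    .map(([name]) => name);
}
```

The common mistake this guards against is loading an analytics or advertising script on page load and only then showing the banner: by the time the user sees the choice the cookie has already been set. Routing every cookie write through the gate, and refusing anything the audit has not classified, makes that ordering error visible in testing.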

The ICO notes that in the future websites may be able to rely on users’ browser settings as a means of consent. However, the ICO has made it clear that you cannot yet rely on this method, as most browser settings are not sophisticated enough.

The ICO has suggested that in determining its approach to compliance an organisation should take into account the standard of compliance achieved by others within that organisation’s sector: “After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask ‘if they can do it, why can’t you?’”

Consequences of not complying

Serious breaches of the Privacy Regulations may attract monetary penalties of up to £500,000. A serious breach is defined as a serious contravention of the Privacy Regulations likely to cause substantial damage or distress. Such a contravention must have been deliberate, or the person responsible must have known, or ought to have known, that a contravention would occur and then failed to take reasonable steps to prevent it. On this basis, non-compliance with the cookie law is unlikely to attract the maximum fine.

The ICO has stated that while it does not anticipate “a wave of enforcement action after the lead-in period ends”, it does expect organisations to have used the year’s lead-in period productively and to have ensured that they are working towards becoming fully compliant.

The ICO’s guidance on complying with the law can be found here.

The ICC’s guidance on complying with the law can be found here.