From today (26 May), new rules come into force on the use of website cookies (and similar technologies such as spyware) which mean that website operators can no longer justify their use by solely relying on website users to change their browser settings to “opt-out” if the website users do not want to receive them.
A cookie is a piece of text stored on a website user’s computer by his or her browser that allows the website to store certain information about the website user’s use of the site and to recognise the website user when he or she returns to the website in the future. The new rules amend Article 5(3) of the e-Privacy Directive (2000/58/EC).
Website operators have been concerned since the adoption of the new rules because it was unclear how the rules would operate in practice, and there has been a lot of pressure on the government to offer some helpful guidance. The latest guidance was released earlier this month by the Information Commissioner’s Office, the data protection regulator for the UK (the “ICO”).
The guidance offers some useful advice but does not provide a comprehensive guide for website operators and the ICO has said that further guidance may follow. The key points from the ICO’s guidelines are as follows:
- The new rules will apply to cookies and similar technologies that are not strictly necessary for the provision of services. “Strictly necessary” is not defined. However, according to the ICO, cookies used for the collection of statistical data and to remember a website user’s preference settings (including behavioural advertising cookies) will not be considered “strictly necessary”, whereas shopping basket functionality cookies, for example, will fall within the scope of “strictly necessary”.
- The ICO states that website operators will not be expected to fully comply with the new rules immediately and there will be a “grace period” (although the ICO does not say how long this will last). During the grace period, if the ICO receives a complaint, it will expect a non-compliant website operator to produce a plan demonstrating that it has considered what types of cookies and similar technologies it uses and how frequently, how intrusive this use is, and what the most appropriate solution is for it to implement so that it complies with the new rules in the future.
The ICO guidance can be found in full at the following link: http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.ashx