The Information Commissioner’s Office (ICO) has published guidance on the use of cookie technology to assist companies in complying with the new cookie regime that came into force on 26 May 2011. The advice is useful, but is vague on the practical and technological measures that would enable website operators to be compliant with the new law.

BACKGROUND

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 implemented, as of 26 May 2011, the various amendments that have been made to the European Electronic Communications Framework. These include amendments to the law on the use of cookies.  

The new law requires UK businesses and organisations running websites in the United Kingdom to, in most cases, get informed consent from visitors to their websites in order to store and retrieve information on users’ computers via cookies or similar technologies. Until now, website operators were only required to give users the opportunity of opting out of the use of cookies.  

The ICO’s advice is no doubt useful, but is vague on the most important aspect of the new requirements: the practical and technological measures that website operators need to take in order to comply with the new law. The document itself states that it is only “a starting point for getting compliant rather than a definitive guide”. The ICO says the advice will be supplemented by additional content as innovative ways to acquire users’ consent are developed over time. In the meantime, the ICO has said that organisations running websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement begins.

THREE SIMPLE STEPS

The ICO advises taking three steps in order to assess and comply with the new regime: check, assess and decide.

  1. Check what type of cookies and similar technologies are being used and how they are being used. This might involve a comprehensive audit of the website concerned to assess which cookies might be “strictly necessary” and therefore not require consent.
  2. Assess how intrusive the use of cookies is. Since the aim of the new legislation is to improve internet users’ privacy, the more intrusive the use of cookies is, the more priority must be given to considering how to change that use. Essentially, this involves assessing the impact the use of cookies has on the privacy of the internet user. Some use of cookies will have no impact and might even assist users in keeping their data safe; other uses will be simply to assess which links are used most frequently or which pages get the fewest hits. However, some use might, for example, involve creating detailed profiles of an individual’s browsing activity, which would be considered quite intrusive and would therefore need meaningful consent.
  3. Decide which solution for obtaining consent would be best in the circumstances. Information about cookies needs to be provided to users before placing a cookie for the first time. Once consent is gained at that point, website operators will not need to get consent each time the same person uses the same cookie for the same purpose in the future.

It is the third step that is causing website operators the most concern. The advice gives some assistance by setting out a few options for obtaining consent, including the use of standard terms and conditions, pop-up check boxes, or general browser settings. However, it is clear that the user experience and the type of cookies involved mean there is not one simple solution. The method for obtaining consent will vary and will depend on how the cookies are used and how intrusive they are. The less intrusive the cookie, the lower the risk and the need for obtaining specific and active consent.

COMMENT

The key point to be gleaned from the ICO’s advice is that website operators must be upfront with their users as to how the website operates. Consent must be gained by giving users specific information about what they are agreeing to and providing them with a way to show their acceptance. Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant. Further, it is clear that the more directly the use of the cookie or similar technology relates to the user’s personal information, the more carefully the website operator needs to think about how to get meaningful consent.

In light of the 12-month grace period, operators now have time to consider the issues carefully and start thinking creatively about how they will obtain consent.