The Information Commissioner’s Office (ICO) has published guidance on the use of cookie technology to assist companies in complying with the new cookie regime that came into force on 26 May 2011. The advice is useful, but is vague on the practical and technological measures that would enable website operators to be compliant with the new law.
The ICO’s advice is no doubt useful, but is vague on the most important aspect of the new requirements: the practical and technological measures that website operators need to take in order to comply with the new law. The document itself states that it is only “a starting point for getting compliant rather than a definitive guide”. The ICO says the advice will be supplemented by additional content as innovative ways to acquire users’ consent are developed over time. In the meantime, the ICO has said that organisations running websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement begins.
THREE SIMPLE STEPS
The ICO advises taking three steps in order to assess and comply with the new regime: check, assess and decide.
- Check what type of cookies and similar technologies are being used and how they are being used. This might involve a comprehensive audit of the website concerned to assess which cookies might be “strictly necessary” and therefore not require consent.
- Decide which solution for obtaining consent would be best in the circumstances. Information about cookies needs to be provided to users before a cookie is placed for the first time. Once consent is gained at that point, website operators will not need to get consent each time the same person uses the same cookie for the same purpose in the future.
It is the third step that is causing website operators the most concern. The Advice gives some assistance by setting out a few options for obtaining consent, including the use of standard terms and conditions, pop-up check boxes, or general browser settings. However, it is clear that the user experience and the type of cookies involved mean there is no single simple solution. The method for obtaining consent will vary and will depend on how the cookies are used and how intrusive they are. The less intrusive the cookie, the lower the risk and the need for obtaining specific and active consent.
The key point to be gleaned from the ICO’s advice is that website operators must be upfront with their users as to how the website operates. Consent must be gained by giving users specific information about what they are agreeing to and providing them with a way to show their acceptance. Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant. Further, it is clear that the more directly the use of the cookie or similar technology relates to the user’s personal information, the more carefully the website operator needs to think about how to get meaningful consent.
In light of the 12-month grace period, operators now have time to consider the issues carefully and start thinking creatively about how they will obtain consent.