After a year’s grace to enable websites to “get their house in order”, full enforcement by the Information Commissioner’s Office (ICO) of the amended law on use of “cookies” is due to commence on 25 May 2012. This note sets out what website owners should be doing to prepare for this.
The new law – requirement for consent
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “Regulations”) were amended in May 2011 so as to require that cookies, other than those which fall within the strictly necessary category, can only be placed on a user’s terminal where the user has:
- been provided with clear and comprehensive information about the purposes of the storage and intended access to the information gathered; and
- given their consent to such storage.
This differs from the previous position, which merely required websites to give users notice of cookies and the option to opt out.
The ICO gave website owners a 12-month moratorium on enforcement, which expires next month. It has discretion over how it enforces the rules and has stated that it will take a practical and proportionate approach; ultimately, though, it has the power to impose monetary penalties of up to £500,000.
The Regulations are not prescriptive about what sort of information should be provided. However, in order to meet the key requirements, the ICO guidance states that those setting cookies must:
- tell people that the cookies are there;
- explain what the cookies are doing; and
- obtain their consent to store a cookie on their device.
Pop-ups – although this is perhaps the most restrictive and intrusive approach to gaining consent, the most effective way of complying is likely to be by seeking consent on an initial splash page or pop-up on the user’s first visit to the website.
Message bars – other viable options include prominent message bars or header bars on the web page together with a prominent link to the website’s cookies policy setting out the more detailed information. However, thought needs to be given to what happens if the user does not click to confirm consent: since the Regulations require consent before a non-essential cookie is placed, such cookies should not be set until the user has confirmed.
Feature-led consent – depending on the cookies used, you might also choose to seek consent when each cookie is activated by the user selecting a particular setting or preference that you want to record. This could be practical when you are already providing the user with tick boxes and information on the options presented (such as language or site format).
Icons – the use of iconography may also be appropriate to develop users’ understanding of cookies and where they are used. The Internet Advertising Bureau is currently in discussion with EU authorities on best practice recommendations for the use of icons to improve transparency and user understanding.
The recently issued International Chamber of Commerce UK Cookie guide is designed to help website owners categorise the cookies they use, so as to assist them in preparing suitable methods of obtaining consent. These categories are:
Strictly necessary cookies – e.g. those used to recognise when a user has chosen goods they wish to buy and clicks the ‘add to basket’ button. Consent is not generally required for these.
Performance cookies – these collect information about how visitors use a website, for example, by recording which pages users go to most often (usually on an anonymous basis).
Functionality cookies – those cookies which allow the website to remember the choices a user makes, such as a user name or language preference.
Targeting or advertising cookies – these collect information about a user’s browsing habits and are usually placed by advertising networks with the website operator’s permission.
With the ICO stating that it is shifting its attention to “those that do not comply nor attempt to comply”, our advice to clients is that they should, if they have not already:
- conduct a “cookies audit”, checking what type of cookies they use and why;
- assess how intrusive the use of each cookie is based on the ICC classifications;
- decide, with reference to the intrusiveness and user demographic, what solution (on a cookie-by-cookie basis) should be used in order to obtain consent; and
- implement the necessary mechanisms for consent on their website.
As a general rule, the more privacy intrusive the activity, the more priority should be given to getting meaningful consent.
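As an added example (not part of the original note, and not a tool from the ICO or the ICC), the script below shows the first two steps of this procedure in code: it parses the Set-Cookie headers a site and its embedded third parties return, looks each cookie up in an inventory compiled during the audit, and reports which cookies need consent before they are set and which are still unexplained. The site domain, the inventory, the cookie names and the sample headers are all constructed for illustration.

```python
"""Cookie audit helper (hypothetical; written for this note, not an ICO or ICC tool).

Parses the Set-Cookie headers a site (and its embedded third parties) return,
looks each cookie up in an inventory compiled during the audit, and reports
which cookies need consent under the amended Regulations.
"""
from http.cookies import SimpleCookie

# The four ICC UK categories; only the first is exempt from the consent requirement.
STRICTLY_NECESSARY = "strictly necessary"
PERFORMANCE = "performance"
FUNCTIONALITY = "functionality"
TARGETING = "targeting/advertising"
CONSENT_EXEMPT = {STRICTLY_NECESSARY}

# Constructed inventory: cookie name -> category, as recorded during the audit.
INVENTORY = {
    "sessionid": STRICTLY_NECESSARY,
    "basket": STRICTLY_NECESSARY,
    "lang": FUNCTIONALITY,
    "_ga": PERFORMANCE,
    "ad_id": TARGETING,
}

SITE_DOMAIN = "example.co.uk"  # assumed domain of the site being audited


def is_third_party(response_host, site_domain=SITE_DOMAIN):
    """Naive suffix check; production tooling should use the public suffix list."""
    host = response_host.lower()
    return not (host == site_domain or host.endswith("." + site_domain))


def audit_header(set_cookie, response_host, inventory=INVENTORY):
    """Parse one Set-Cookie header value into a list of audit records."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    records = []
    for name, morsel in jar.items():
        category = inventory.get(name)
        records.append({
            "name": name,
            "category": category or "UNCLASSIFIED",
            # Unknown cookies are treated as needing consent until classified.
            "consent_required": category not in CONSENT_EXEMPT,
            "third_party": is_third_party(response_host),
            # A cookie with Max-Age or Expires outlives the session: more intrusive.
            "persistent": bool(morsel["max-age"] or morsel["expires"]),
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        })
    return records


def audit_response(set_cookie_headers, response_host, inventory=INVENTORY):
    """Audit every Set-Cookie header from one HTTP response."""
    records = []
    for header in set_cookie_headers:
        records.extend(audit_header(header, response_host, inventory))
    return records


def needs_consent(records):
    """Names of cookies that must not be set before the user consents."""
    return [r["name"] for r in records if r["consent_required"]]


def unclassified(records):
    """Cookies the audit has not yet explained: the gaps in the inventory."""
    return [r["name"] for r in records if r["category"] == "UNCLASSIFIED"]


# Constructed samples (not captured from any real site).
FIRST_PARTY_HEADERS = [
    "sessionid=3f9a8b; Path=/; Secure; HttpOnly",
    "basket=sku-42; Path=/; Secure",
    "lang=en-GB; Max-Age=31536000; Path=/",
    "_ga=GA1.2.123456.1700000000; Max-Age=63072000; Domain=.example.co.uk; Path=/",
    "mystery=1; Path=/",
]
# Constructed sample: a header returned by an embedded ad network's response.
THIRD_PARTY_HEADERS = [
    "ad_id=u7x; Max-Age=7776000; Domain=.ads-network.example; Path=/",
]

if __name__ == "__main__":
    records = audit_response(FIRST_PARTY_HEADERS, "www.example.co.uk")
    records += audit_response(THIRD_PARTY_HEADERS, "cdn.ads-network.example")
    for r in records:
        flags = [k for k in ("third_party", "persistent", "secure", "httponly") if r[k]]
        print(f"{r['name']:<10} {r['category']:<22} consent={r['consent_required']} {flags}")
    print("consent needed before setting:", needs_consent(records))
    print("still to classify:", unclassified(records))
```

Run it against headers captured from the site (a browser's developer tools or a proxy log): every cookie reported as UNCLASSIFIED is a gap in the audit, and every cookie with consent_required set is one the site must not place until the user has consented.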
ICO guidance on the new cookies Regulations
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx
International Chamber of Commerce UK Cookie guide
http://www.internationalchamber.co.uk/components/com_wordpress/wp/wpcontent/uploads/2012/04/icc_uk_cookie_guide.pdf