Précis - Enforcement of the new cookie laws which came into force last year is due to commence on 26 May 2012, after a 12-month grace period granted by the ICO to allow organisations time to prepare for the changes.

What? The e-Privacy Directive was updated in 2009 and implemented in amendments to the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003. Those amendments came into force on 25 May 2011. A key change is that organisations making use of cookies in their websites not only still have to provide clear notice about the cookies being used, but must also abandon their previous approach, under which user consent to cookies was implied and applied unless and until an objection was received. Instead, an organisation is now expected to obtain consent to cookie use in advance. The only exception to this requirement is where the cookie is “strictly necessary” either for electronic transmission, or to provide a requested “information society service” to the user (which, in effect, means where essential to provide a service to process or store data at the user’s request, normally for remuneration, provided at a distance and electronically).

So what? The ICO issued initial guidance on the impact of the changes in May 2011 and this stressed that organisations would “need to take steps now to prepare and ensure you are ready to comply”. Preparation should include:

  • Checking what cookies are used and how they are used; and
  • Assessing how intrusive the cookies are.

This would provide the necessary details to enable the organisation to decide what information about cookie use should be provided to users; whether (if the cookies collected personal information) their use could be justified under related data protection legislation; and the type of consent needed to authorise use in the future. Organisations were hopeful that browser settings which continued to permit cookie use would be sufficient to claim the necessary consent had been provided. However, the ICO disagreed, citing the lack of sufficiently sophisticated browsers and the variety of browsers which users would be relying upon. When the legislation was introduced at the last moment to meet the deadline imposed by the Directive, it was also made clear that, in fairness, the ICO would allow organisations 12 months to understand and implement the changes before enforcing the new rules.

ICO advice was then updated in December 2011. More details on compliance were made available, including confirming that the form or method of consent could vary to match the type of cookie involved. There could be different approaches depending upon the facts, such as whether the cookies were temporary, limited to the browsing session only, or more permanent. It was also confirmed that the use of implied consent from browser settings still did not appear feasible to the ICO.

What was made clear was that doing nothing was not an option for organisations using cookies. Despite the uncertainty about how to obtain a suitable user consent in the on-line arena without disrupting the user experience, it was emphasised that organisations were expected to audit cookie use, trim cookie use as a result where appropriate and do more to bring cookie use to the attention of users. Updated cookie details should not be buried in terms or a policy at the bottom of a page but somehow highlighted to users, such as by specifically mentioning cookies in the link, or moving the link to a more prominent position.

The clock has been ticking and 26 May 2012 is almost upon us, when the ICO will end its voluntary suspension of possible enforcement of these changes. However, we are no closer now than we were in December 2011, or in May 2011, to having a magic bullet to make obtaining consent simple and user friendly for all on-line organisations. Suitably sophisticated browsers and technology are not yet routinely available to help with this requirement.

So where does that leave organisations, especially since the ICO may be counting down the days through its last month of restraint?

The good news is that although there has been no official statement or update, there are reports that the ICO has confirmed that it will not be focusing its enforcement strategy on all cookies: those which carry a low risk of harm to individuals are likely to be low down any list of priorities. This would include many analytic cookies, assuming that they do not collect personal information and so are not privacy intrusive. However, the need to give clear notice about analytic cookies remains and it appears that the ICO may release more guidance about these types of cookies and the appropriate form of consent to their use in due course.

This risk-based approach appears to be confirmed by recent guidelines issued by the Government Digital Service, which suggest different risks and approaches depending upon whether the cookie is moderately intrusive, minimally intrusive or exempt, categories which they attempt to define. There is no ICO commentary available on these suggestions at present, so care will still be needed.

We will shortly release our cross-border cookie analysis.