This week new rules governing the use of cookies (and similar information storage technologies) came into force: if you want to store a cookie on your computer or device, you will have to obtain the user’s consent first. Although the UK regulator, the Information Commissioner’s Office (‘ICO’) has allowed for a lead-in period of 12 months for organisations to develop ways of meeting the cookie-related requirements, now is the time to start auditing your systems and putting your house in order. The ICO has made it clear that it does not condone organisations taking no action in the period up to May 2012.

Guidance on complying with the new law

The ICO has recently published non-binding advice on complying with the new law. The change in law follows the publication of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the ‘Regulations’), which implements amendments to the E-Privacy Directive (2009/136/EC). The requirement for consent is much stricter than the old ‘inform the user and give them the option to opt out’. Under the new regime, the only circumstance in which you can store a cookie on your computer without obtaining the user’s permission is if this is “strictly necessary” for a service which the user has requested. The example given by the ICO is: if the user of an online shop places an item they wish to purchase in a virtual ‘basket’ and then clicks ‘proceed to checkout’, consent will not be required for the use of cookies to remember the chosen item. The ICO warns that this exception will be narrowly construed; it will only apply when the user has explicitly asked for the related service.

What do you need to be doing now?

The ICO advises that you take the following steps to prepare for this change in the law:

  • Carry out an audit: What type of cookies are you using? How are you using them? Check which cookies are necessary and which might require a user’s consent. You also need to consider if your website displays content from a third party (e.g. advertisements) as that third party could be setting cookies on your users' devices. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom;
  • Address how intrusive your use of cookies is. The purpose behind this law is to protect users’ privacy, so the more intrusive your use of cookies is, the more urgency there is for you to put a consent process in place; and
  • Decide what solution to obtain consent best suits your circumstances. There are a number of ways you may be able to obtain consent: through pop-ups; terms of use (note that users must indicate that they understand and accept any changes to the terms of use); settings (whereby you explain to users that by allowing the website to remember certain choices, they are consenting to the use of cookies); and scrolling text in a header or footer when you want to set an analytic cookie on a user's device which prompts a user to make further choices. The ICO notes that in the future websites may be able to rely on users’ browser settings as a means of consent, but it has made clear that you cannot yet rely on this method, as most browser settings are not sophisticated enough.

Consequences of not complying

The ICO has recognised that three weeks (the time between publishing the guidance to the law and it actually coming into force) is not a sufficient period for you to comply with the law. The ICO guidance on enforcement therefore states that there is a lead-in period of 12 months for you to develop ways to ensure compliance with the new rules, during which the ICO will not penalise you for non-compliance. During this period you need to have looked at the cookies your organisation uses and, where necessary, put in place steps to obtain users’ consent. If the ICO believes you are not taking appropriate steps in this period, it will ask you to explain what you are doing to be in a position to comply by May 2012. From May 2012 the ICO will handle complaints about websites in the normal manner.

The ICO has new powers to enforce this law. Serious breaches of the Regulations may attract monetary penalties of up to £500,000. A serious breach is defined as a serious contravention of the Regulations likely to cause substantial damage or distress. Such contravention must have been deliberate, or the person responsible must have known/ought to have known that a contravention would occur and then failed to have taken reasonable steps to prevent it. The ICO has committed to producing further guidance on how it intends to use these powers; it is likely that this guidance will be published in October 2011. This date, like the May 2012 deadline, may seem a long way off. However, don’t be lulled into a false sense of security: the ICO has made it clear that organisations should be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012 and the ICO may start to gather evidence of non-compliance prior to this date. If you require further information on how to go about undertaking an audit, please contact us.

The new law the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 can be found here.

The ICO’s guidance on complying with the new law can be found here.

The ICO’s guidance on enforcing the new law can be found here.

For further information on the differences between the old and new law, a previous Law Now can be found here: Cookie Consent: Opt-In or Opt-Out?