The new Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 are now in force. Controversy surrounds the changes these make to cookie law, but the Information Commissioner's Office has tried to help with a note on how to comply. Hannah Willson reports.
Topic: Online advertising
Who: Information Commissioner's Office
When: 26 May 2011
Law stated as at: May 2011
Forget the garibaldi, chocolate bourbon or plain digestive: the new 'cookie directive' (also known as the Privacy and Electronic Communications (EC) Directive Amendment Regulations 2011) is here and came into force on 26 May; a copy can be found here.
The new rule: as well as providing the information required under the old rule, you will now only be able to place a cookie on terminal equipment where the user or subscriber has given their consent.
Exceptions to the rule
The new rule has only one, very limited, exception: you do not require consent if what you are doing is 'strictly necessary' for a service explicitly requested by the user. An example would be a retail website whose checkout needs to remember what has been 'added' to the basket during the shopping session. Any cookie that merely enhances the user experience of the site (or at least does so in the view of the website operator) will not fall within the exception.
What do I need to do?
i) assess what types of cookie (or other similar technology) are used on your website, and how they are used;
ii) assess how intrusive the use of those cookies is; and
iii) decide which solution for obtaining consent will be most appropriate.
i) Audit of cookie use
Any audit should also assess which cookies might come within the 'strictly necessary' exception described above, and whether there are any unnecessary cookies or any that have been superseded as the website has evolved.
ii) How intrusive?
The cookie directive is directly linked to protecting the privacy of users; it therefore follows that the less effect a cookie has on the user's privacy, the less intrusive the ICO will consider it to be.
The ICO has suggested thinking of it as a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other – the more privacy intrusive the activity of the cookie, the more priority that should be given to getting meaningful consent.
iii) How to get consent
'Consent' in the cookie directive is defined as 'any freely given specific and informed indication of his wishes'. There are, however, no time constraints on when consent may be given, so it could be given during or after processing.
There are several different methods of obtaining consent. The ICO's pop-up is an apparently easy method, but it may 'spoil' the user experience. At the moment the ICO guidance suggests that it is not advisable to rely on the user's browser settings, because most browser settings are not yet sophisticated enough to allow you to assume that the user has given their consent. The government is currently working with the major browser manufacturers to enable this consent solution, but for now an alternative method is required.
Some other methods that you may wish to consider are:
- Functional uses – some of the cookies you use may be for analytical purposes. You may want to consider publishing details of each cookie's purpose and having a notification in the header or footer of the webpage that alerts the user when you want to set a cookie on the user's device.
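The three steps above (audit what is set, rank it on the ICO's sliding scale, gate non-exempt cookies behind a recorded choice) can be expressed in a small piece of server-side logic. The following is an added example, not code from the article or from the ICO; the cookie names, purposes and the `ConsentGate` class are constructed for illustration, and the intrusiveness scores are a hypothetical ranking rather than anything the ICO publishes.

```javascript
// Added example: a consent-gated cookie helper following the audit -> rank -> consent steps.
// All cookie names and purposes below are constructed for illustration.

// Step i: inventory of every cookie the site sets, its stated purpose, and whether it is
// 'strictly necessary' for a service the user explicitly asked for (e.g. the basket).
const COOKIE_INVENTORY = {
  basket:     { purpose: 'remembers items added to the shopping basket', strictlyNecessary: true,  thirdParty: false },
  session_id: { purpose: 'keeps the user signed in through checkout',    strictlyNecessary: true,  thirdParty: false },
  _analytics: { purpose: 'page-view statistics for the site operator',   strictlyNecessary: false, thirdParty: false },
  ad_tracker: { purpose: 'cross-site advertising profile',               strictlyNecessary: false, thirdParty: true  },
};

// Step ii: a hypothetical position on the sliding scale. 0 = exempt/privacy neutral,
// 1 = first-party and needs consent, 2 = third-party tracking, the most intrusive.
function intrusiveness(entry) {
  if (entry.strictlyNecessary) return 0;
  return entry.thirdParty ? 2 : 1;
}

// Step i (continued): audit a raw Cookie header against the inventory. Anything not in
// the inventory is flagged 'undocumented' so it can be removed or documented.
function auditCookies(cookieHeader) {
  const names = cookieHeader
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => s.split('=')[0]);
  return names.map((name) => {
    const entry = COOKIE_INVENTORY[name];
    if (!entry) return { name, status: 'undocumented', intrusiveness: null };
    return {
      name,
      status: entry.strictlyNecessary ? 'exempt' : 'needs-consent',
      intrusiveness: intrusiveness(entry),
      purpose: entry.purpose,
    };
  });
}

// Step iii: the consent store. A header/footer notice would call grant() with the
// user's specific choice; setCookie() refuses to emit a non-exempt cookie without it.
class ConsentGate {
  constructor() {
    this.consented = new Set();
    this.log = []; // audit trail of refused/deferred cookies
  }

  grant(name) { this.consented.add(name); }
  revoke(name) { this.consented.delete(name); }

  // Returns the Set-Cookie header value to emit, or null if the cookie must not be set.
  setCookie(name, value, opts = {}) {
    const entry = COOKIE_INVENTORY[name];
    if (!entry) {
      this.log.push(`refused ${name}: not in inventory`);
      return null;
    }
    if (!entry.strictlyNecessary && !this.consented.has(name)) {
      this.log.push(`deferred ${name}: no consent recorded`);
      return null;
    }
    const attrs = ['Path=/', 'SameSite=Lax', 'Secure'];
    if (opts.maxAge) attrs.push(`Max-Age=${opts.maxAge}`);
    return `${name}=${encodeURIComponent(value)}; ${attrs.join('; ')}`;
  }
}

// Stand-alone demonstration on a constructed Cookie header.
const gate = new ConsentGate();
console.log(auditCookies('basket=a; _analytics=u1; legacy=1'));
console.log(gate.setCookie('basket', 'a,b'));       // exempt: emitted
console.log(gate.setCookie('_analytics', 'u1'));    // no consent: null
gate.grant('_analytics');
console.log(gate.setCookie('_analytics', 'u1'));    // consent recorded: emitted
console.log(gate.log);
```

The useful property for a compliance review is that the inventory, not the calling code, decides whether a cookie is exempt: an 'undocumented' result from `auditCookies` is exactly the superseded or unnecessary cookie the audit paragraph above says to look for, and the `log` gives a record of what was withheld and why.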
Third party cookies
Third party cookies are also commonly used on websites, and the process for obtaining consent to these will be more complex than for a first party cookie. The ICO has acknowledged that several parties will be involved in obtaining consent for third party cookies, and there are initiatives looking into the best method of achieving compliance. In the meantime, if your website allows or uses third party cookies you should make sure you are doing everything you can to provide adequate information to users so that they can make informed choices.
Why this matters:
The government is taking a phased approach to the implementation of the cookie directive. The ICO is therefore taking the approach that, if it receives a complaint about a website, it will expect a response from the organisation setting out how it has considered the new requirements and demonstrating that it has a realistic plan to achieve compliance. Clear communication to, and education of, staff and users will be a key feature for a business in achieving compliance.
The good news for business is that the UK regulations are not too prescriptive; they are considered to be a light-touch, business friendly implementation of the EC Directive and have set a benchmark in Europe.
The guidance is clear – you cannot ignore the cookie directive but there will be some flexibility whilst you achieve compliance.