With full enforcement of new cookie consent laws due from 26 May 2012, the “Government Digital Service” has issued guidance for UK public bodies on how to get compliant. Stephen Groom reports on key points of the guidance including its attitude to “implied consent”.
Topic: On-line advertising
Who: The UK Government Digital Service
Where: Whitehall, London
When: April 2012
Law stated as at: 3 May 2012
The UK "Government Digital Service" published an "Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites" (the "Guide").
The Government Digital Service ("GDS") "is a new team within Cabinet Office tasked with transforming government digital services." It was reported by Computer World in January 2012 to be advertising no less than 42 IT jobs with a total salary package of £3.5m. So much for the bonfire of the quangos.
The Guide supplements Guidance published by ICO in December 2011. It "focuses on ensuring that the main objective of the new regulation, the protection of website users' online privacy, is satisfied by public sector websites."
"Implied consent" eschewed
The Guide opens by commenting that although compliance by way of "implied consent" would be the least intrusive method, ICO does not believe it is possible to take such an approach at present because general awareness of cookies is simply not high enough.
To help increase this awareness, the Guide recommends consistency in the presentation of cookies-related information by public body websites. It also suggests publishers of these publicly funded sites take three principal steps:
- undertake a comprehensive audit of cookies which determines the level of intrusiveness of each one. Then include in the website cookies policy a table categorising them as either "Exempt from changes to the privacy regulations" (for example "stop multiple form submissions", "load balancing" and "transaction specific"), "Minimally intrusive" (for example "web analytics/metrics" and "personalised content/interface") or "Moderately intrusive" (such as "Embedded third party content and social media plug-ins" or "Advertising campaign optimisation");
- look to reduce unnecessary and redundant cookies, prioritising more intrusive cookies for removal;
- establish effective management of cookies. This should include a procedure to prevent the creation and use of new cookies without an assessment of their value weighed against their intrusiveness. Adopting a strict approach, the Guide goes on to state that "data sharing and benchmarking options (offered by some analytics packages) should be switched off despite the fact that no personal data is collected."
On the topic of web analytics cookies, ICO has stated quite clearly in its Guidance that these do not come within the "strictly necessary" category and they are not therefore immune from the consent requirement.
In contrast, GDS at least implies that it takes a different view.
It says that metrics on website usage patterns are "essential" as they enable government departments to assess and demonstrate whether the digital services they offer deliver value for money. GDS says that the most effective way of doing this is to set a cookie. It goes in to assert that ICO supports this view. In its December 2011 Guidance ICO did indeed states that provided clear information is given about their activities, first party cookies used only for analytical purposes are unlikely to be prioritised for regulatory action.
Why this matters: GDS is correct in recording ICO's view of where analytics cookies will sit in the enforcement landscape. This this does not derive from a categorisation of analytics as "strictly necessary", however, but from a pragmatic, risk-based approach to enforcement given the minimally intrusive nature of such cookies.
The Guide is also strangely reticent on the $64,000 question, namely how to approach compliance with the new consent requirement, but it is otherwise a useful reminder of what should be all website publishers' priorities as 26 May 2012 approaches.
The Guide also underlines the dangers of relying on "implied consent" and full disclosure as of themselves a solution to compliance which neatly avoids having to obtain the "freely given, specific and informed consent" which the new rules effectively require.
Two key reasons for treating "implied consent" with suspicion are firstly that at this point, there is lack of clarity as to what "implied consent" entails. ICO makes no attempt to define it in its Guidance when it dismisses it as a silver bullet in at least the near future. Even if implied consent does become capable of delivering consent at some point, there must surely be clarity as to what it involves and how it achieves consent.
Secondly, if "implied consent" only consists of giving full disclosure about cookies' purposes, without providing users with a clearly flagged method of indicating consent on first arrival at the site, then this appears to entirely ignore and negate the new law. How would this differ from what has been the law for nearly 10 years by way of the original PECRs, namely the requirement to provide clear and comprehensive information about the purposes of all cookies?
The Guide can be found at here.