The new Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 are now in force. Controversy surrounds the changes these make to cookie laws, but the Information Commissioner's Office has tried to help with a note on how to comply. Hannah Willson reports.
Topic: Online advertising
Who: Information Commissioner's Office
Where: UK
When: 26 May 2011
Law stated as at: May 2011
What happened:
Background
Forget the garibaldi, chocolate bourbon or plain digestive: the new 'cookie directive' (also known as the Privacy and Electronic Communications (EC) Directive Amendment Regulations 2011) is here and came into force on 26 May; a copy can be found here.
The old rule: essentially there were two requirements for using cookies and storing the information. You had to tell people how you use cookies and how they could 'opt out' if they objected, and this was usually set out in the privacy policy.
The new rule: as well as providing the information required under the old rule, you will now only be able to place a cookie on terminal equipment where the user or subscriber has given their consent.
Exceptions to the rule
The new rule has only one, very limited, exception: you do not require consent if what you are doing is 'strictly necessary' for a service explicitly requested by the user. An example would be a retail website whose checkout needs to remember what has been 'added' to the basket during the shopping experience. Any cookie that merely enhances the user experience of the site (or at least does so in the view of the website operator) will not be caught by the exception.
What do I need to do?
The Information Commissioner's Office (ICO) has published guidance on what steps should be taken if you currently use cookies on your website, which in summary is as follows:
i) assess what types of cookie (or other similar technology) are used on your website, and how they are used;
ii) assess how intrusive the use of the cookies is; and
iii) decide which solution to obtain consent will be most appropriate.
i) Audit of cookie use
Depending on the extent to which cookies are used on your website, you may need to undertake an in-depth audit addressing questions such as: where the cookie is used on the site; which EU countries it is aimed at; whether there are links to privacy and cookie policies; whether the cookie policy provides information about 'opting out' of cookies; the cookie name/ID; the purpose of the cookie; whether it is being used for direct marketing; what data is collected/stored; whether it is a first or third party cookie; and what type it is (temporary, persistent, flash) etc. However, it may only be necessary to carry out a simple audit to check what data files are placed on users' machines and why.
Any audit should also assess which cookies might come within the 'strictly necessary' exception described above, and whether there are any unnecessary cookies or any which have been superseded as the website has evolved.
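The inventory step above can be partly automated. The following Python script is an added example (not the ICO's or the article's own code): it takes `(response URL, Set-Cookie header)` pairs as a proxy or browser tooling would capture them, and records for each cookie its name, whether it is first or third party (judged by the host that set it, assumed to be the operator's own domain or a subdomain), whether it is temporary or persistent, and whether it falls outside a constructed, operator-maintained list of 'strictly necessary' cookie names and so needs consent.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed: names the operator has judged 'strictly necessary' for a service the
# user requested (basket and login session). Everything else needs consent.
STRICTLY_NECESSARY = {"basket", "sessionid"}

@dataclass
class CookieRecord:
    name: str
    party: str          # "first" or "third"
    lifetime: str       # "session" or "persistent"
    needs_consent: bool

def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")   # flags such as Secure get ""
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def within_site(host, site_domain):
    """True if the responding host is the site itself or one of its subdomains."""
    host, site_domain = host.lower(), site_domain.lower()
    return host == site_domain or host.endswith("." + site_domain)

def classify(response_url, header, site_domain, necessary=STRICTLY_NECESSARY):
    """Build one audit record from the URL that set the cookie and its header."""
    name, attrs = parse_set_cookie(header)
    host = urlsplit(response_url).hostname or ""
    party = "first" if within_site(host, site_domain) else "third"
    persistent = "expires" in attrs or "max-age" in attrs   # else dies with the browser
    return CookieRecord(name, party, "persistent" if persistent else "session",
                        name not in necessary)

def audit(captured, site_domain):
    """Records for every captured cookie, most intrusive (third-party, persistent) first."""
    records = [classify(url, hdr, site_domain) for url, hdr in captured]
    return sorted(records, key=lambda r: (r.party != "third",
                                          r.lifetime != "persistent", r.name))

# Constructed capture: (URL of the response, its Set-Cookie header).
SAMPLE_CAPTURE = [
    ("https://www.shop.example/checkout", "basket=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.shop.example/login", "sessionid=9f2e; Path=/; HttpOnly"),
    ("https://www.shop.example/", "visitor=GA1.2.555; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
    ("https://tracker.adnet.example/pixel.gif", "uid=77; Domain=.adnet.example; Max-Age=31536000"),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_CAPTURE, "shop.example"):
        print(f"{r.name:10} {r.party}-party {r.lifetime:10} consent needed: {r.needs_consent}")
```

The sorted output puts the third-party persistent tracking cookie at the top, which is where the ICO's sliding scale says consent effort should go first.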
ii) How intrusive?
The cookie directive is directly linked to protecting the privacy of users; it therefore follows that the less effect a cookie has on the privacy of the user, the less intrusive the ICO will consider it to be.
The ICO has suggested thinking of it as a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other – the more privacy intrusive the activity of the cookie, the more priority that should be given to getting meaningful consent.
iii) How to get consent
'Consent' in the cookie directive is defined as 'any freely given specific and informed indication of his wishes'; however, there are no time constraints on when consent may be given, so it could occur during or after processing.
The guidance encourages businesses to be open and clear in gaining consent to the use of cookies, and it is unlikely that consent based on a user's ignorance will be considered acceptable.
If you visit the ICO website you will see a clear demonstration of how you can achieve compliance. At the top of the website is the following notice with an opt-in tick box to confirm that the user accepts the use of cookies from the site.
"On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice."
There are several different methods of obtaining consent. The ICO pop-up is an apparently easy method; however, it may 'spoil' the user experience. At the moment the ICO guidance suggests that it is not advisable to rely on the user's browser settings, because most browser settings are not yet sophisticated enough to allow you to assume that the user has given their consent. The government is currently working with the major browser manufacturers to enable this consent solution, but for now an alternative method is required.
Some other methods that you may wish to consider are:
- Terms and conditions – when the user first signs up to the terms and conditions they will consent to the use of cookies. If you change the Ts and Cs now, for existing users you will need to expressly make the users aware of the changes and obtain positive confirmation that they understand and agree to the changes.
- Settings-led – where the use of the website is based on settings chosen by the user, the use of cookies could become an additional setting.
- Feature-led – where only certain features of your website use cookies, you could obtain consent at the point at which the relevant feature is selected; alternatively, you could provide information to the effect that by enabling/clicking on a particular feature the user is giving consent to the use of cookies on their machine. The more intrusive the feature, however, the less likely this will be acceptable.
- Functional uses – some cookies that you use may be for analytical purposes. You may want to consider adding details about each cookie's purpose and having a notification in the header or footer of the webpage that alerts the user when you want to set a cookie on the user's device.
Third party cookies
Third party cookies are also commonly used on websites, and the process for obtaining consent to these will be more complex than for a first party cookie. The ICO has acknowledged that there will be several parties involved in obtaining consent for third party cookies, and there are initiatives looking into the best method of achieving compliance. In the meantime, if your website allows or uses third party cookies, you should make sure you are doing everything you can to provide adequate information to users to allow them to make informed choices.
Why this matters:
The government is taking a phased approach to the implementation of the cookie directive. The ICO is therefore taking the approach that, if it receives a complaint about a website, it will expect a response from the organisation setting out how it has considered the new requirements and demonstrating that it has a realistic plan to achieve compliance. Clear communication to, and education of, staff and users will be a key feature for a business in achieving compliance.
The good news for business is that the UK regulations are not too prescriptive; they are considered to be a light-touch, business-friendly implementation of the EC Directive and have set a benchmark in Europe.
The guidance is clear – you cannot ignore the cookie directive but there will be some flexibility whilst you achieve compliance.