Back in May 2011, the UK data protection watchdog published advice on compliance with new consent laws for users of cookies and other technologies to access or store information on devices such as laptops, tablets and smart phones. Now it has published a revised version as Stephen Groom reports.
Topic: On-line advertising
Who: Information Commissioner's Office
When: December 2011
Where: Wilmslow, Cheshire, UK
Law stated as at: 5 January 2012
These new rules have had the force of law in the UK since 26th May 2011 by way of amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECRs"). These changes were needed to bring UK law into line with EC Directive 2009/136/EC ("the Directive").
The gist of the change is that when "cookies" or similar devices such as clear gifs are dropped on web users' laptops, tablets, mobiles etc to access or store information on those devices, two key requirements have to be met. These are that the subscriber (the person paying the bill for the telecoms service allowing web access) or user (the person using the device to access the web):
(a) is provided with clear and comprehensive information about the process of storage of, or access to, that information [the original rule in the 2003 Regulations] and
(b) has given his or her consent.
When the revised regulations ("Regulations") became law in May 2011, ICO announced that to allow cookie users time to get their houses in order, the new cookie law would not be fully enforced until "after 26 May 2012."
In May 2011, ICO also published a document entitled "Changes to the rules on using cookies and similar technologies for storing information." Strangely the paper stopped short of describing itself as "guidance" as such, but it did say that the situation would be kept under review and that consideration would be given to issuing more detailed advice if appropriate in the future.
New Guidance and blog published
Three times the length of the original document, the Guidance was accompanied by a blog from Information Commissioner Christopher Graham entitled "Half term report on cookies compliance."
In the blog, Mr Graham expresses disappointment that a list of the sites that perfectly complied with the Regulations from day one "would be very short indeed" and that progress since then can best be summed up as "could do better".
The blog explodes common myths such as "consent is impossible online," "it will take years to comply," and "consent needs pop ups and everyone hates pop-ups." It warns cookie users that are hanging back from taking action that they are at risk and describes initiatives that others have taken to work towards compliance. ICO says that if it approaches cookie users now after, for example, receiving consumer complaints, it will expect to be told what action has been taken so far, how compliance will be assured and how long it will take.
The blog concludes by giving pointers as to what it will expect, including the simplistic "switching all your cookies off until users tell you to switch them on again."
Three steps will also help take website operators down the right path, the blog says in closing:
- following ICO advice
- looking for implementing "quick wins"
- keeping an eye out for industry or sectoral standards or codes, although presumably this excludes the IAB/EASA Best Practice Recommendations on Behavioural Advertising which the Article 29 Working Party has recently condemned as non-compliant with the new rules.
Revised Guidance addresses new issues
Turning to the Guidance itself, this addresses a number of issues that have come up since May 2011.
On the question of whether consent given after the cookie has been dropped on a device will satisfy the Regulations, ICO says that it is difficult to see that a good argument could be made in favour of this.
This contrasts with a letter published by Government Minister Ed Vaizey on the day the Regulations came into force. This pounced on the absence of the word "prior" before "consent" in both the Directive and the Regulations and was very receptive to the concept of consent being given after the event.
However, the Guidance goes on to lean back in the direction of the Rt Hon Mr Vaizey. It recognises that currently many websites set cookies as soon as a user accesses the site and says that where it is not at present possible to delay the setting of cookies until after consent has been given, it may be acceptable for websites to "demonstrate that they are doing as much as possible to reduce the time before the user receives information about cookies and is provided with options."
Although cookie users should note that this is based on it not being technically possible to postpone the setting of the cookie until after consent has been indicated, this looks like a major concession.
Before cookie users fix on this as suggesting that the standard may drop based on their site users' level of general awareness, however, they should remember that, based on the Directive, the level of consent required must at all times be "freely given, specific and informed" as per Data Protection Directive 95/46/EC, words which do not easily appear to encompass "implied consent".
Contracts should make clear who must take steps needed for compliance
In terms of who is responsible for compliance, ICO says plainly that the person setting the cookie must be primarily responsible, with both parties being liable in the case of third party cookies. Therefore third parties setting cookies, or providing a product that requires the setting of cookies, should consider putting a contractual obligation into agreements with website publishers obliging the latter to take appropriate steps to provide information about third party cookies and obtain consent to them.
Moreover website designers and developers should ensure that their deliverables allow their customers to comply with the law.
Which country's cookie laws apply?
On the question of jurisdiction, the Guidance gives two pointers in an area that is not tackled directly in either the Directive or the Regulations. First it states that even if a website that drops cookies is hosted overseas, the UK Regulations will still apply if the organisation operating the site is based in the UK.
What about organisations based outside of Europe which target the European market or provide products or services to users "in the UK and Europe" (but we thought the UK was part of Europe)? These, says the ICO, "should consider that their users will expect information and choices about cookies to be provided."
Unfortunately neither piece of advice answers the question that has become increasingly important as marked differences appear in how EU states are implementing the Directive. This is which EU state's law applies when, for example, a website hosted on a UK server drops a cookie on a laptop located in Germany. No assistance is given on this issue in the Guidance.
Marketing emails using clear gifs?
What about marketing emails which drop clear gifs or web beacons on recipients' terminals that have tracking and storing functions? No mention is made of these in the Guidance although this activity would seem to be caught by the wide terms of the Regulations.
Is there any connection between this reticence and the dropping from the old general "Guidance for marketers on the Privacy and Electronic Communications (EC Directive) Regulations 2003" of the following passage when the new version entitled "Guide to Privacy and electronic communications" was published last year? Perhaps we should be told.
"Email tracking. We put clear gifs in our marketing emails. They help us work out how successful our campaign has been. Is that activity caught by the Regulations?
Yes it is…The important point to note is that if you are using such tracking devices in your marketing emails, you must let the recipient know about it in the message itself and explain to them how to switch off the web beacon or clear gif."
New examples provided
As for the rest of the new content in the Guidance, space prevents us from going into more detail here, but particular attention should be paid to a number of specific examples provided of how web pages might be configured to accommodate the disclosure and consent requirements.
One example which might be especially encouraging to first party cookie users is based on the appearance at the bottom of the homepage of the following prominent panel:
The commentary in the Guidance states that ideally no cookies should be dropped until the user clicks on "I agree." However what if the user does not click on either option and goes straight into the site?
ICO says that it may be possible to still drop the cookie and "infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site." Although this does appear to apply to first party cookies only and ICO does suggest cookie users might want the reassurance of putting notices elsewhere on the site that remind users that cookies are being set, this does suggest a very flexible approach to how consent might be obtained.
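The panel-based approach described above, as an added example that is not from the ICO Guidance or the article: a small consent gate that holds non-essential cookies back until the user clicks "I agree" (explicit consent) or, having seen the notice, clicks through into the site (the inferred consent the article reads as applying to first party cookies only, so third party cookies stay held back until an explicit choice). The in-memory jar and the function names are assumptions standing in for document.cookie so the logic runs under Node without a browser.

```javascript
class ConsentGate {
  constructor(jar) {
    this.jar = jar;          // hypothetical stand-in for document.cookie: { set(name, value) }
    this.state = "none";     // "none" | "explicit" | "inferred" | "refused"
    this.noticeShown = false;
    this.pending = [];       // cookies deferred until consent is obtained
  }
  showNotice() { this.noticeShown = true; }   // the prominent panel has been rendered
  // Called wherever the site would otherwise set a cookie; firstParty marks
  // cookies set by the site itself rather than by a third-party component.
  requestCookie(name, value, firstParty) {
    if (this.allowed(firstParty)) this.jar.set(name, value);
    else if (this.state !== "refused") this.pending.push({ name, value, firstParty });
  }
  allowed(firstParty) {
    if (this.state === "explicit") return true;
    if (this.state === "inferred") return firstParty;  // third-party cookies keep waiting
    return false;
  }
  agree() { this.state = "explicit"; this.flush(); }
  refuse() { this.state = "refused"; this.pending = []; }
  // User went straight into the site without clicking either option:
  // consent is only inferred if the clear notice was actually shown first.
  clickThrough() {
    if (this.state === "none" && this.noticeShown) { this.state = "inferred"; this.flush(); }
  }
  flush() {
    const keep = [];
    for (const c of this.pending) {
      if (this.allowed(c.firstParty)) this.jar.set(c.name, c.value); else keep.push(c);
    }
    this.pending = keep;
  }
}

function makeJar() { const store = {}; return { store, set(n, v) { store[n] = v; } }; }

// Constructed scenario from the text: notice shown, no choice made, user clicks through.
function clickThroughScenario() {
  const jar = makeJar(), gate = new ConsentGate(jar);
  gate.requestCookie("site_prefs", "en", true);    // held back: no consent yet
  gate.requestCookie("ad_tracker", "abc", false);  // held back as well
  gate.showNotice();
  gate.clickThrough();
  return { set: Object.keys(jar.store), pending: gate.pending.map(c => c.name) };
}
// Same start, but the user clicks "I agree": everything pending is released.
function agreeScenario() {
  const jar = makeJar(), gate = new ConsentGate(jar);
  gate.showNotice();
  gate.requestCookie("site_prefs", "en", true);
  gate.requestCookie("ad_tracker", "abc", false);
  gate.agree();
  return Object.keys(jar.store);
}
```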
Why this matters:
Although there continue to be omissions and blind spots, businesses cannot complain that they are being left to their own devices by the regulator as the end of the period of grace allowed by ICO fast approaches.
In conclusion and to quote from the slides which Information Commissioner Christopher Graham spoke to at Osborne Clarke's "Look Back, Face Forward" marketing law forum on 15 December 2011:
- Decent solutions require innovation and imagination: surely not too much to ask?
- It's about not burying your head in the sand: the regulatory approach will take account of the efforts people are going to
- We continue to support industry-led attempts to get this right
- We know there are organisations out there doing this properly, and their efforts will make the "do nothings" stand out.
The new Guidance is at http://www.ico.gov.uk/news/blog/2011/half-term-report-on-cookies-compliance.aspx