All Eyes On The Cookie Jar


Further to our previous e-update, anyone with a website should be aware of the new EU rules (Directive 2009/136/EC) regarding the use of internet text-files called 'cookies'. The UK will implement the Directive on the 26 May this year, imposing strict rules on website providers on the way in which cookies are used.

This week the Information Commissioner's Office published advice for the benefit of organisations which sets out the steps that they need to take to ensure that they comply with the new EU Rules.

From the 26 May, website providers will need to receive explicit consent from users in order to store cookies on website users' devices so that the website can recognise the user's device in future.  The ICO have produced a non-exhaustive list of methods of obtaining consent, providing a stepping stone for businesses preparing for the new rules.

Under the Directive, web-users will need to 'opt-in' to the storage of data using cookies and there will be a requirement for users to be fully informed as to the content and extent of the information which is going to be stored.  In order for the web-user to be fully informed, the cookie consent boxes will need to be easily accessible and highly visible.  Therefore, we should expect to see many more pop-up boxes on our screens.

According to the Government's recent consultation response, "through clicking on the icon, the consumer will be informed about: each specific internet advert; the advertiser; the server; who the advert was customised by; and an option to refuse those and other cookies (including an option to refuse all cookies from that server)". 

The only exception to the new rules will be where the user information is 'strictly necessary' for the service provided by the website. The Information Commissioner has advised that the application of this exception will be quite limited in practice and that the use of cookies must be directly related to the service provided by the website. For online shopping, for example, the use of cookies will be 'strictly necessary' for the site to 'remember' what is in your shopping basket.

So what are the essential steps to be taken according to the ICO?

1. Web providers need to check what cookies are currently used by carrying out a website audit or checking what data is placed on the user's computer.  This should be followed up with an analysis of whether the information gathered is 'strictly necessary' and whether it is gathered by informed consent.

2. Check how intrusive the cookies are to the individual's privacy.  If the information gathered creates a detailed browsing profile, more comprehensive consent methods may need to be adopted.

3. Decide how consent will be obtained i.e. through pop-ups, terms and conditions when entering the website, or scrolling text footers or by some other method. 

Christopher Graham, the Information Commissioner, has recognised that many businesses rely on the use of cookies for legitimate business reasons, and although the advice published this week provides some guidance, it is only a work in progress and does not provide all the answers on compliance.  Graham has stated that he will work proactively with the Government, businesses and the public sector to find a practical solution that 'reflects real world practice'.

With the new rules coming into force in less than 3 weeks, businesses should be giving immediate consideration as to how they will ensure compliance with the new EU rules and communicate effectively with their website users about the use of cookies and the storage of cookie data.

© MacRoberts 2011

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.
