This week (on 26 May 2011) new rules governing the use of cookies (and similar information storage technologies) came into force: if you want to store a cookie on a user's computer or device, you will have to obtain that user's consent first. Although the UK regulator, the Information Commissioner's Office ('ICO'), has allowed a lead-in period of 12 months for organisations to develop ways of meeting the cookie-related requirements, now is the time to start auditing your systems and putting your house in order. The ICO has made it clear that it does not condone organisations taking no action in the period up to May 2012.
Guidance on complying with the new law
The ICO has recently published non-binding guidance on complying with the new law. The change follows the publication of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the 'Regulations'), which implement the changes made to the E-Privacy Directive (2002/58/EC) by Directive 2009/136/EC. The consent requirement is much stricter than the old 'inform the user and give them the option to opt out' regime: consent must be obtained before the cookie is stored or read, not merely offered as an opt-out afterwards. Under the new regime you may store a cookie on a user's device without consent in only two situations: where the storage is for the sole purpose of carrying out the transmission of a communication over a network, or where it is "strictly necessary" for a service which the user has requested. The ICO's example of the latter is an online shop: if a user places an item they wish to purchase in a virtual 'basket' and then clicks 'proceed to checkout', consent will not be required for the cookie that remembers the chosen item. The ICO warns that this exception will be narrowly construed; it applies only when the user has explicitly asked for the related service. A cookie that is merely convenient or useful to the site operator, such as an analytics cookie, is not 'strictly necessary' in this sense.
What do you need to be doing now?
The ICO advises that you take the following steps to prepare for this change in the law:
- Carry out an audit: What types of cookies are you using, and for what purpose? Check which cookies are strictly necessary and which will require a user's consent. You also need to consider whether your website displays content from a third party (e.g. advertisements or analytics scripts), as that third party could be setting cookies on your users' devices from its own domain, which your own servers never see. The audit therefore needs to record what a user's browser actually receives when it loads your pages, not just what your servers send. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom;
- Address how intrusive your use of cookies is. The purpose behind this law is to protect users' privacy, so the more intrusive your use of cookies is, the more urgency there is for you to put a consent process in place; and
- Decide which consent solution best suits your circumstances. The ICO suggests several ways you may be able to obtain consent: pop-ups; terms of use (note that users must positively indicate that they understand and accept any changes to the terms of use); settings (whereby you explain to users that by asking the website to remember certain choices, they are consenting to the cookies that store those choices); and scrolling text in a header or footer, for example when you want to set an analytics cookie on a user's device, which prompts the user to make further choices. The ICO notes that in the future websites may be able to rely on users' browser settings as a means of consent, but it has made clear that you cannot yet rely on this method, as most browser settings are not sophisticated enough to signal consent to particular cookies.
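The audit step is the one part of this that can be partly automated. The following Python script is an added illustration, not code from the ICO or the original article. It works from a constructed capture of (URL, Set-Cookie header) pairs of the kind you would record with a browser or proxy while walking through every page of your site, classifies each cookie as first- or third-party by comparing its domain scope with the site's own registrable domain, flags persistent cookies, and ranks the cookies that need consent by how intrusive they are. The set of 'strictly necessary' cookie names is an assumed input supplied by the person who has made that legal judgement; the script only applies it. All hosts, cookie names and values are made up.

```python
"""Cookie inventory for a consent audit.

Added example, not from the ICO or the original article. The capture below is
constructed: it stands in for the (URL, Set-Cookie headers) pairs you would
record from a browser or proxy while walking through every page of the site.
"""
from urllib.parse import urlsplit

# Cookie names a person has judged "strictly necessary" for a service the
# user explicitly requested (the ICO's basket example). This is an assumed
# legal judgement; the script only applies it.
STRICTLY_NECESSARY = {"basket", "sessionid"}

# Constructed sample capture: hosts, names and values are made up.
SAMPLE_CAPTURE = [
    ("https://shop.example.com/login",
     ["sessionid=9f2c1b; Path=/; Secure; HttpOnly"]),
    ("https://shop.example.com/basket/add?item=42",
     ["basket=42; Path=/; Secure; HttpOnly"]),
    ("https://shop.example.com/",
     ["_ga=GA1.2.12345; Domain=.example.com; Path=/; "
      "Expires=Tue, 26 May 2013 12:00:00 GMT"]),
    ("https://ads.adnetwork.example/pixel.gif",
     ["uid=7a1d; Domain=.adnetwork.example; Path=/; Max-Age=31536000"]),
]


def registrable_domain(host):
    """Last two labels of a host, e.g. shop.example.com -> example.com.

    Simplification: a real audit should consult the Public Suffix List so
    that unrelated sites under suffixes like co.uk are not treated as one.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split one Set-Cookie header into its name, value and the attributes
    an audit cares about. "persistent" means the browser keeps the cookie
    beyond the session because Expires or Max-Age is set."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {
        "name": name.strip(),
        "value": value.strip(),
        "domain": attrs.get("domain"),
        "path": attrs.get("path", "/"),
        "persistent": "expires" in attrs or "max-age" in attrs,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def audit_cookies(site_host, capture, strictly_necessary):
    """Inventory every cookie in the capture and rank how urgently each needs
    a consent mechanism: third-party cookies and persistent cookies score
    highest, cookies judged strictly necessary score zero."""
    site_domain = registrable_domain(site_host)
    records = []
    for url, headers in capture:
        response_host = urlsplit(url).hostname
        for header in headers:
            cookie = parse_set_cookie(header)
            # The Domain attribute, if present, decides which hosts can read
            # the cookie; otherwise it is scoped to the responding host.
            scope = cookie["domain"] or response_host
            party = "first" if registrable_domain(scope) == site_domain else "third"
            needs_consent = cookie["name"] not in strictly_necessary
            score = (2 if party == "third" else 0) + (1 if cookie["persistent"] else 0)
            records.append({
                "name": cookie["name"],
                "set_by": response_host,
                "scope": scope,
                "party": party,
                "persistent": cookie["persistent"],
                "needs_consent": needs_consent,
                "intrusiveness": score if needs_consent else 0,
            })
    return sorted(records, key=lambda r: r["intrusiveness"], reverse=True)


if __name__ == "__main__":
    for r in audit_cookies("shop.example.com", SAMPLE_CAPTURE, STRICTLY_NECESSARY):
        print("{name:10} set by {set_by:22} {party}-party "
              "persistent={persistent!s:5} consent needed={needs_consent!s:5} "
              "intrusiveness={intrusiveness}".format(**r))
```

Run against the sample capture, the persistent third-party advertising cookie comes out first, the analytics cookie next, and the two strictly necessary cookies last. Note that a cookie scoped to your own domain (such as an analytics cookie set by a script you embed) shows as first-party here, yet the data it carries may still be collected by a third party; domain scoping tells you who can read the cookie, not who benefits from it, which is why the ICO says all parties must tell users what is collected and by whom.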
Consequences of not complying
The ICO has recognised that three weeks (the time between publication of its guidance and the law coming into force) is not a sufficient period in which to comply with the law. Its guidance on enforcement therefore allows a lead-in period of 12 months for you to develop ways of complying with the new rules, during which the ICO will not penalise you for non-compliance. During this period you need to have looked at the cookies your organisation uses and, where necessary, put in place steps to obtain users' consent. If the ICO believes you are not taking appropriate steps in this period, it will ask you to explain what you are doing to be in a position to comply by May 2012. From May 2012 the ICO will handle complaints about websites in the normal manner.
The ICO has new powers to enforce this law. Serious breaches of the Regulations may attract monetary penalties of up to £500,000. A serious breach is a serious contravention of the Regulations of a kind likely to cause substantial damage or substantial distress, where the contravention was deliberate, or the person responsible knew or ought to have known that a contravention would occur and failed to take reasonable steps to prevent it. The ICO has committed to producing further guidance on how it intends to use these powers; it is likely that this guidance will be published in October 2011. That date, like the May 2012 deadline, may seem a long way off, but don't be lulled into a false sense of security: the ICO has made it clear that organisations should be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012, and it may start to gather evidence of non-compliance before that date. If you require further information on how to go about undertaking an audit, please contact us.
Further reading (documents linked from the original article):
- The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)
- The ICO's guidance on complying with the new law
- The ICO's guidance on enforcing the new law
- A previous Law-Now article on the differences between the old and new law: Cookie Consent: Opt-In or Opt-Out?
This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq
Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.
The original publication date for this article was 27/05/2011.