On 26 May 2011 the new EU cookie regulations came into force. The Information Commissioner's Office (ICO) has published guidance on how businesses should implement the regulations and has set a one-year deadline for businesses to comply.

Use of Cookies

Under the original E-Privacy Directive, it was enough for website operators to offer users a "right to refuse" cookies and to provide clear information on how to do this, normally through a comprehensive privacy policy. Article 5(3) of the E-Privacy Directive has now been amended to state that a user must give "his or her (active) consent" to the use of cookies. The current practice in the UK is an "opt-out" system, which is at odds with this amendment. The new law will require an "opt-in" system unless the "strictly necessary" exception applies. Businesses will depend on the ICO both for its interpretation of what is "strictly necessary" under the new law and for how it chooses to enforce the regulations.

The ICO guidance

The key message from the ICO is that businesses cannot ignore the new regulations. The ICO has set out the following steps which all businesses must follow now to demonstrate that they are working towards compliance.

1. Check what type of cookies you use and how you use them

A business will need to complete a comprehensive audit of its website(s) including a check of what cookies are placed on user terminals and why.

A business should analyse whether each cookie it uses is strictly necessary or not. A cookie is "strictly necessary" only if it relates to a service the user has requested; it is not strictly necessary merely because it makes the website more attractive or because it collects statistical data on use of the website. For example, cookies that enable customers to shop online using the "add to basket" and "proceed to checkout" functions would be strictly necessary for the use of the website, whereas an analytics cookie would not.

A business should 'clean up' its webpages and stop using any cookies that are unnecessary or which have been superseded as the sites have evolved.

2. Assess how intrusive your use of these cookies is

The more intrusive a business' use of cookies is, the more priority a business will need to give to changing how it uses them.

Some of the things a business does may have no privacy impact at all and may even help users keep their information safe. Other technologies may simply allow a business to improve its websites based on information such as which links are used most frequently or which pages get the fewest unique views. However, if the use of cookies involves creating detailed profiles of an individual's browsing activity on the website or across a range of sites, the business is clearly doing something that could be quite intrusive. The more privacy intrusive the activity, the more priority a business will need to give to getting user consent.

It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. A business must focus its efforts on providing more information and offering more detailed choices at the intrusive end of the scale.

3. Decide what solution to obtain consent will be best in your circumstances

Once a business knows what it does, how it does it and for what purpose, the business needs to think about the best method for gaining consent. The more privacy intrusive the activity, the more a business will need to do to get meaningful consent.

The practical steps

The guidance is not definitive and it is up to businesses to determine how best to obtain the necessary consent. Even though the ICO has given businesses a one-year grace period to comply with the regulations, all businesses should begin the three-step process now, because the ICO could take enforcement action at any time.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.