On 26 May 2011, the law governing the use of cookies on websites and similar technologies by a website operator, as a method of gathering information about a website's users, was changed across the EU.

The requirements under the changes to the legislation require website operators to:

  • clearly and comprehensively inform users of the purposes behind the use of cookies on their website
  • obtain the user's permission before storing any information about that user (whether on the user's device or elsewhere)

Due to the fact that airlines and other operators in the aviation industry rely heavily on website data and the provision of services online (for example, online ticket transactions) websites in this sector often use a large number of different cookies in order to track individual transactions and store information about user history. This has resulted in these websites and operators being directly affected by this change in law.

It is therefore particularly important that airlines and other members of the aviation industry familiarise themselves with the new legal requirements relating to the use of cookies, review and consider their current use of cookies and their privacy policy and take steps to ensure that their websites incorporate appropriate methods of obtaining the user's permission.

Changes

Prior to 26 May 2011, website operators who used cookies were required to inform users of this fact and to clearly and comprehensively explain the reasons for storage of, and access to, information. Operators were also required to afford users the opportunity to refuse the use of cookies. Website operators were, for example, thus well within their rights to store cookies on a user's device as long as the user had not specifically opted out of allowing them to do so.

Before the recent change in legislation, website operators complied with their obligations regarding cookie usage by putting the required information in their privacy policy and giving users the opportunity to 'opt out' of accepting cookies.

The major change in the law (which took place in May 2011) is that website operators were not only required to fully inform the users about the purpose of the cookies which it used but also to obtain the user's permission before storing most types of cookie on the user's device.

There are some limited exceptions to this requirement to obtain the user's consent (including where the storage of information is 'strictly necessary' for a service which has been requested by the user). For example, when a customer books and pays for a flight online, the site will use "session" cookies to store and remember the customer's selections throughout the transaction. In this case, the website operator would not need to ask for the user's permission to use these cookies as they are temporary and expire after the user has ended their browsing session. This means that a main functionality of airline websites will be undisrupted by the change in legislation; having said that, website operators will still have some significant issues which need to be addressed in order to comply with the law where other types of cookie are used.

Compliance

Although the new legislation officially came into force in the UK on 26 May 2011, the UK Information Commissioner's Office (ICO) (which has responsibility for enforcing the law in the UK relating to the use of cookies) has given website operators a period of 12 months to become compliant with the new law before it takes enforcement action. However, the website operator must, when challenged, be able to demonstrate to the ICO that it is using or has used this period to develop a realistic plan to adapt and comply with the legislation. The key message is that inaction is not acceptable.

Clearly then, the first step for operators to take is to assess which types of cookie they use, and how they use them. Thereafter, cookies which are unnecessary or have been superseded as the site has evolved should be removed. Others should be categorised into those which are 'strictly necessary' for site functioning and the provision of certain services, and those which require user permission.

Obtaining consent from the website users

Although a user could signify its consent by changing or setting controls on its internet browser, or using another application or programme which indicates consent, these settings and applications are not necessarily that reliable and should not be relied on (well, not yet in any event) to indicate user consent or the absence thereof (currently, most browser settings are not sophisticated enough to make assumptions about a user's decision on cookies in all circumstances). For the time being at least, website operators need to obtain the user's consent through alternative means.

This is not always that easy given the variety of cookies and the overarching requirement not to degrade or disrupt the user's experience; however, some suggestions for obtaining consent are:

Pop-up windows. These may prove to be too disruptive if a site is likely to require permissions for a number of different cookies. Pop-ups are also discouraged by the

Web Content Accessibility Guidelines and users can block pop-ups by default, making this method unreliable

  • Terms of use. The user could be required to accept the website's terms of use incorporating the required information on the use of cookies, or ask users to accept all cookies when they register to use the website
  • Settings-led consent. This can be obtained when a user makes a choice about how a site works for them; for example language choice. The user could, at this stage, be informed that the site can remember their preference, and explain that by choosing this option, they are consenting to the use of a cookie
  • Feature-led consent. Some sites store cookies when a user chooses a particular feature of the site (for example, watching a video-clip, or when it remembers a user's previous activities to personalise the experience. Assuming the user is choosing a particular outcome (such as opening a link, clicking a button or agreeing to a functionality being activated), the user can be asked for consent to set a cookie at this time
  • Functional uses. Collecting information about how visitors use the site by using analytic cookies requires consent. Whether additional information should be made available to users about what cookies are used and their functions so that the user can make an informed choice about what the user will allow should be considered. If any information gathered is passed onto a third party, this fact must be made clear to the user
  • Third party cookies. Airline websites often display content from third parties; for example from an advertising network. In these cases, the third party may store its own cookies on 'your' user's device. All parties should take responsibility for informing users of what information will be collected from them and allowing users the opportunity to consent to this

The ICO's own website (see www.ico.gov.uk) places cookies and now has a consent "opt-in" box at the top of its homepage requiring users to check a box to consent to the placing of cookies. Airlines and other members of the aviation industry need to consider what mechanism for gaining their users' consent would work for them, given the nature and use of their website.

The requirements in the rest of Europe remain as yet unclear as some Member States (for example, Germany) have yet to implement the relevant EU Directive, claiming that full implementation into national laws can only be achieved when technical and industry-led compliance solutions become available.

Penalties for non-compliance

From May 2012 the ICO will determine whether enforcement action is appropriate by considering the impact of the breach of the law on the privacy and other rights of the website user and not just whether there has been a technical breach of the law. Subject to the view of the relevant information authorities across Europe, similar positions may apply across the Community.

Summary

The change in the law relating to the use of cookies has left website operators with the considerable problem of how to ensure compliance with the law by obtaining the user's consent. This has created a situation where the law is ahead of the technical capabilities of website operating systems and so a temporary "fix" needs to be decided on by website operators. All website operators should be considering now the impact of the changes in law and what they need to do to ensure compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.