The International Chamber of Commerce UK ("ICC UK") has launched an official guide to help companies comply with new EU rules on the use of website cookies (for full details of the changes to the law please see our previous e-updates All Eyes on the Cookie Jar and Cookie Breathing Space). This welcomed guide follows a year of confusion for companies, who have been unsure of the measures to take to ensure they are not in breach of the new law. The EU-wide privacy law provides internet users with more control over the personal data they provide whilst browsing the internet by requiring website operators to obtain "informed consent" when placing certain kinds of cookie on users' devices.

The guide categorises cookies, enabling website operators to define the purpose and description of their own cookies, and in turn enables the operators to inform users of what their cookies "do" - allowing users to make "informed choices".

Cookie Categories

The guide categorises cookies as follows:

  1. Strictly necessary cookies - the requirement of user consent is excluded for these cookies, since they are necessary for the website to function (such as online shopping baskets).
  2. Performance cookies - these cookies collect anonymous information about how a website is used. This information is then used to enhance the general performance of the website.
  3. Functionality cookies - these cookies store the choices that a user makes to improve a users' personal experience of visiting the website, particularly when re-visiting.
  4. Targeting cookies or Advertising cookies - these collect information regarding a specific users browsing behaviour to tailor advertising to a user's interests. Although it is likely in this instance that a third party will have set up the cookie, both the third party and the website operator bear the responsibility for providing information to the user and retrieving the required "informed consent".

Obtaining Consent

The guide refers to various methods by which the website operator can obtain consent from the user. In summary these are, obtaining consent:

  • in the course of acceptance of website terms and conditions;
  • as users select website settings;
  • as users register for or "switch on" website features;
  • as a result of users initiating or activating website functions; and
  • through notice and choice mechanisms, such as pop ups or header bars.

The choice of method used will depend on the intrusiveness of the cookie involved and its impact on the privacy of the user. This is particularly onerous for website operators, given that there are no clear cut rules provided.

Companies are also afforded the additional obligation of providing users with a mechanism to withdraw consent they have previously given.

Comment

Virtually every website makes use of cookies, meaning that almost every UK Company which operates a website will be affected by the 'cookie' law. The Government has made it clear that it is the responsibility of the companies to self-regulate and self-audit. With less than eight weeks to go until a hefty fine could become reality, it is imperative that companies ensure they put the necessary compliance procedures in place.

The ICC UK guidance can be found here.

Further guidance published by the Information Commissioner's Office can be found here.

© MacRoberts 2012

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.