As we have previously discussed, 26 May 2011 saw a change to the laws covering the use of cookies and similar technology used to store information on a user's equipment. Under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) (the "Regulations"), website providers who wish to use non-essential information storage technologies, like cookies, as part of their website operations must now obtain user consent.

There was an initial twelve month moratorium following the enactment of the Regulations during which the Information Commissioner's Office ("ICO") expected websites to take steps to become compliant. Following that moratorium, users have had the opportunity to inform the ICO of websites that were not complying with the Regulations. The ICO has recently published its first activity report ("Report") on these user concerns.[1]

The number of users reporting concerns (in the period 25 May - 21 November 2012) regarding websites accessed from the UK was only 550. To put this into perspective, in the same period 53,000 individuals registered concerns with the ICO over unwanted marketing communications.

Findings

While there were significant variations within the user complaints, two overarching themes prevailed, namely:

  • dissatisfaction with the use of implied consent mechanisms; and
  • a lack of information about how users could decline cookies or manage them at a later date.

The findings of the Report showed that:

  • more than half (55%) of the respondents stated that the relevant website did not provide any information about the use of cookies; and
  • over 4 in 5 (84%) of the respondents stated the website did not ask permission to place the cookies.

The 388 responses received prior to 6 September related to 207 separate websites. A review by the ICO found that since that September date:

  • 90 have taken steps to be fully compliant;
  • 68 have taken limited steps to be fully compliant;
  • 48 have not taken any steps to be compliant; and
  • 1 could not be reviewed.

In addition, in relation to the 200 most visited sites in the UK, 34 received at least one concern. Since the ICO contacted these 34, half of those based within the UK (and therefore under the auspices of the ICO) have taken significant steps to make users aware of the presence of cookies and seek the necessary consent. Only 1 website has taken no steps to achieve compliance. The ICO has set a compliance deadline for the non-compliant websites which fall within the 200 most visited websites, as it feels these websites will have the greatest effect on users.

How are most websites dealing with the Regulations?

In compiling the Report, the ICO has confirmed that the most popular method of compliance is through the use of a cookie consent banner that is displayed when the user enters the website. The banner is used to gain implied consent from a user, and generally provides a clear link to additional and easily digestible information concerning what cookies are used, for what purposes and how to stop their use.

While a number of websites have adopted the banner approach, the ICO has re-confirmed that mere use of the banner in itself is not sufficient to ensure compliance. The ICO points out that the banner must enable the user to make a clear and informed choice about accepting the use of cookies and similar technologies. Where the necessary information is not easily available and understandable, the ICO has reiterated that informed consent will not be deemed to have been given.

Gentle persuasion or severe penalty?

The ICO has significant regulatory powers to sanction infringing websites (see Data Protection Action Policy and Guidance[2] for further details), such as naming of non-compliant websites, enforcement notices and monetary penalties of up to £500,000. It appears to be the continued stance that the stringent penalties will be reserved for "particularly privacy-intrusive use of cookies without informing consumers".

However, the ICO has clarified its approach to enforcement. In the first instance, the ICO will commonly undertake a basic visual audit of the website, followed by a written communication to the website operator requesting information. Where the ICO feels that the website is not compliant, it will write to the website operator and require changes to be made within a fixed time period. Where a non-compliant website is based outside the ICO's jurisdiction, the relevant national authority will be contacted and any further steps will be handled by that body.

Conclusion

As exemplified by the limited number of users raising concerns over the implementation of the Regulations regarding cookies, it could be argued that the ICO has taken a balanced and pragmatic stance. It has focussed, and states that it will continue to focus, on websites that fail to raise users' awareness of the presence of cookies or gain users' consent prior to the placing of cookies. As such, while cookies do not appear to be high on the ICO's list of compliance priorities, website operators may find that users will increasingly expect websites to be compliant and in time be more reluctant to use those not displaying evidence of compliance – at least this is what the ICO would hope for!

Footnotes

1 http://www.ico.gov.uk/enforcement/action/~/media/documents/library/Privacy_and_electronic/Research_and_reports/cookies_enforcement_activity_report.ashx

2 available at http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
