Reminder of the law
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the 'Privacy Regulations'), which came into force on 26 May 2011, require that any person setting cookies (or similar technologies) on the terminal equipment of users, or accessing any information stored in those cookies, must have provided users with "clear and comprehensive" information about the purposes for which the cookies are used and obtained their consent to the setting and use of the cookies.
The main exemption from this obligation is where the cookies are "strictly necessary" for a service which the user has requested. This exception will be narrowly construed. By way of guidance, the ICO has stated that the following are likely to be considered strictly necessary: cookies remembering the goods a user has put in a virtual basket; cookies providing essential security to comply with data protection law; and cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers. The following uses are not strictly necessary and so require consent: cookies used for analytical purposes (e.g. counting visitors); first and third-party advertising cookies; and cookies recognising a user so that the website can be tailored.
What do you need to be doing?
(1) Carry out an audit
The first thing you need to do is make an inventory of the type of cookies you are using and what you are using them for. You need to check which cookies are necessary and which might require a user's consent. You should also consider whether your website displays content from a third party (e.g. advertisements), as that third party could be setting cookies on your users' devices. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom.
Cookies are commonly grouped into four categories:
(i) strictly necessary;
(ii) performance cookies;
(iii) functionality cookies; and
(iv) targeting/advertising cookies.
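The audit step is the one part of this process a practitioner can partly automate. The following Python script is an added example, not code from the original article or from the ICO's or ICC's guidance. It takes Set-Cookie headers captured while loading a page (for instance from browser developer tools or an intercepting proxy; the captures below are constructed for illustration), and produces one inventory record per cookie: which host set it, whether it is first or third party relative to an auditor-supplied site domain, whether it is a session or persistent cookie and for how long, its Secure/HttpOnly flags, and a provisional purpose drawn from the four categories above. The name-prefix map used for purposes is an assumption standing in for the auditor's own findings (treating `_ga` as an analytics cookie is part of that assumption); anything not in the map is flagged for manual review rather than silently classified.

```python
"""Cookie audit: build an inventory of cookies set while loading a page.

Input: (response_url, Set-Cookie header value) pairs captured from a page load.
Output: one CookieRecord per cookie with the facts a consent review needs.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit

# Assumed purpose map keyed by cookie-name prefix; an auditor would replace
# this with what the inventory review actually established. Unmatched names
# are flagged for review instead of being guessed.
PURPOSE_BY_PREFIX = {
    "sess": "strictly necessary",
    "csrf": "strictly necessary",
    "basket": "strictly necessary",
    "_ga": "performance",           # assumption: analytics visitor counter
    "pref_": "functionality",
    "ad_": "targeting/advertising",
}
UNCLASSIFIED = "unclassified: review"

# Constructed sample captures (not real traffic) for a site whose
# registrable domain is example.com, plus one third-party ad pixel.
SITE_DOMAIN = "example.com"
SAMPLE_CAPTURES = [
    ("https://www.example.com/", "sessid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.com/", "basket=3; Path=/; Max-Age=1209600; Secure"),
    ("https://www.example.com/",
     "_ga=GA1.2.1; Domain=.example.com; Expires=Sat, 04 May 2013 00:00:00 GMT"),
    ("https://ads.adnetwork.example/pixel.gif",
     "ad_uid=xyz; Domain=adnetwork.example; Max-Age=31536000"),
    ("https://cdn.example.com/widget.js", "widget_theme=dark; Path=/"),
]
# Fixed "now" so lifetimes in the sample are reproducible.
AUDIT_AS_OF = datetime(2012, 5, 4, tzinfo=timezone.utc)


@dataclass
class CookieRecord:
    name: str
    set_by: str                  # host that sent the Set-Cookie header
    domain: str                  # effective cookie domain
    party: str                   # "first" or "third"
    persistent: bool
    lifetime_days: Optional[float]
    secure: bool
    httponly: bool
    purpose: str
    needs_consent: bool          # everything except strictly necessary


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {lowercased attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def effective_domain(attrs: dict, host: str) -> str:
    """Domain attribute (leading dot dropped) or, absent that, the setting host."""
    return attrs.get("domain", "").lstrip(".").lower() or host.lower()


def is_first_party(cookie_domain: str, site_domain: str) -> bool:
    site = site_domain.lower()
    return cookie_domain == site or cookie_domain.endswith("." + site)


def lifetime_days(attrs: dict, now: datetime) -> Optional[float]:
    """Days until expiry from Max-Age (takes precedence) or Expires; None = session."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return None


def classify_purpose(name: str) -> str:
    for prefix, purpose in PURPOSE_BY_PREFIX.items():
        if name.startswith(prefix):
            return purpose
    return UNCLASSIFIED


def audit(captures, site_domain: str, now: Optional[datetime] = None):
    now = now or datetime.now(timezone.utc)
    records = []
    for url, header in captures:
        host = urlsplit(url).hostname or ""
        name, _value, attrs = parse_set_cookie(header)
        domain = effective_domain(attrs, host)
        days = lifetime_days(attrs, now)
        purpose = classify_purpose(name)
        records.append(CookieRecord(
            name=name, set_by=host, domain=domain,
            party="first" if is_first_party(domain, site_domain) else "third",
            persistent=days is not None, lifetime_days=days,
            secure="secure" in attrs, httponly="httponly" in attrs,
            purpose=purpose, needs_consent=purpose != "strictly necessary",
        ))
    return records


def run_sample():
    return audit(SAMPLE_CAPTURES, SITE_DOMAIN, AUDIT_AS_OF)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r.name:14} {r.party:6} set_by={r.set_by:28} "
              f"persistent={r.persistent!s:5} purpose={r.purpose:25} "
              f"consent={r.needs_consent}")
```

Two design points: a cookie with no Domain attribute is attributed to the host that set it, so a first-party sub-domain such as a CDN is still counted as first party, while a Domain attribute pointing outside the site is what marks a third party; and a cookie the prefix map does not recognise is reported as "unclassified: review" so that the inventory surfaces gaps instead of hiding them. Run the script against your own captures with the real site domain and a purpose map built from your review.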
The ICO is most worried about the very intrusive cookies; it informed The Register that "provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
(3) Decide which method of obtaining consent best suits your
There are a number of ways you may be able to obtain consent, including:
- scrolling text in a header or footer, displayed when you want to set a cookie on a user's device, which prompts the user to make further choices.
The ICO notes that in the future websites may be able to rely on users' browser settings as a means of consent. However, the ICO has made it clear that you cannot yet rely on this method, as most browser settings are not sophisticated enough.
The ICO has suggested that in determining its approach to compliance an organisation should take into account the standard of compliance achieved by others within that organisation's sector: "After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask 'if they can do it, why can't you?'"
Consequences of not complying
Serious breaches of the Privacy Regulations may attract monetary penalties of up to £500,000. A serious breach is defined as a serious contravention of the Privacy Regulations likely to cause substantial damage or distress. Such a contravention must have been deliberate, or the person responsible must have known, or ought to have known, that a contravention would occur and then failed to take reasonable steps to prevent it. On this basis, non-compliance with the cookie law is unlikely to attract the maximum fine.
The ICO has stated that while it does not anticipate "a wave of enforcement action after the lead-in period ends", it does expect organisations to have used the year's lead-in period productively and to have ensured that they are working towards becoming fully compliant.
If you require further information on how to go about ensuring you are compliant with the Privacy Regulations in time for the 26th May deadline, please contact us.
The ICO's guidance on complying with the law is published on the ICO's website.
The ICC's guidance on complying with the law is published on the ICC UK's website.
This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq
Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.
The original publication date for this article was 04/05/2012.