News of the new cookie regime is slowly filtering its way through to website owners, but whilst many have taken active steps towards compliance, many more have yet to take any action, despite new laws on cookies coming into force in the UK more than a year ago.
What are Cookies?
Cookies are small data files which most website operators place on the browser or hard drive of their users' computers. Cookies may gather information about the user's use of the website or enable the website to recognise the user as an existing customer when he/she returns to the website at a later date. They have also been used to collect information about the user which allows the website operator or a third party to create a profile of the user, his/her preferences and his/her interests for the purpose of serving the user with targeted, interest-based advertising.
What is the new Cookie Regime?
The new cookie regime has come about as a result of revisions to the EU Privacy and Electronic Communications Directive (2002/58/EC) by the Citizens' Rights Directive (2009/136/EC) and has been implemented in the UK through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (Regulations). Under the Regulations, a cookie may only be stored on, or accessed from, a user's equipment where the user:
- has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed; and
- has given his/her consent.
This represents a substantial change from the previous regime, which operated on the basis that cookies were placed on a user's machine unless and until such time as the user 'opted out' and requested them to be removed.
Why has the law changed?
The law has changed in an attempt to provide greater privacy for users of the internet, prompted partly by concerns about online tracking of individuals. The new regime is intended to prevent information being stored on a user's computer and used to recognise them via the device they are using, without their knowledge and agreement.
When do you have to comply with the new regime?
The Regulations have been in force in the UK since 25 May 2011. The Information Commissioner's Office (ICO), which is responsible for enforcing the Regulations, granted businesses a lead-in period of 12 months to allow them to develop ways of meeting the new regime, as it understood that this was never going to be an easy task for businesses. This lead-in period ended in May 2012, so all website owners should now be complying with the new regime.
What practical steps should you take?
Review the ICO Guidance
Conduct a Cookie Audit
The ICO recommends conducting a cookie audit as the first step towards achieving compliance. The focus of your cookie audit should be to ascertain what cookies are operating on your website, the purpose of each cookie, what data each cookie holds, the type of cookie it is (persistent or session), its lifespan, and whether it is a first-party or third-party cookie.
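Much of that audit can be automated from the Set-Cookie headers a site actually sends. The Python below is an added example written for this page (it is not part of the article and not an ICO tool): it parses captured Set-Cookie headers and records, for each cookie, its name, effective domain, whether it is a session or persistent cookie, its lifespan in days, whether it is first- or third-party relative to the audited site, and its Secure/HttpOnly flags. The site URL, the sample headers and the fixed audit date are constructed for illustration; the first-party check compares the last two domain labels, which is an assumption that does not handle multi-label public suffixes such as co.uk (a real audit would use the public suffix list).

```python
"""Cookie audit helper: classify Set-Cookie headers along the ICO audit axes."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class CookieRecord:
    name: str
    set_by: str                   # host whose response carried the header
    domain: str                   # effective cookie domain
    kind: str                     # "session" or "persistent"
    lifespan_days: Optional[float]  # None for session cookies
    party: str                    # "first-party" or "third-party"
    secure: bool
    httponly: bool


def _registrable(host: str) -> str:
    # Assumption: the last two labels form the registrable domain.
    # This is wrong for suffixes like co.uk; use the public suffix list in practice.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_cookie(header: str, response_url: str, site_url: str,
                    now: datetime) -> CookieRecord:
    """Classify one Set-Cookie header value sent in a response from response_url."""
    host = urlsplit(response_url).hostname.lower()
    segments = [s.strip() for s in header.split(";")]
    name = segments[0].split("=", 1)[0].strip()
    attrs = {}
    for seg in segments[1:]:
        key, _, value = seg.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Domain attribute overrides the response host; a leading dot is ignored (RFC 6265).
    domain = attrs.get("domain", host).lstrip(".").lower() or host

    # Max-Age takes precedence over Expires; absence of both means a session cookie.
    lifespan = None
    if "max-age" in attrs:
        try:
            lifespan = int(attrs["max-age"]) / 86400
        except ValueError:
            lifespan = None
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifespan = (expires - now).total_seconds() / 86400
        except (TypeError, ValueError):
            lifespan = None
    kind = "persistent" if lifespan is not None else "session"

    site_host = urlsplit(site_url).hostname
    party = ("first-party" if _registrable(domain) == _registrable(site_host)
             else "third-party")
    return CookieRecord(name, host, domain, kind, lifespan, party,
                        "secure" in attrs, "httponly" in attrs)


def audit_site(site_url: str, responses: List[Tuple[str, str]],
               now: datetime) -> List[CookieRecord]:
    """responses: (response_url, Set-Cookie header value) pairs captured while browsing."""
    return [classify_cookie(header, url, site_url, now) for url, header in responses]


# Constructed sample data: one session cookie, one persistent first-party cookie,
# and one persistent cookie set by an unrelated advertising host.
SITE_URL = "https://www.example.com/"
AUDIT_DATE = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("https://www.example.com/", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.com/login",
     "remember_me=xyz; Max-Age=2592000; Path=/; Domain=.example.com"),
    ("https://ads.tracker-example.net/pixel",
     "uid=1234; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.tracker-example.net; Path=/"),
]

if __name__ == "__main__":
    for rec in audit_site(SITE_URL, SAMPLE_RESPONSES, AUDIT_DATE):
        days = "n/a" if rec.lifespan_days is None else f"{rec.lifespan_days:.0f} days"
        print(f"{rec.name:12} {rec.party:12} {rec.kind:11} {days:10} "
              f"domain={rec.domain} secure={rec.secure} httponly={rec.httponly}")
```

The output rows are the audit table the ICO asks for, minus the purpose and data-held columns, which have to be filled in by whoever owns each cookie. Third-party rows are the ones to flag for the separate consent treatment discussed later in this article.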
Information about cookies must be displayed on your website in a clear, user friendly manner. Your cookie audit will help you to identify the information that you will need to display. The ICO has suggested two main ways of displaying information about cookies:
- by including a broader explanation of the way cookies operate and the categories of cookies used on your website (this may be more appropriate for the majority of users, given the general lack of knowledge and understanding of cookies).
Make sure you bring information about Cookies to your user's attention
Information about cookies now needs to be brought to a user's attention when they access your website. A link to information on cookies must be prominently displayed. Consent to a cookie must be obtained:
- before the cookie is set; and
- through an affirmative step on the part of the user.
This suggests that "opt in" consent to cookies must be obtained and makes it difficult for website operators to obtain consent in an "implied" way. However, the 2012 Guidance published by the ICO suggests that implied consent (obtained through privacy policies or default privacy or browser settings) is a reasonable proposition in the context of the storage of, or access to, information when using cookies, at least where non-sensitive personal data is concerned. In forming this opinion, the ICO has taken a different view from the majority of data protection regulators in other member states, as well as from the Article 29 Working Party, which ruled out the use of implied consent. Decisions to rely on implied consent should not therefore be taken lightly. One consequence is that UK website operators who place cookies on the equipment of non-UK EU citizens on the basis of implied consent may not meet the standard expected by those users' own regulators. It will be important to continue to monitor developments in this area carefully.
Ways of obtaining "Opt In" Consent
The ICO has stressed that there is no 'one size fits all approach' and believes that organisations themselves are best placed to develop their own solutions, as they will know how and why their customers use their websites better than anyone else.
Relying on Implied Consent under the 2012 Guidance
The 2012 guidance issued by the ICO states that you can only rely on implied consent on the basis that:
- it is specific and informed; and
- there is some action on the part of the user from which consent can be inferred.
The 2012 Guidance confirms that if a website includes a clear and unavoidable notice that cookies will be used if the user enters the website and if the user, on that basis, clicks through and continues to use the website, this would be sufficient to imply consent.
Third Party Cookies
Third party cookies present difficulties and if third party cookies are used on your website you should consult the 2012 Guidance and seek further advice in respect of obtaining a user's consent to those cookies.
What are the consequences of failing to comply with the new Cookie Regime?
Where organisations refuse or fail to comply voluntarily with the Regulations, the ICO has a range of options available in order to take formal action, which include, amongst other things, formal undertakings, enforcement notices and monetary penalties. However, the ICO has indicated that its existing strategy on enforcement is focused on achieving compliance by the most appropriate means, so monetary penalties are only likely to be used in very serious cases. Website owners are advised to continually monitor the new cookie regime and how it is adopted and enforced, and to comply with current practice as it develops.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.