On 26th May 2012 the Information Commissioner's Office (the 'ICO') will start enforcing the changes to the cookie law, as the 12-month lead-in period for website owners to put their houses in order will have come to an end. This means that organisations which use cookies on their websites have only three weeks from today to take the practical steps they need in order to obtain consent for their cookie use.
Reminder of the law
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the 'Privacy Regulations') enacted last summer require that any person setting cookies (or similar technologies) on the terminal equipment of users, or accessing any information stored in the cookies, must have provided users with "clear and comprehensive" information about the purposes for which the cookies are used and obtained their consent to the setting and use of the cookies.
The main exemption from this obligation is where the cookies are "strictly necessary" for a service which the user has requested. This exception will be narrowly construed. By way of guidance, the ICO has stated that the following are likely to be considered strictly necessary: cookies remembering the goods a user has put in a virtual basket; cookies providing essential security to comply with data protection law; and cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers. The following uses are not strictly necessary and so require consent: cookies used for analytical purposes (e.g. counting visitors); first and third-party advertising cookies; and cookies recognising a user so that the website can be tailored.
What do you need to be doing?
(1) Carry out an audit
The first thing you need to do is make an inventory of the type of cookies you are using and what you are using them for. You need to check which cookies are necessary and which might require a user's consent. You should also consider if your website displays content from a third party (e.g. advertisements) as that third party could be setting cookies on your users' devices. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom.
(2) Assess how intrusive your use of cookies is
The purpose behind this law is to protect users' privacy, so the more intrusive your use of cookies, the more urgency there is for you to put a consent process in place. The International Chamber of Commerce (the 'ICC') has produced a cookie guide to help organisations comply with the law. This guide helps you work out how invasive the cookies you use are by splitting them into four categories, from least intrusive to most intrusive:
(i) strictly necessary;
(ii) performance cookies;
(iii) functionality cookies; and
(iv) targeting/advertising cookies.
The ICO is most worried about the very intrusive cookies; it informed The Register that "provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
(3) Decide which method of obtaining consent best suits your circumstances
The ICO has made it clear that consent must involve "some form of communication where the individual knowingly indicates their acceptance." This means that any form of implied consent, such as a privacy policy hidden at the bottom of a webpage which states 'by using this website you consent to our use of cookies', is not compliant.
There are a number of ways in which you may be able to obtain consent, including through:
- pop-ups;
- terms of use (note that users must indicate that they understand and accept any changes to the terms of use);
- settings (whereby you explain to users that by allowing the website to remember certain choices, they are consenting to the use of cookies); and
- scrolling text in a header or footer, shown when you want to set a cookie on a user's device, which prompts the user to make further choices.
The ICO notes that in the future websites may be able to rely on users' browser settings as a means of consent. However, the ICO has made it clear that you cannot yet rely on this method, as most browser settings are not sophisticated enough.
The ICO has suggested that in determining its approach to compliance an organisation should take into account the standard of compliance achieved by others within that organisation's sector: "After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask 'if they can do it, why can't you?'"
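The three steps above, as an added worked example in JavaScript (Node) that is not part of the article or of any ICO or ICC guidance: it parses Set-Cookie headers captured from a site and from its embedded third-party content, records for each cookie whether it is first or third party and whether it persists beyond the session, looks the name up in an audit register mapping cookie names to the four ICC categories, flags which entries need consent, and gates storage of non-essential cookies on an explicit consent record. The site host www.example.co.uk, the captured headers, the register contents and the shape of the consent record are all assumptions constructed for the example.

```javascript
// Added example (not from the article): a minimal cookie audit and consent gate.
// Assumption: the site host, the captured headers and the register below are
// constructed for illustration and are not taken from any real site.
const SITE_HOST = "www.example.co.uk";

// Constructed sample of Set-Cookie headers, each tagged with the host of the
// response that carried it (embedded third-party content sets its own cookies).
const CAPTURED = [
  { from: "www.example.co.uk", header: "sessionid=abc123; Path=/; HttpOnly; Secure" },
  { from: "www.example.co.uk", header: "basket=item42; Path=/; Max-Age=86400" },
  { from: "www.example.co.uk", header: "_ga=GA1.2.1; Domain=.example.co.uk; Expires=Thu, 01 Jan 2015 00:00:00 GMT" },
  { from: "ads.adnetwork.example", header: "uid=xyz; Domain=.adnetwork.example; Max-Age=31536000" },
  { from: "www.example.co.uk", header: "lang=en; Path=/; Max-Age=2592000" },
];

// Hypothetical audit register: cookie name -> ICC category, filled in by hand
// after the audit. Anything not listed is treated as requiring consent.
const REGISTER = {
  sessionid: "strictly necessary",
  basket: "strictly necessary",
  lang: "functionality",
  _ga: "performance",
  uid: "targeting/advertising",
};

// Parse one Set-Cookie header into { name, value, attrs }; attribute keys are
// lowercased and flag attributes (Secure, HttpOnly) become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// RFC 6265 domain matching: the host equals the domain or ends with "." + domain.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// A cookie is first party if the site's own host would be sent it: a host-only
// cookie set by the site itself, or a Domain attribute that covers the site host.
function cookieParty(cookie, fromHost, siteHost) {
  const domain = cookie.attrs.domain;
  if (domain === undefined) {
    return fromHost.toLowerCase() === siteHost.toLowerCase() ? "first" : "third";
  }
  return domainMatches(siteHost, domain) ? "first" : "third";
}

// Build the inventory: one row per captured cookie.
function audit(captured, register, siteHost) {
  return captured.map(({ from, header }) => {
    const c = parseSetCookie(header);
    const category = register[c.name] || "unclassified";
    return {
      name: c.name,
      setBy: from,
      party: cookieParty(c, from, siteHost),
      persistent: "max-age" in c.attrs || "expires" in c.attrs,
      category,
      consentRequired: category !== "strictly necessary",
    };
  });
}

// Consent gate: strictly necessary cookies may always be stored; anything else
// needs a recorded, explicit indication that covers its category. A missing or
// non-explicit record (the "by using this site you consent" case) is no consent.
function mayStore(category, consent) {
  if (category === "strictly necessary") return true;
  if (!consent || consent.explicit !== true || !Array.isArray(consent.categories)) return false;
  return consent.categories.includes(category);
}

console.table(audit(CAPTURED, REGISTER, SITE_HOST));
```

The audit treats any cookie absent from the register as unclassified and therefore consent-requiring, so an unexpected third-party cookie surfaces in the inventory rather than being waved through. The gate only consults the category, so the same function serves a pop-up, a terms-of-use acceptance or a settings page; what those mechanisms must produce is a record with `explicit: true` and the categories the user actually accepted.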
Consequences of not complying
Serious breaches of the Privacy Regulations may attract monetary penalties of up to £500,000. A serious breach is defined as a serious contravention of the Privacy Regulations likely to cause substantial damage or distress. Such contravention must have been deliberate, or the person responsible must have known, or ought to have known, that a contravention would occur and then failed to take reasonable steps to prevent it. On this basis, non-compliance with the cookie law is unlikely to attract the maximum fine.
The ICO has stated that while it does not anticipate "a wave of enforcement action after the lead-in period ends", it does expect organisations to have used the year's lead-in period productively and to have ensured that they are working towards becoming fully compliant.
If you require further information on how to go about ensuring you are compliant with the Privacy Regulations in time for the 26th May deadline, please contact us.
The ICO's guidance on complying with the law can be found here.
The ICC's guidance on complying with the law can be found here.
This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq
Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.
The original publication date for this article was 04/05/2012.