ARTICLE
16 May 2012

Take On The Cookie Monster: Don't Be Caught Out By 26 May Website Compliance Deadline

CC
CMS Cameron McKenna Nabarro Olswang

Contributor

CMS is a Future Facing firm with 79 offices in over 40 countries and more than 5,000 lawyers globally. Combining local market insight with a global perspective, CMS provides business-focused advice to help clients navigate change confidently. The firm's expertise and innovative approach anticipate challenges and develop solutions. CMS is committed to diversity, inclusivity, and corporate social responsibility, fostering a supportive culture. The firm addresses key client concerns like efficiency and regulatory challenges through services like Law-Now, offering real-time eAlerts, mobile access, an extensive legal archive, specialist zones, and global events.

On 26th May 2012 the Information Commissioner’s Office will start enforcing the changes to the cookie law, as the 12-month lead-in period for website owners to put their houses in order will have come to an end.
United Kingdom Privacy

On 26th May 2012 the Information Commissioner's Office will start enforcing the changes to the cookie law, as the 12-month lead-in period for website owners to put their houses in order will have come to an end.  This means that organisations which use cookies on their websites have only three weeks from today to take the practical steps they need in order to obtain consent for their cookie use.

To view the article in full, please see below:



Full Article

On 26th May 2012 the Information Commissioner's Office (the 'ICO') will start enforcing the changes to the cookie law, as the 12-month lead-in period for website owners to put their houses in order will have come to an end. This means that organisations which use cookies on their websites have only three weeks from today to take the practical steps they need in order to obtain consent for their cookie use.

Reminder of the law

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the 'Privacy Regulations') enacted last summer require that any person setting cookies (or similar technologies) on the terminal equipment of users, or accessing any information stored in the cookies, must have provided users with "clear and comprehensive" information about the purposes for which the cookies are used and obtained their consent to the setting and use of the cookies.

The main exemption from this obligation is where the cookies are "strictly necessary" for a service which the user has requested. This exception will be narrowly construed. By way of guidance, the ICO has stated that the following are likely to be considered strictly necessary: cookies remembering the goods a user has put in a virtual basket; cookies providing essential security to comply with data protection law; and cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers. The following uses are not strictly necessary and so require consent: cookies used for analytical purposes (e.g. counting visitors); first and third-party advertising cookies; and cookies recognising a user so that the website can be tailored.

What do you need to be doing?

(1) Carry out an audit

The first thing you need to do is make an inventory of the type of cookies you are using and what you are using them for. You need to check which cookies are necessary and which might require a user's consent. You should also consider if your website displays content from a third party (e.g. advertisements) as that third party could be setting cookies on your users' devices. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom.

(2) Assess how intrusive your use of cookies is

The purpose behind this law is to protect users' privacy, so the more intrusive your use of cookies, the more urgency there is for you to put a consent process in place. The International Chamber of Commerce (the 'ICC') has produced a cookie guide to help organisations comply with the law. This guide helps you work out how invasive the cookies you use are by splitting them into four categories, from least intrusive to most intrusive:

(i) strictly necessary;

(ii) performance cookies;

(iii) functionality cookies; and

(iv) targeting/advertising cookies.

The ICO is most worried about the very intrusive cookies; it informed The Register that "provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."

(3) Decide which method of obtaining consent best suits your
circumstances

The ICO has made it clear that consent must involve "some form of communication where the individual knowingly indicates their acceptance." This means that any form of implied consent, such as a privacy policy hidden at the bottom of a webpage which states 'by using this website you consent to our use of cookies' is not compliant.
There are a number of ways you may be able to obtain consent through:

  • pop-ups;
  • terms of use (note that users must indicate that they understand and accept any changes to the terms of use);
  • settings (whereby you explain to users that by allowing the website to remember certain choices, they are consenting to the use of cookies); and
  • scrolling text in a header or footer when you want to set a cookie on a user's device which prompts a user to make further choices.

The ICO notes that in the future websites may be able to rely on users' browser settings as a means of consent. However, the ICO has made it clear that you cannot yet rely on this method, as most browser settings are not sophisticated enough. The ICO has suggested that in determining its approach to compliance an organisation should take into account the standard of compliance achieved by others within that organisation's sector: "After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask 'if they can do it, why can't you?'"

Consequences of not complying

Serious breaches of the Privacy Regulations may attract monetary penalties of up to £500,000. A serious breach is defined as a serious contravention of the Privacy Regulations likely to cause substantial damage or distress. Such contravention must have been deliberate, or the person responsible must have known/ought to have known that a contravention would occur and then failed to have taken reasonable steps to prevent it. On this basis, non-compliance with the cookie law is unlikely to attract the maximum fine.

The ICO has stated that while it does not anticipate "a wave of enforcement action after the lead-in period ends", it does expect organisations to have used the year's lead-in period productively and to have ensured that they are working towards becoming fully compliant.

If you require further information on how to go about ensuring you are compliant with the Privacy Regulations in time for the 26th May deadline, please contact us.

The ICO's guidance on complying with the law can be found here.

The ICC's guidance on complying with the law can be found here.

This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq

Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.

The original publication date for this article was 04/05/2012.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More