A new law on cookies was introduced in May 2011 under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “Regulations”). The key change to existing law was a new requirement to obtain the consent of users to the use of cookies on websites.
The Information Commissioner (the UK regulator for data protection and e-privacy) gave organisations a 12 month “lead-in” period to allow organisations time to develop appropriate ways of achieving compliance. With 2012 now upon us and four months left to the end of this period, it appears there is still a lot to be done on the road to compliance (indeed, very few sites have clearly asked for my consent to use cookies). Last month, the Information Commissioner considered that whilst there are “pockets of good practice”, in general people are not yet doing enough [1].
The Regulations do not use the term “cookie” [2] but it is generally acknowledged that cookies are the most common technology captured by the relevant requirements. A cookie is a small text file stored by a web browser and containing information about a user’s visit to a website. Cookies may be “session” based (meaning they expire when you close your browser) or “persistent” (meaning they are remembered on subsequent visits).
Cookies are frequently used by website operators, online advertisers and online service providers for a variety of reasons, including: to help with website navigation, analyse site usage, provide specific features and/or remember a user’s details when they re-visit a site. The use of cookies has become more sophisticated in recent years, with services becoming more personalised, and an increase in activities such as behavioural advertising and social networking.
The key requirements under the Regulations are that users must:
(a) be provided with clear and comprehensive information about the purposes of the cookie; and
(b) have given their consent to the use of the cookie.
The appropriate method(s) by which information is given and consent obtained has been the topic of much consideration and debate within business forums since the introduction of the new law. The method may vary from case to case, depending on the nature of the cookies being used, how intrusive they are on the privacy of the user, and what is clear and practical for the website in question. A couple of specific considerations:
(a) Providing information
Research [3] has shown that users are generally not yet sophisticated in understanding what a cookie is and what it may do, so very clear information on what the cookie means for a particular website is required. It may be insufficient to “hide” such information within a privacy policy (to which there is a tiny link at the bottom of a website) and clearer specific information at the time (or before) the cookie is created should be considered.
(b) Obtaining consent
To constitute an effective consent, a user must fully understand that they are giving consent and to what they are giving consent. Options to obtain consent may include a specific pop-up on cookies, or, if a cookie is being created as part of a new website feature, combining cookie consent with the notification/acceptance of the feature. Consent could be obtained as part of acceptance of other terms and conditions relating to the website, as long as the information provided is sufficiently obvious and clear.
The Regulations provide that consent may be signified more generally by internet browser settings or other applications. However, the Information Commissioner’s Office has indicated that most browser settings are not yet sophisticated enough in terms of ensuring that users have clearly considered their options. Therefore, for now, relying solely on browser settings will not be sufficient for compliance [4].
There are limited exceptions to these requirements, including where the cookie is strictly necessary (N.B. “necessary” not “desirable”) to provide an online service requested by the user. For example, this may apply where it is necessary to use a cookie to remember what a customer has placed in their “shopping basket”.
If you use cookies on your website, you should already be in the process of ensuring compliance with the Regulations. It may seem obvious, but you should ensure you understand what cookies you use (or wish to use) on your site and the impact on a user’s privacy, so you can consider in context what information it may be appropriate to provide and how consent can most effectively and practically be obtained.
To the extent you use a third party to develop or maintain your site, or include third party advertisements or materials on your website (or vice versa), you should ask them what cookies may be included and what user information may be obtained, so that these form part of your compliance considerations. Similarly, if you provide materials relying on cookies to third party web publishers, you may wish to work with them to provide the required information and obtain consents. You should also look to address privacy compliance issues in the terms of your agreements with all such third parties.
The Information Commissioner has acknowledged that there is a challenge in compliance; however, as noted above, he will expect compliance measures to have been taken by May 2012. If it is not an issue you are already addressing, then it would be prudent to get started to avoid the risk of enforcement action against you later this year.
Olivia Whitcroft, principal of OBEP, 21 January 2012
[1] See December 2011 ICO news release at: http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx
[2] The relevant provision of the Regulations is that “a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements...are met.”
[3] See, for example, the study conducted by PricewaterhouseCoopers LLP, dated April 2011: http://www.culture.gov.uk/images/consultations/PwC_Internet_Cookies_final.pdf
[4] See http://www.ico.gov.uk/news/latest_news/2011/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft.