Cookies and the new law

November 2013

Page Director

Summary:

ICO issues new guidance the day before end of moratorium on enforcing new cookie rules.
This guidance suggests implied consent (opt-out) may be a good enough solution.

What are cookies?

Website cookies can allow a user to navigate a website efficiently and can add additional functionality to websites. They can also allow websites to track visitors and can be utilised by advertisers to target ad campaigns. This is all made possible by placing a cookie (a small data file) in your hard drive and allowing the website (or a third party) to access it.

How has the law changed?

On 26 May 2011, the UK updated its law relating to electronic communications, (which includes cookies) via the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

These changes to the law were instigated by the EU Commission via its 2009 ePrivacy Directive. The ICO announced in May 2011 that they would give most websites a year’s amnesty in which to adapt to the changes in the law. This amnesty ended on Saturday 26th May 2012.

Opt-in or Opt-out?

The Regulations state that it is unlawful to use cookies to collect a user’s data without first obtaining prior consent.

Initially, the Information Commissioner’s Office (ICO) guidance indicated that consent had to be express (i.e. opt-in). However, 11th hour guidance released on Friday May 25th suggests that implied consent (i.e. opt-out) may be appropriate most of the time.

The ICO has stressed that implied consent can only be relied on when users have sufficient understanding about the cookies used so that their actions imply their consent. This means that website owners still need to provide much more detailed information about their use of cookies and need to bring this information to the notice of website users, for example, using prominent links/banners etc.

The usual profile of a website’s users will also be important when deciding on an appropriate method for achieving compliance. For example, a website designed for young children may require an opt-in approach to obtaining consent to cookies, but it’s likely that a website designed for adults which provides detailed and accessible information about its cookies could rely on an opt-out approach.

What are other website owners doing?

Throughout 2012, an increasing number of websites have started to include more detailed information about cookies in more prominent positions on their sites.

Some public sector websites are tending to take a more cautious approach by seeking to obtain prior consent to cookies on an express basis (opt-in).

The vast majority of websites have made no visible changes. It’s possible that some websites have stopped using cookies altogether; however, this is fairly unlikely. There are several examples of some of the changes to websites that we have seen at the end of this note.

What should a website owner do?

The ICO has made it clear that it will enforce this new law, so website owners cannot ignore it. We recommend you do the following:

Perform an Audit

The first task is to perform an audit of the cookies you use. The ICO has stated that its approach to enforcement will relate, to an extent, to the intrusiveness of cookies that are used on websites. The more intrusive a cookie is in terms of data it collects and stores, the more onus there will be on the website owner to ensure compliance with the new rules. There is also a distinction made between first and third party cookies. First party cookies will be placed by the website owner and third party cookies will be placed by a third party (such as an advertiser). Third party cookies are generally seen as more intrusive.

If you don’t need the more intrusive cookies, get rid of them.

Consider the Exemption

There is an exemption to the new rules that applies to cookies which are “strictly necessary”. This exemption will be very strictly interpreted. The ICO has indicated it will only apply to cookies which result from a user’s explicit request. For example, adding an item to a shopping basket usually results in the use of a cookie to remember that the item has been placed in the basket until the user is ready to pay. The ICO’s guidance makes it clear that this exemption will not be extended to analytical cookies (such as Google Analytics). However, it also states that provided users are informed about the use of analytical cookies, the ICO is unlikely to prioritise any regulatory action against their use without sufficient consent.

If you can operate a website using only “strictly necessary” cookies, you can tick the compliance box.

How to comply

Full compliance with the new rules requires you to:

  • provide users with comprehensive information about the cookies you use; and
  • gain a user’s consent to such use.

Information

You need to be able to show now that you have at least started to work towards full compliance. The easier of the two requirements above is the information requirement. You need to prepare a cookie information section for your website that provides, as a minimum, the following information in relation to each cookie:

  • name or type of cookie;
  • 1st or 3rd party cookie;
  • what it is used for;
  • how long it is used for;
  • what data is stored/accessed; and
  • whether there is any link to the identity of a user.
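The audit step above and this per-cookie information list can both be driven from a single inventory script; the following is an added example, not part of this note or the ICO’s guidance. It assumes a site host of www.example.co.uk, constructed Set-Cookie headers, a simplified first-party test (the site itself or one of its subdomains, with no public-suffix list), and a review ordering taken from the note’s remarks on intrusiveness (third-party cookies first, then persistent first-party cookies, then session cookies).

```python
"""Turns observed Set-Cookie headers into the per-cookie inventory record (sample data constructed)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_HOST = "www.example.co.uk"                   # assumed site under audit
NOW = datetime(2012, 5, 26, tzinfo=timezone.utc)  # fixed clock so lifetimes are reproducible

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flags such as Secure become True
    return name.strip(), value, attrs

def lifetime_seconds(attrs, now):
    """Max-Age takes precedence over Expires; neither means a session cookie (None)."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None

def audit_cookies(site_host, observed, now=NOW):
    """observed: (host that sent the response, Set-Cookie value) pairs. First party
    means the site or a subdomain of it ('www.' stripped; no public-suffix list)."""
    base = site_host.lower().removeprefix("www.")
    rows = []
    for host, header in observed:
        name, _, attrs = parse_set_cookie(header)
        host = host.lower()
        party = "first" if host == base or host.endswith("." + base) else "third"
        life = lifetime_seconds(attrs, now)
        rows.append({
            "name": name, "party": party,
            "lifetime": "session" if life is None else f"{life}s",
            "secure": attrs.get("secure") is True, "httponly": attrs.get("httponly") is True,
            # review order per the note: third party, then persistent, then session
            "priority": 3 if party == "third" else (2 if life is not None else 1),
            "purpose": "TODO: what it is used for and any link to user identity",
        })
    return sorted(rows, key=lambda row: -row["priority"])

SAMPLE = [  # constructed headers, not captured from any real site
    ("www.example.co.uk", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.co.uk", "basket=item42; Max-Age=86400; Path=/shop"),
    ("ads.tracker.example", "uid=7f3e; Domain=.tracker.example; Expires=Fri, 24 May 2013 00:00:00 GMT"),
]
```

The purpose column is deliberately left as a placeholder: whether a cookie links to a user’s identity cannot be read from the header and has to be recorded by whoever owns that part of the site.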

You are also required to prominently flag this information to users. The ICO recommends having a link to a separate “cookies” section as well as a link to “privacy policy”, or to have a “how we use cookies” section. Some websites have renamed the privacy policy “cookies and privacy policy”.

Consent

As mentioned above, the latest ICO guidance suggests that implied consent may well be acceptable in more circumstances than the previous guidance had suggested. The key issue is that to be valid, implied consent needs to be “specific and informed”.

This means you cannot rely on doing nothing and argue that a user visiting your website gives implied consent to cookie use simply by visiting. The ICO states that you have to ensure that “clear and relevant information is readily available to users explaining what is likely to happen while the user is accessing the site and what choices the user has in terms of controlling what happens.”

The ICO also states that you should view implied consent as coming out of a shared understanding between websites and users. The more users see prominent notices giving clear and relevant information about cookies, the more they will develop an understanding of cookie use and the more likely it will be that a website owner can rely on implied consent.
