New Rules for Using Cookies: A Recipe for Confusion?
What are cookies?
Cookies are small text files which websites use to track and record information about users' behaviour and site visits. The Information Commissioner's Office (ICO) has warned that organisations using cookies will need to take active steps to comply with the new requirement to obtain the consent of users.
Cookies and consent - how has the law changed?
The new law means that organisations using cookies are required to obtain the consent of users to place cookies on machines. The only exception to the new rule is if a cookie is 'strictly necessary' for the task which the user has asked the website to perform. This exception will be interpreted narrowly. An example is a cookie which is used to 'remember' what a person has ordered on a website when moving to the checkout page.
How do I ensure that my organisation is compliant?
The ICO has issued guidance on its website (www.ico.gov.uk) on how to comply with the new rules. However, it is not quite as helpful as ICO guidance normally is. This is because implementation of the new rules has taken place before technical solutions to achieve compliance are available. Prior to the implementation of the new rules it was felt that more sophisticated browser settings would in most cases be sufficient to obtain this consent. Unfortunately, such settings do not currently exist, so while discussions with browser manufacturers are taking place at UK and EU level, no such solution is generally available at present.
What will happen if my organisation does not comply with the changes?
Perhaps not surprisingly, given the lack of clarity on compliance and the absence of suitable technical standards to achieve it, the ICO is taking a fairly sympathetic view on enforcement. It has said that it will take a proportionate view of any non-compliance and will focus on instances where a breach has caused detriment to consumers. It has also indicated that it will allow a bedding-in period of 12 months to enable organisations to work out how best to comply with the new laws - and no doubt to see if new technical standards are available in this time.
This period mirrors the recent comments of the European Commissioner, who challenged all interested parties to come up with a uniform technical standard which will provide users with a simple way to opt out of cookies, but which also allows website operators to comply with the new rules.