As reported in June 2011, changes in UK "cookie law" to give pride of place to the privacy of website users were introduced on 26 May 2011. Website owners were given a one-year grace period within which to comply. This expires on 26 May 2012, after which the Information Commissioner's Office (the ICO) will start to actively enforce the new law.
So, how do website owners comply with the new law?
What is a cookie?
A cookie is a small text file which is downloaded on to a device and is used to track and record information about a user's behaviour on a website.
How has the law changed?
Prior to the changes, the law required that organisations had to provide clear information to users on how they used cookies and how their users could 'opt out' from cookies if they objected.
The changes require a more pro-active approach to be adopted. Website owners are now expected to obtain a user's prior "informed consent" before cookies can be used lawfully. There is also an obligation to provide "clear and comprehensive information about the purposes of the storage of, or access to the information" stored by the cookie.
How do you comply with the new law?
The initial guidance issued by the ICO, which we reported on last year, has been updated.
The ICO has indicated that it wishes to take a pragmatic and sympathetic approach to compliance with the new law, providing organisations with as much "flexibility as possible" to effect solutions which are relevant and proportionate to the cookie use (and how intrusive that use might be) and which meet their own business needs, as well as the expectations of their users.
The ICO observes that the understanding of cookies amongst the general population remains low. Organisations therefore must ensure that their explanatory information about cookie use is not only "clear and comprehensive" but also "sufficiently full and intelligible" to allow users to understand clearly the consequences of accepting cookies.
The ICO suggests using:
- an identifiable icon. Providers could adopt a unique icon which could be used throughout the website to link to their cookies information.
- blog posts and news headlines. As a short term measure, a posting or news item could draw attention to the website's approach to cookies.
The ICO suggests using:
- consent provisions included in pop-up windows or splash pages. Whilst an easy way to ensure compliance, this approach could impede a user's browsing experience where cookies are set by multiple providers on the same page.
What about technical measures, such as browser settings?
Whilst internet browsers contain settings that allow users to detail their cookie preferences, the ICO has made it clear that browser configurations will not comply with the new law as they are not currently sophisticated enough for website owners to assume that a user's consent has been validly given. This may change as technology evolves and there may also be other technical solutions in time.
What about third party cookies?
The ICO has suggested that third parties and website owners co-operate to obtain user consent (for example, when they contract with each other, clauses obliging the website owner to take steps to obtain consent from the user on behalf of the third party might be included in the contract). It is difficult to see this working in practice, as the website owner would be reluctant to take on this additional responsibility.
What if we get it wrong?
The ICO will be able to issue information notices, binding undertakings, enforcement notices and penalty notices up to a maximum of £500,000.
In practice, the ICO is likely to be reactive rather than pro-active in its approach, responding to complaints that it receives. It simply does not have the resources at its disposal to launch a review of every website.
If it does adopt a pro-active approach, it is likely to have a sector focus or to direct its attention to a few market leaders, in order to set an example. This, though, is likely to come later down the line. The ICO has indicated that its focus initially will be on encouraging and working with businesses to effect the required changes rather than adopting a very strict approach to compliance.
Beware that the ICO will not keep to that approach for very long. Also, indications are that it will take a dim view of organisations which have not already started to think about, and to implement, steps to comply with the new law, in particular simpler steps such as making changes to website terms and conditions, policies or notices.
It's not just cookies!
While we have focused here on cookies, it should be noted that the new law extends to any information stored on or accessible from terminal equipment of a user. It therefore captures any technology capable of storing or accessing such information.
This briefing is written as a general guide only. It is not intended to contain definitive legal advice which should be sought as appropriate in relation to any particular matter.