As reported in June 2011, changes in UK "cookie law" to give pride of place to the privacy of website users were introduced on 26 May 2011. Website owners were given a one year grace period within which to comply. This expires on 26 May 2012, after which the Information Commissioner's Office (the ICO) will start to actively enforce the new law.
So, how do website owners comply with the new law?
What is a cookie?
A cookie is a small text file which a website downloads onto a user's device and which is used to track and record information about the user's behaviour on that website.
How has the law changed?
Prior to the changes, the law required that organisations had to provide clear information to users on how they used cookies and how their users could 'opt out' from cookies if they objected.
The changes require a more pro-active approach to be adopted. Website owners are now expected to obtain a user's prior "informed consent" before cookies can be used lawfully. There is also an obligation to provide "clear and comprehensive information about the purposes of the storage of, or access to, the information" stored by the cookie.
How do you comply with the new law?
The initial guidance issued by the ICO, which we reported on last year, has been updated.
General approach
The ICO has indicated that it wishes to take a pragmatic and sympathetic approach to compliance with the new law, providing organisations with as much "flexibility as possible" to effect solutions which are relevant and proportionate to the cookie use (and how intrusive that use might be) and which meet their own business needs, as well as the expectations of their users.
Cookie Audit
The ICO recommends that organisations perform a "cookie audit" to identify which types of cookies they use, how and for what purpose they are used, and to enable them to weed out any that they no longer need. This will enable a proper assessment of where, how, when and how much information about their use of cookies should be provided to a user - essential if the organisation is to get "informed consent".
Cookie Information
The ICO observes that the understanding of cookies amongst the general population remains low. Organisations therefore must ensure that their explanatory information about cookie use is not only "clear and comprehensive" but also "sufficiently full and intelligible" to allow users to understand clearly the consequences of accepting cookies.
The ICO suggests using:
- prominent links to direct users to a separate webpage providing cookie use information. This should be a page separate from the privacy policy page, with a clear title (for example, "Information about cookies")
- an identifiable icon. Providers could adopt a unique icon which could be used throughout the website to link to their cookies information
- blog posts and news headlines. As a short term measure, a posting or news item could draw attention to the website's approach to cookies.
Cookie Consent
The mechanics used to obtain a user's consent to the use of cookies are also very important. There needs to be a valid, affirmative step taken by the user agreeing to the website's use of the cookie. Strictly speaking, consent must be obtained before the cookie is set. This creates obvious technical difficulties where websites set cookies as soon as a user accesses them.
The ICO suggests using:
- consent provisions included in pop-up windows or splash pages. Whilst an easy way to ensure compliance, this approach could impede a user's browsing experience where cookies are set by multiple providers on the same page
- static information banners displayed prominently on the website. This could provide a dual function by also linking to information about the website's use of cookies
- acceptance of terms and conditions or privacy policy when registering with a website. However, where a user is not new to the website and has previously accepted the terms or policy, simply altering them as a means to obtain consent will not be sufficient, and some additional notice to the user is required
- features and users' settings. It might be possible to obtain a user's consent to the use of cookies when the user makes their choices regarding preferences or functionalities on the website.
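The point that consent must be obtained before a cookie is set, and the difficulty that websites typically set cookies on first access, can be handled in code by gating cookie writes on a consent state. The following is an added illustration, not code from the briefing or the ICO: a consent gate in which strictly necessary cookies are set immediately, every other cookie is queued, and queued cookies are written only for the categories the user has actively chosen. The cookie names, the category names and the in-memory cookie jar (standing in for document.cookie so the code runs outside a browser) are all assumptions made for the example; the COOKIE_AUDIT table stands in for the organisation's own cookie audit.

```javascript
// Added example, not from the original briefing. Cookie names, categories and
// purposes below are assumed for illustration; a real table would come from the
// organisation's own cookie audit.
const COOKIE_AUDIT = {
  session_id:   { category: 'strictly-necessary', purpose: 'keeps the user logged in during a visit' },
  analytics_id: { category: 'analytics',          purpose: 'measures which pages are visited' },
  ad_tracker:   { category: 'advertising',        purpose: 'set on behalf of an advertising partner' },
};

// Tiny in-memory stand-in for document.cookie so the example runs in Node.
function createCookieJar() {
  const store = new Map();
  return {
    set(name, value) { store.set(name, value); },
    get(name) { return store.get(name); },
    names() { return [...store.keys()].sort(); },
  };
}

// Consent gate: only the strictly necessary category is allowed from the start.
// Anything else is deferred until the user has actively chosen that category.
function createConsentGate(jar) {
  const granted = new Set(['strictly-necessary']);
  const deferred = [];
  return {
    // Every cookie write goes through here instead of writing to the jar directly.
    setCookie(name, value) {
      const entry = COOKIE_AUDIT[name];
      if (!entry) throw new Error(`'${name}' is not in the cookie audit; classify it before use`);
      if (granted.has(entry.category)) { jar.set(name, value); return 'set'; }
      deferred.push({ name, value });
      return 'deferred';
    },
    // Called only from the user's affirmative action (e.g. the banner's "Accept" click
    // listing the ticked categories). Silence or a pre-ticked box must not reach here.
    recordConsent(categories) {
      for (const c of categories) granted.add(c);
      // Flush deferred cookies whose category is now permitted; keep the rest queued.
      for (const d of deferred.splice(0)) {
        if (granted.has(COOKIE_AUDIT[d.name].category)) jar.set(d.name, d.value);
        else deferred.push(d);
      }
      return jar.names();
    },
    // Cookies still waiting for consent, useful when reporting on the audit.
    pending() { return deferred.map((d) => d.name).sort(); },
  };
}

// Walk-through: page load sets three cookies, the user then accepts analytics only.
function demo() {
  const jar = createCookieJar();
  const gate = createConsentGate(jar);
  gate.setCookie('session_id', 'abc123');   // 'set' straight away
  gate.setCookie('analytics_id', 'u-42');   // 'deferred'
  gate.setCookie('ad_tracker', 'p-7');      // 'deferred'
  const cookies = gate.recordConsent(['analytics']); // user ticked analytics only
  return { cookies, stillPending: gate.pending() };
}
```

After the user accepts analytics only, the jar holds session_id and analytics_id, while ad_tracker remains queued; because recordConsent is wired solely to the user's click, the affirmative step the ICO asks for is what releases the deferred cookies.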
What about technical measures, such as browser settings?
Whilst internet browsers contain settings that allow users to detail their cookie preferences, the ICO has made it clear that browser configurations will not comply with the new law as they are not currently sophisticated enough for website owners to assume that a user's consent has been validly given. This may change as technology evolves and there may also be other technical solutions in time.
What about third party cookies?
Sometimes when visiting a website, cookies are set by third parties (such as advertisers) who do not normally have a direct relationship with the user. How do they get "informed consent" to their use of cookies?
The ICO has suggested that third parties and website owners co-operate to obtain user consent (for example, when they contract with each other, clauses obliging the website owner to take steps to obtain consent from the user on behalf of the third party might be included in the contract). It is difficult to see this working in practice, as the website owner would be reluctant to take on this additional responsibility.
What if we get it wrong?
The ICO will be able to issue information notices, binding undertakings, enforcement notices and penalty notices up to a maximum of £500,000.
In practice, the ICO is likely to be reactive rather than pro-active in its approach, responding to complaints that it receives. It simply does not have the resources at its disposal to launch a review of every website.
If it does adopt a pro-active approach, it is likely to have a sector focus or to direct its attention to a few market leaders, in order to set an example. This, though, is likely to come further down the line. The ICO has indicated that its focus initially will be on encouraging and working with businesses to effect the required changes rather than adopting a very strict approach to compliance.
Beware that the ICO will not keep to that approach for very long. Also, indications are that it will take a dim view of organisations which have not already started to think about, and to implement, steps to comply with the new law, in particular simpler steps such as making changes to website terms and conditions, policies or notices.
It's not just cookies!
While we have focused here on cookies, it should be noted that the new law extends to any information stored on or accessible from terminal equipment of a user. It therefore captures any technology capable of storing or accessing such information.
Contact us
If you have any queries about the use of cookies and the new law, please contact:
Alison Bryce, Partner, 0141 271 5741, alison.bryce@mms.co.uk
Ross Nicol, Associate, 0141 271 5744, ross.nicol@mms.co.uk
Simon Cosgrove, Associate, 020 7002 8521, simon.cosgrove@mms.co.uk
This briefing is written as a general guide only. It is not intended to contain definitive legal advice which should be sought as appropriate in relation to any particular matter.