On the 26th of May the grace period granted by the Information Commissioner’s Office (ICO) to comply with laws on cookies ended. Websites have since been subject to a higher risk of sanctions if they fail to comply.
Before discussing the implications of the new law and how businesses can adhere to it, it is worth explaining what cookies are and why the law takes an interest in them.
Cookies are pieces of information that websites store and access on visitors’ computers for a variety of reasons. For example, a website might store a cookie on your PC so that when you return to that site it can remember you, and you do not need to enter your password again. Cookies make our experience of sites more convenient. They are also used to track your activity for marketing analysis purposes.
So, what do the new rules mean? The regulations build on the previous law laid down in 2003, which required websites to provide visitors with clear and comprehensive information about how and why cookies were being used on a site, and to give users the ability to ‘opt-out’ of cookies being stored on their devices.
The new law means cookies can no longer be stored on a visitor’s device unless the visitor specifically consents in advance, for example by clicking a button, sending an email, checking a box or subscribing to a service.
However, in some cases consent is not strictly necessary. For example, using cookies to remember items in an online shopping basket, for the purposes of security in online banking, or to help webpages load faster is acceptable.
A controversial law?
For many, the law is controversial because it can be difficult to implement these measures in a way that does not spoil visitors’ experiences.
In response, the ICO has provided a range of examples of how to get around this particular issue. These are on pages 19-25 of the ICO guidance on the new cookies regulations.
The ICO is unlikely to impose colossal fines for first offences or minor breaches. The deputy commissioner has said that enforcement of the law ‘doesn’t mean the ICO is going to launch a torrent of enforcement action’, though the ICO announced it would send out 50 letters to some of the UK’s biggest websites, asking them to demonstrate that they are explicitly asking for users’ consent before using cookies to track behaviour.
Having sent these letters, the ICO intends to wait for users to specifically complain about cookies being used on particular sites before investigating individual organizations.
While only serious breaches of data protection will lead to the maximum fine, the ICO does have the power to commit an organization to taking steps towards compliance, to compel an organization to comply (failure to do so would be a criminal offence) and, if necessary in more serious cases, to impose fines of up to £500,000.
Simply mentioning cookies in your terms may not be enough: strict compliance requires explicit rather than implicit permission, and a visitor can only read your terms once your website has loaded, by which point a cookie may already have been placed on their device before they were given any option to opt in or out.
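As an added illustration (not code from the original article), the ordering problem just described can be checked in code: a small consent gate that allows only the strictly necessary categories mentioned above before an explicit opt-in, refuses everything else, and flags any non-essential cookie that was already present when consent arrived. The in-memory jar stands in for document.cookie so it runs outside a browser; the category names, the list of explicit actions and the sample cookie are assumptions made for this example.

```javascript
// Categories treated as strictly necessary (assumed names, modelled on the
// article's examples: basket, online-banking security, faster page loads).
const ESSENTIAL = new Set(["basket", "security", "performance"]);
// Actions that count as explicit consent; "continued browsing" is not one.
const EXPLICIT_ACTIONS = new Set(["button", "checkbox", "subscribe", "email"]);

// jar: Map of cookieName -> { value, category }; a stand-in for document.cookie.
function createConsentGate(jar = new Map()) {
  let consent = null;   // stays null until an explicit opt-in is recorded
  const blocked = [];   // non-essential cookies refused before consent

  const nonEssentialNames = () =>
    [...jar].filter(([, c]) => !ESSENTIAL.has(c.category)).map(([n]) => n);

  return {
    // Record consent only for an explicit action; returns false otherwise.
    grantConsent(via) {
      if (!EXPLICIT_ACTIONS.has(via)) return false;
      // Anything non-essential already in the jar was placed before opt-in,
      // which is exactly the situation the article warns about.
      consent = { via, at: Date.now(), placedBeforeConsent: nonEssentialNames() };
      return true;
    },
    // Essential cookies are always allowed; others only once consent exists.
    setCookie(name, value, category) {
      if (ESSENTIAL.has(category) || consent !== null) {
        jar.set(name, { value, category });
        return true;
      }
      blocked.push({ name, category });
      return false;
    },
    // Compliance view: which non-essential cookies exist without consent
    // (or were present before it), and what the gate refused.
    audit() {
      return {
        consented: consent !== null,
        findings: consent ? consent.placedBeforeConsent.slice() : nonEssentialNames(),
        blocked: blocked.slice(),
      };
    },
  };
}

// Constructed scenario: the server already set a tracking cookie on first load.
const preloaded = new Map([["_analytics", { value: "abc123", category: "tracking" }]]);
const gate = createConsentGate(preloaded);
```

In a browser the same gate would wrap the code path that writes document.cookie, so the audit result can be surfaced during testing before a site goes live.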
Under certain circumstances, the ICO suggests implied consent might be enough, provided a cookie notice is displayed prominently, but this is a risky approach. Although the UK ICO is taking a pragmatic approach to implementation of the cookie rules, the changes are the result of European legislation, and other EU countries where the website is accessible might not be as lenient.
Unfortunately, it can be difficult to avoid spoiling the user experience for visitors who decline cookies. So it is important to work with web designers to develop an acceptable solution, and cookie consent should be a key design consideration if you are having a new site built. The Guardian recently updated their site with the below notice, but your site may merit a different approach:
Legal advice should be taken as early as possible, to ensure the solution works for you from both a legal and a branding perspective, and avoids damage to reputation through poor user experience. Similarly, you want to avoid investigation or sanction for a breach of rules designed to protect visitors.
Although in future compliance might be made easier by browser integration of cookie consent settings, for now a more creative solution is necessary.