Category Archives: Cookie Regulation

New cookie law no longer an issue following an ICO backtrack?

Many people breathed a sigh of relief following the Guardian’s take on last week’s ‘watering down’ by the ICO of the EU regulations affecting the use of cookies by UK websites.  Unfortunately, perhaps as a result of Chinese whispers, the growing consensus seems to be that the European rules do not apply and that sites no longer need to take action.

The previous version of the guidance, seemingly no longer available from the ICO following a quick search, provided, at page 6, that:

“general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent.  As consumer awareness increases over the next few years it may well be easier for organisations to rely on that shared understanding to a greater degree”

The same paragraph suggested that the shared understanding necessary to rely on implied consent is more likely to be achieved ‘if websites make a real effort to ensure information about cookies is made clearly available to their users’.  Notably, the guidance indicated that mentioning cookies in a privacy policy would not be sufficient.

What some people appear to have taken away from the revised note, which elaborates on the above, is that the ‘watered down’ guidance means no action is necessary, because implied consent is suddenly an option.  However, implied consent (as opposed to requiring a visitor to subscribe, to check a box, or to click a button), was already envisaged by the ICO.  In particular, page 16 of the previous guidance explained that, if a notice is displayed asking for permission and the user does not explicitly give it by clicking ‘accept’, instead navigating to another part of the website, then “you might decide that you could set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site”.

While the revised guidance offers some further clarity on this point, and arguably relaxes the language somewhat such that implied consent seems a more viable option, it has not done away with the new requirements.  Specifically, rather than simply allowing users to opt-out of the use of cookies, websites now need opt-in consent.  To infer implied consent, you ought to be sure that visitors actually know you intend to use cookies, and why.  The Guardian, the BBC, BT and a host of other sites have been updated to do this with notices of varying size and prominence which could serve as inspiration for your own site.

If you only mention cookies in your privacy policy, or you have a link to “cookies” in your footer, you are probably not informing visitors well enough to infer consent. That doesn’t mean you need to drop everything and get your web developers on the line right away.  Although the grace period for non-enforcement by the ICO has ended, it is perfectly clear the Commissioner does not intend to adopt a heavy handed approach.  However, you should also not ignore the changes, and it is important to note that, where the new guidance refers to implied consent, it also mentions more than once how “explicit consent might allow for regulatory certainty”.  There are also international considerations to bear in mind, as mentioned in our earlier post.

What is important is to begin working towards compliance.  If you are a small business with scarce resources, then rather than dragging your heels, why not take some time to identify straightforward steps you can action now?  There are WordPress plugins, downloadable JavaScript snippets and a range of other offerings that can help you to quickly demonstrate that you care about keeping your visitors in the loop, and complying with your legal obligations.

How to deal with the new law on cookies

On the 26th of May the grace period granted by the Information Commissioner’s Office (ICO) to comply with laws on cookies ended.  Websites have since been subject to a higher risk of sanctions if they fail to comply.

Before discussing the implications of the new law and how businesses can adhere to it, it is worth explaining what cookies are and why the law takes an interest in them.

Cookies

Cookies are small pieces of information that websites store on visitors’ computers, via the browser, and read back on later requests for a variety of reasons.  For example, a website might store a cookie on your PC so that when you return to that site it can recognise you, so you don’t, for example, need to enter your password again.  Cookies make our experience of sites more convenient.  They are also used to track your activity across pages and visits for marketing analysis purposes.

The aim of the law is to protect people’s online privacy. The ICO’s main concern, noted in ‘Guidance on the rules on use of cookies and similar technologies’, was online tracking of individuals and the use of spyware.

New regulations

So, what do the new rules mean? The regulations build on the previous law laid down in 2003, which required websites to provide visitors with clear and comprehensive information about how and why cookies were being used on a site, and to give users the ability to ‘opt-out’ of cookies being stored on their devices.

The new law means cookies can no longer be stored on a visitor’s device unless the visitor specifically consents in advance, for example by clicking a button, sending an email, checking a box or subscribing to a service.

However, in some cases consent is not strictly necessary. For example, using cookies to remember items in an online shopping basket, for security purposes in online banking, or to help web pages load faster is acceptable.

Still, these exceptions are limited, and the majority of sites have since been obliged to seek explicit consent to use cookies. Examples of common uses of cookies for which sites need consent include web analytics (such as Google Analytics), advertising, and recognising visitors when they return.

A controversial law?

For many, the law is controversial because it can be difficult to implement these measures in a way that does not spoil visitors’ experiences.

A crucial issue, attracting much attention, is that if a site cannot use cookies to remember that a visitor has not given consent to the use of cookies, it may need to keep asking for consent every time a page is loaded.

In response, the ICO has provided a range of examples of how to address this particular issue.  These are on pages 19-25 of the ICO guidance on the new cookies regulations.

The ICO is unlikely to impose colossal fines for first offences or minor breaches. The deputy commissioner has said that enforcement of the law ‘doesn’t mean the ICO is going to launch a torrent of enforcement action’, though the ICO announced it would send out 50 letters to some of the UK’s biggest websites, asking them to demonstrate that they are explicitly asking for users’ consent before using cookies to track behaviour.

Having sent these letters, the ICO intends to wait for users to specifically complain about cookies being used on particular sites before investigating individual organizations.

While only serious breaches of data protection will lead to the maximum fine, the ICO does have the power to accept an undertaking from an organization committing it to take steps towards compliance, to issue an enforcement notice compelling an organization to comply (failure to comply with which is a criminal offence) and, if necessary, for more serious cases, to impose monetary penalties of up to £500,000.

Ensure you have a Privacy Policy

So what can businesses do to ensure their websites comply? First, it is important to find out whether your website uses cookies.  Also, consider whether you can avoid using cookies (the majority of business sites will likely be already using, or might want to use, cookies for the purpose of analytics).

Next, ensure your privacy policy mentions cookies, or if you don’t already have a policy, implement one as soon as possible.

Simply mentioning cookies in your terms may not be enough, because explicit rather than implicit permission is necessary for strict compliance, and for users to see your terms they would need to have loaded your website, by which point a cookie may already have been placed on their device before they were given the option to opt in or out.

Under certain circumstances, the ICO suggests implied consent might be enough, provided a cookie-notice is displayed prominently, but this is a risky approach. Although the UK ICO is taking a pragmatic approach to implementation of the cookie rules, the changes are the result of European legislation, and other countries in the EU where the website is accessible might not be as lenient.
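The two practical problems raised above, that a site which cannot remember a refusal may re-prompt on every page load, and that a cookie is often set before the visitor has had any chance to opt in, are usually solved in the same piece of front-end code. The following is an added example, not code from the original post or from the ICO, of a consent-gated banner: nothing non-essential is set or loaded until the visitor clicks, and the decision (granted or refused) is recorded in a single first-party preference cookie so the banner is not shown again. The cookie name `cookie_consent`, the one-year lifetime and the `/static/analytics.js` loader are assumptions made for the example; whether a cookie that only records the visitor’s consent choice falls within the exemptions is something to confirm against the ICO guidance for your own site.

```javascript
// Added example: consent-gated cookie banner (not from the original post).
// A single first-party cookie records the visitor's decision so the site
// neither re-prompts on every page load nor sets non-essential cookies
// before the visitor has opted in. Cookie name, max-age and the analytics
// script path are assumptions for this example.

const CONSENT_COOKIE = 'cookie_consent';      // assumed cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365;    // one year, in seconds

// Parse a Cookie header / document.cookie string into a plain object.
// The first occurrence of a name wins; malformed pairs are skipped.
function parseCookies(cookieString) {
  const jar = Object.create(null);
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name || name in jar) continue;
    try {
      jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (_) { /* skip a value that is not valid percent-encoding */ }
  }
  return jar;
}

// Returns 'granted', 'refused' or 'unknown'. Any other value (including a
// tampered or stale one) is treated as unknown, so the visitor is asked
// again rather than consent being silently assumed.
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'granted' || value === 'refused' ? value : 'unknown';
}

// Decide what this page load may do. Only an explicit 'granted' loads
// analytics; a remembered 'refused' suppresses both analytics and the banner.
function pageLoadPlan(cookieString) {
  const state = consentState(cookieString);
  return {
    showBanner: state === 'unknown',
    loadAnalytics: state === 'granted',
  };
}

// Attribute string used to persist the decision. Path=/ makes it site-wide,
// SameSite=Lax keeps it out of cross-site requests and Secure is added on
// HTTPS. It is deliberately not HttpOnly: this script must be able to read it.
function consentCookieString(decision, secure) {
  if (decision !== 'granted' && decision !== 'refused') {
    throw new Error('decision must be "granted" or "refused"');
  }
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax`
    + (secure ? '; Secure' : '');
}

// Inject the analytics snippet only after consent (assumed path).
function loadAnalytics() {
  const script = document.createElement('script');
  script.src = '/static/analytics.js';
  document.head.appendChild(script);
}

// Minimal banner with Accept / Decline buttons; either choice is recorded.
function showBanner() {
  const banner = document.createElement('div');
  banner.textContent = 'This site uses cookies for analytics. ';
  for (const decision of ['granted', 'refused']) {
    const button = document.createElement('button');
    button.textContent = decision === 'granted' ? 'Accept' : 'Decline';
    button.onclick = () => {
      document.cookie = consentCookieString(decision, location.protocol === 'https:');
      banner.remove();
      if (decision === 'granted') loadAnalytics();
    };
    banner.appendChild(button);
  }
  document.body.appendChild(banner);
}

// Browser wiring; skipped when the module is loaded outside a browser.
if (typeof document !== 'undefined') {
  const plan = pageLoadPlan(document.cookie);
  if (plan.loadAnalytics) loadAnalytics();
  if (plan.showBanner) showBanner();
}
```

The important property is that the analytics script tag does not exist in the page at all until `pageLoadPlan` reports consent, so no analytics cookie can be written before the visitor has seen the notice. Cookies set by your server (session identifiers, for instance) are outside the reach of this script and need the same review on the server side.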

Every website is different, so businesses need to consider the best way for their particular site to inform visitors about their use of cookies, and obtain consent.

Unfortunately, it can be difficult to avoid spoiling the user experience for visitors who decline cookies. So it is important to work with web designers to develop an acceptable solution, and cookie consent should be a key design consideration if you are having a new site built.  The Guardian recently updated their site with the below notice, but your site may merit a different approach:

Image of a cookie banner

The focus of the ICO is likely to be on big business, so it need not be a significant concern if you have not yet addressed the changes on your site.  This is especially true where you make judicious use of cookies, given that we expect smaller businesses to be targeted by the ICO only if they receive complaints.  Still, this is not a good reason to ignore the issue.

Legal advice should be taken as early as possible, to ensure the solution for you works both from a legal and branding perspective, and avoids damage to reputation due to poor user experience.  Similarly, you want to avoid investigation or sanction for a breach of rules designed to protect visitors.

Although in future compliance might be made easier by browser integration of cookie consent settings, for now a more creative solution is necessary.
