New Guidance on Cookies

Mairead McKenna
Director
McKenna Hughes Ltd
Blogger


The Information Commissioner's Office ("ICO") has recently published further guidance on the implementation of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. We take a look at the guidance and summarise the key messages for businesses.
Background
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Regulations") cover the use of cookies and other similar technologies for storing and accessing information on a person's computer or mobile. In May 2011 the UK Government introduced an amendment to the Regulations. The main change introduced in the amendment required that users or subscribers to a website must consent to the use of a cookie before the cookie is activated.
What do I need to do?
Whilst there is an acknowledgement amongst law enforcers that implementing the rules will require considerable work, this will not constitute a reason for not complying with the new law. As of May 2012 website owners will be required to ensure that consent is obtained from users to the use of cookies. The guidance is very clear that "those setting cookies must -
•tell people that the cookies are there,
•explain what the cookies are doing, and
•obtain their consent to store a cookie on their device." (ICO Guidance 13 Dec 2011).
What is very clear is that you must ensure that information about the use of cookies on your site is prominent and clear to the user. This can be achieved by positioning the hyperlink to a Privacy Policy in a more prominent location at the top of the page and highlighting this. For example, "Read about how we use cookies" could be displayed in the top right-hand corner of the page, containing an embedded link to the Privacy Policy or Terms and Conditions which contain more detail about the cookies.
Exceptions
The Regulations cover both persistent and session cookies; however, cookies which are "for the sole purpose of carrying out the transmission of a communication over an electronic communications network" or which are "strictly necessary for the provision of an information society service by the subscriber or user" are excluded from the requirement to obtain consent. This means that cookies such as those which remember what a user has put in the shopping basket would be considered to be "strictly necessary" and exempt from the requirement to obtain consent. The following types of cookies are likely to fall within the exception:
•cookies used to remember what a buyer has placed in their shopping basket
•cookies used with online banking services which provide security in order to comply with the seventh data protection principle
•cookies which help to ensure that content is loaded quickly.
How do I obtain consent?
There are a number of ways in which you could obtain user consent to the use of a cookie. Which method you use will largely depend on how your site is configured and which cookies you deploy. Examples of ways in which consent may be obtained include:
•Pop ups or splash pages.
•Specific consent to Terms and Conditions which include a clear statement on the use of cookies.
•Settings led consent. You could obtain the user's consent up front to the use of cookies to remember preferences.
•Features led consent. This can be achieved at the time the user has to click on the link or switch on the feature e.g. using a video.
Can I rely on a User's Browser Settings?
In time, you may well be able to rely on the user's browser settings as a way to satisfy yourself that consent has been given. At present, however, most browser settings are not sophisticated enough to rely on this mechanism. The Government is working with major browser manufacturers to establish which browser settings will be available and when.
Third Party Cookies
If you display content from a third party on your website (e.g. an advertisement or a video service) then you will need to ensure that information is provided to the user about the cookies which may be used by the third party. This information can either be provided by you or the third party. It is therefore important that you establish this upfront with the third party.
What if I do nothing?
The ICO has given businesses a lead-in time of 12 months in order to achieve compliance (i.e. until May 2012). After this time it will follow up complaints made by users and take enforcement action where appropriate. In the first instance it will contact the website owner to discuss the complaint. The ICO has a number of remedies which are open to it including the imposition of monetary penalties of up to £500,000.
