The law on cookies changed on 26 May 2011. However, the new law was only passed by Parliament three weeks beforehand so website operators had little time to work out what changes needed to be made and how to implement them.
Because of this, Christopher Graham, the UK’s Information Commissioner (the “ICO”), confirmed that he would allow a grace period of one year for businesses to comply with the new regulation. At the same time, however, he warned that this does not mean that businesses can ignore the issue for a year: “We’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
This briefing note looks at what the change in the law means, and what website owners should be doing to comply with the change.
Previous legal position
The use of cookies is regulated by the Privacy and Electronic Communications Regulations which came into force in 2003 implementing an EU Directive (the “Regulation”).
The Regulation provides (paraphrasing) that a person shall not store information, or gain access to information stored, in the equipment of a user unless the user:
The Regulation does not specify how this information should be provided. Up to now, a privacy or cookies policy on the website, setting out information about the existence of cookies, has been regarded as sufficient.
Furthermore, the Regulation does not specify how users can refuse a cookie. Up to now, the requirements have been met simply by providing information as to how a user may configure his or her browser, as browsers have customisable settings that enable the user to set generic cookie preferences.
Cookies
The Regulation affects all cookies and similar tracking devices such as web beacons. It applies to “session” cookies (which do not retain any data from one visit to a website to the next) and to “persistent” cookies (which enable a website to remember you on subsequent visits).
The Regulation also applies to any “information” – even if the user cannot be identified from it – and not just to “personal data”. Where a cookie involves personal data, then the requirements of the Data Protection Act will apply in addition to the Regulation.
Some cookies are more invasive from a privacy perspective than others. For example, a third party cookie that tracks a user’s browsing over multiple websites so as to deliver targeted behavioural advertising is more sensitive from a privacy perspective than a cookie that simply enables a website to generate statistics about its usage. Nevertheless, the Regulation applies equally to all cookies.
The change
The main change to the Regulation is that a cookie may only be used if users have given their consent, having been provided with clear and comprehensive information about the purpose of the cookie.
In essence, this is a move from an “opt-out” to an “opt-in” approach. Whereas previously it was sufficient for websites to notify users of the use of cookies and provide information about how these could be disabled through browser settings, the new requirements are more extensive.
Coinciding with this amendment, the enforcement powers of the ICO have been increased. The ICO can now impose fines up to £500,000 for serious breaches of the Regulation.
Consent
While it sounds reasonable to suggest that users should consent to a cookie, in reality it can be difficult to get consent.
Under data protection laws, consent must be “freely given, specific and informed”. In other words, the user needs to know exactly how the data concerning his or her browsing habits are to be collected, analysed, stored and used. While this can be explained in the website’s terms and conditions or privacy policy, inevitably these documents are detailed, legalistic and complex. Most consumers do not read them, or only do so superficially, and that can hardly be a basis for informed consent.
The central issue, therefore, is how consent can be obtained in a manner which will be compliant with the amended Regulation.
Exemption
The only exemption, where consent is not required, is where the cookie is “strictly necessary” to provide a service explicitly requested by the user. This exemption is limited in scope because “strictly necessary” means that the use of the cookie has to be essential, rather than merely desirable or reasonably necessary. The exemption could apply to cookies for shopping baskets, which are strictly necessary to complete a purchase the user is making, but would not apply to, for example, advertising cookies, since advertising is not something the user has “explicitly requested”.
Guidance
The ICO has acknowledged that obtaining consent can be challenging and has issued some preliminary guidance setting out some options.
Inevitably, the method that is chosen for eliciting consent will affect the user experience. One of the options in the guidance is a notice on the page, accompanied by a tick box:
“On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.”
- [ ] “I accept cookies from this site.”
The non-essential cookies are not served to the user unless and until the user ticks the “accept” box, at which point the cookies are served and the notice is cleared from the page.
Although the Regulation states that consent may be signified by setting controls on the browser or other application, current guidance is that it is not sufficient to rely on browser settings to infer consent. This is because browser software is not sufficiently sophisticated to enable users to manage cookies individually. Users cannot be deemed to have consented to a specific cookie simply because they do not change default browser settings or because they make generic changes to settings so as to accept certain types of cookies in bulk.
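The two points above (non-essential cookies held back until the box is ticked, and browser defaults not counting as consent) translate into a small piece of site logic. The following is an added example written for this note, not code from the briefing or from the ICO; the cookie names, purposes and the `'tickbox'` / `'browser-default'` consent sources are assumptions, and a `Map` stands in for `document.cookie` so the logic runs in Node without a browser.

```javascript
// Added example (not from the briefing or the ICO): a consent gate modelled on
// the tick-box notice described above. Cookie names and purposes are
// hypothetical; a Map stands in for document.cookie.

const COOKIE_CATALOGUE = {
  // Strictly necessary: essential to a service the user explicitly requested
  // (the briefing's shopping-basket case), so exempt from consent.
  basket:         { purpose: 'remembers the items in your shopping basket', strictlyNecessary: true },
  cookie_consent: { purpose: 'records whether you accepted non-essential cookies', strictlyNecessary: true },
  // Non-essential: held back until the user ticks the box.
  analytics_uid:  { purpose: 'lets us generate statistics about how the site is used', strictlyNecessary: false },
  ad_profile:     { purpose: 'tracks browsing across sites to target advertising', strictlyNecessary: false },
};

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;            // name -> value; stands in for document.cookie
    this.pending = new Map();  // non-essential cookies requested before consent
  }

  hasConsent() { return this.jar.get('cookie_consent') === 'accepted'; }

  // Site code calls this whenever it wants to set a cookie. Cookies not in the
  // catalogue are refused outright, because the notice could not describe
  // their purpose. Returns 'set' or 'deferred'.
  setCookie(name, value) {
    const entry = COOKIE_CATALOGUE[name];
    if (!entry) throw new Error(`cookie "${name}" is not in the catalogue`);
    if (entry.strictlyNecessary || this.hasConsent()) {
      this.jar.set(name, value);
      return 'set';
    }
    this.pending.set(name, value);
    return 'deferred';
  }

  // Consent counts only when it comes from an affirmative act on the notice.
  // A browser's default settings, or the user leaving them unchanged, are not
  // consent under the guidance, so any other source is rejected.
  recordConsent(source) {
    if (source !== 'tickbox') return false;
    this.jar.set('cookie_consent', 'accepted');
    for (const [name, value] of this.pending) this.jar.set(name, value);
    this.pending.clear();
    return true;
  }

  // Withdrawal: drop the consent record and purge every non-essential cookie.
  withdrawConsent() {
    this.jar.delete('cookie_consent');
    for (const name of [...this.jar.keys()]) {
      if (!COOKIE_CATALOGUE[name].strictlyNecessary) this.jar.delete(name);
    }
  }

  // Text for the notice: one line per cookie with its purpose, so the
  // information is clear and comprehensive. Null once consent is recorded,
  // which is the cue to clear the notice from the page.
  noticeText() {
    if (this.hasConsent()) return null;
    const lines = Object.entries(COOKIE_CATALOGUE).map(([name, e]) =>
      `${name}: ${e.purpose}${e.strictlyNecessary ? ' (essential)' : ''}`);
    return ['This site uses cookies.', ...lines, '[ ] I accept cookies from this site.'].join('\n');
  }
}

// Walk-through of a first visit: the basket cookie is set at once, the two
// tracking cookies are deferred, a browser default is ignored, and ticking the
// box releases the deferred cookies.
function demo() {
  const gate = new ConsentGate();
  const results = [
    gate.setCookie('basket', 'item=42'),
    gate.setCookie('analytics_uid', 'u-123'),
    gate.setCookie('ad_profile', 'p-9'),
  ];
  const acceptedFromBrowserDefault = gate.recordConsent('browser-default');
  const acceptedFromTickbox = gate.recordConsent('tickbox');
  return { results, acceptedFromBrowserDefault, acceptedFromTickbox, jar: Object.fromEntries(gate.jar) };
}

console.log(demo());
```

The design choice worth noting is that the consent record is itself a strictly necessary cookie: without it the site could not honour the user's decision on the next page load, which is exactly the kind of service the user has explicitly requested by ticking the box.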
The government is working with browser manufacturers to develop settings which would meet the requirements of the Regulation. However, this is likely to take some considerable time to develop and, once developed, roll out. Moreover, websites can be accessed from multiple platforms and versions; for the immediate future, it is likely that websites will have to obtain consent in some other way.
The way forward
It is easy to be critical about the haphazard way in which this legislation has been introduced. However, there is no escaping that businesses must take steps to comply and not rely on the grace period. There are good business reasons to do so. Consumers are increasingly concerned about the privacy of their personal information and are suspicious of technologies that track their online behaviour. Corporate reputations and goodwill can be seriously damaged if a business falls short of privacy standards. Businesses that take privacy seriously can build trust by demonstrating good corporate governance and have much to gain.