The law on cookies changed on 26 May 2011. However, the new law was only passed by Parliament three weeks beforehand so website operators had little time to work out what changes needed to be made and how to implement them.
Because of this, Christopher Graham, the UK’s Information Commissioner (ICO), confirmed that he would allow a grace period of one year for businesses to comply with the new regulation. However, at the same time he has warned that this does not mean that businesses can ignore the issue for a year: “We’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
This briefing note looks at what the change in the law means, and what website owners should be doing to comply with the change.
Previous legal position
The Regulation provides (paraphrasing) that a person shall not store information, or gain access to information stored, in the equipment of a user unless the user:
- is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
- is given the opportunity to refuse the storage of or access to that information.
The Regulation does not specify how this information should be provided. Up to now, a privacy or cookies policy on the website, setting out information about the existence of cookies, has been regarded as sufficient.
Furthermore, the Regulation does not specify how users can refuse a cookie. Up to now, the requirements have been met simply by providing information as to how a user may configure his or her browser, as browsers have customizable settings to enable the user to set generic cookie preferences.
The Regulation affects all cookies and similar tracking devices such as web beacons. It applies to “session” cookies (which do not retain any data from one visit to a website to the next) and to “persistent” cookies (which enable a website to remember you on subsequent visits).
The Regulation also applies to any “information” – even if the user cannot be identified from it – and not just to “personal data”. Where a cookie involves personal data, then the requirements of the Data Protection Act will apply in addition to the Regulation.
Some cookies are more invasive from a privacy perspective than others. For example, a third party cookie that tracks a user’s browsing over multiple websites so as to deliver targeted behavioural advertising is more sensitive from a privacy perspective than a cookie that simply enables a website to generate statistics about its usage. Nevertheless, the Regulation applies equally to all cookies.
The main change to the Regulation is that a cookie may only be used if users have given their consent, having been provided with clear and comprehensive information about the purpose of the cookie.
Coinciding with this amendment, the enforcement powers of the ICO have been increased. The ICO can now impose fines up to £500,000 for serious breaches of the Regulation.
While it sounds reasonable to suggest that users should consent to a cookie, in reality it can be difficult to get consent.
The central issue, therefore, is how consent can be obtained in a manner which will be compliant with the amended Regulation.
The only exemption, where consent is not required, is where the cookie is “strictly necessary” to provide a service explicitly requested by the user. This exemption is limited in scope because “strictly necessary” means that the use of the cookie has to be essential, rather than desirable or reasonably necessary. The exemption could apply to cookies for shopping baskets, which are strictly necessary to complete a purchase the user is making, but would not apply to cookies for (for example) advertising, which is not “explicitly requested” by the user.
The ICO has acknowledged that obtaining consent can be challenging and has issued some preliminary guidance setting out some options.
- Audit: The first step for website owners is to carry out an audit to assess what cookies they use and the purposes of each. Where third party cookies are used – for example, cookies set by affiliate networks used for targeted behavioural advertising – the situation is more complicated; the website owner will need to work with the third party to ensure that appropriate information is provided to users and to ensure that cookies are served only once accepted.
Inevitably, the method that is chosen for eliciting consent will affect the user experience.
- Pop-ups: Although pop-up boxes are a way of obtaining consent, they are disruptive and may deter users. Also, many users opt-out of pop-ups.
- Registration / T&Cs: For websites that register users, consent can be sought in the terms and conditions to which the user will agree, provided that clear and comprehensible information is provided. Meanwhile, cookies should not be served to users who have not given consent.
- Website settings: Consent through website settings is a good option for websites where users can manipulate their privacy settings at a granular level, enabling the website to personalize the site to the user.
- Banner: Using a banner or prompt on the page to solicit consent may be a simple and convenient option for many websites. Seeking to lead by example, the following notice appears on the ICO website:
- “I accept cookies from this site.”
The non-essential cookies are not served to the user, unless and until the user ticks the “accept” box when the cookies are served and the notice is cleared from the page.
Consent through browser settings
Although the Regulation states that consent may be signified by setting controls on the browser or other application, current guidance is that it is not sufficient to rely on browser settings to infer consent. This is because browser software is not sufficiently sophisticated to enable users to manage cookies individually. Users cannot be deemed to have consented to a specific cookie simply because they do not change default browser settings or because they make generic changes to settings so as to accept certain types of cookies in bulk.
The government is working with browser manufacturers to develop settings which would meet the requirements of the Regulation. However, this is likely to take some considerable time to develop and, once developed, roll out. Moreover, websites can be accessed from multiple platforms and versions; for the immediate future, it is likely that websites will have to obtain consent in some other way.
The way forward
It is easy to be critical about the haphazard way in which this legislation has been introduced. However, there is no escaping that businesses must take steps to comply and not rely on the grace period. There are good business reasons to do so. Consumers are increasingly concerned about the privacy of their personal information and are suspicious of technologies that track their online behaviour. Corporate reputations and goodwill can be seriously damaged if a business falls short of privacy standards. Businesses that take privacy seriously can build trust by demonstrating good corporate governance and have much to gain.