- ICO issues new guidance the day before the end of the moratorium on enforcing the new cookie rules.
- This guidance suggests that implied consent (opt-out) may be a good enough solution.
What are cookies?
Website cookies can allow a user to navigate a website efficiently and can add additional functionality to websites. They can also allow websites to track visitors and can be utilised by advertisers to target ad campaigns. This is all made possible by placing a cookie (a small data file) on your hard drive and allowing the website (or a third party) to access it.
How has the law changed?
On 26 May 2011, the UK updated its law relating to electronic communications (which includes cookies) via the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
These changes to the law were instigated by the EU Commission via its 2009 ePrivacy Directive. The ICO announced in May 2011 that they would give most websites a year’s amnesty in which to adapt to the changes in the law. This amnesty ended on Saturday 26th May 2012.
Opt-in or Opt-out?
Initially, the Information Commissioner’s Office (ICO) guidance indicated that consent had to be express (i.e. opt-in). However, 11th hour guidance released on Friday May 25th suggests that implied consent (i.e. opt-out) may be appropriate most of the time.
The usual profile of a website’s users will also be important when deciding on an appropriate method for achieving compliance. For example, a website designed for young children may require an opt-in approach to obtaining consent to cookies, but it’s likely that a website designed for adults which provides detailed and accessible information about its cookies could rely on an opt-out approach.
What are other website owners doing?
Throughout 2012, more and more websites have started to include more detailed information about cookies in more prominent positions on their pages.
Some public sector websites are tending to take a more cautious approach by seeking to obtain prior consent to cookies on an express basis (opt-in).
The vast majority of websites have made no visible changes. It’s possible that some websites have stopped using cookies altogether, although this is fairly unlikely. There are several examples of the changes to websites that we have seen at the end of this note.
What should a website owner do?
The ICO has made it clear that it will enforce this new law, so website owners cannot ignore it. We recommend you do the following:
Perform an Audit
The first task is to perform an audit of the cookies you use. The ICO has stated that its approach to enforcement will relate, to an extent, to the intrusiveness of cookies that are used on websites. The more intrusive a cookie is in terms of data it collects and stores, the more onus there will be on the website owner to ensure compliance with the new rules. There is also a distinction made between first and third party cookies. First party cookies will be placed by the website owner and third party cookies will be placed by a third party (such as an advertiser). Third party cookies are generally seen as more intrusive.
If you don’t need the more intrusive cookies, get rid of them.
Consider the Exemption
There is an exemption to the new rules that applies to cookies which are “strictly necessary”. This exemption will be very strictly interpreted. The ICO has indicated it will only apply to cookies which result from a user’s explicit request. For example, adding an item to a shopping basket usually results in the use of a cookie to remember the item has been placed in the basket until the user is ready to pay. The ICO’s guidance makes it clear that this exemption will not be extended to analytical cookies (such as Google Analytics). However, it also states that provided users are informed about the use of analytical cookies, the ICO is unlikely to prioritise any regulatory action against their use without sufficient consent.
If you can operate a website using only “strictly necessary” cookies, you can tick the compliance box.
How to comply
Full compliance with the new rules requires you to:
- provide users with comprehensive information about the cookies you use; and
- gain a user’s consent to such use.
You now need to be able to show that you have at least started to work towards full compliance. The easier of the two requirements above is the information requirement. You need to prepare a cookie information section for your website that provides, as a minimum, the following information in relation to each cookie:
- name or type of cookie;
- 1st or 3rd party cookie;
- what it is used for;
- how long it is used for;
- what data is stored/accessed; and
- is there any link to the identity of a user.
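As an added example that is not part of the original note, the Python script below builds the per-cookie audit rows described under “Perform an Audit” and in the list above (name, 1st or 3rd party, lifetime, data stored) from Set-Cookie headers observed while loading a site; it assumes a site domain of example.co.uk and uses constructed sample headers, and it leaves purpose and the link to a user’s identity for the site owner to fill in.

```python
# Added example (not part of the original note): builds per-cookie audit rows from Set-Cookie headers.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SITE_DOMAIN = "example.co.uk"  # assumed site under audit
AUDIT_DATE = datetime(2012, 5, 26, tzinfo=timezone.utc)  # day the amnesty ended

# Constructed sample: (host that sent the header, Set-Cookie header value).
OBSERVED = [
    ("www.example.co.uk", "basket=item42; Path=/; HttpOnly"),
    ("www.example.co.uk", "_ga=GA1.2.123456.1337; Domain=.example.co.uk; Max-Age=63072000; Path=/"),
    ("ads.adnetwork.example", "uid=abc123; Expires=Wed, 26 May 2032 00:00:00 GMT; Path=/; Secure"),
]

def is_first_party(sending_host, cookie_domain, site_domain):
    """1st party if the cookie is scoped to the site itself or one of its subdomains."""
    scope = (cookie_domain or sending_host).lstrip(".").lower()
    site = site_domain.lower()
    return scope == site or scope.endswith("." + site)

def lifetime_seconds(morsel, now):
    """Max-Age takes precedence over Expires; neither means a session cookie (None)."""
    if morsel["max-age"]:
        return int(morsel["max-age"])
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None

def audit_cookies(observed, site_domain=SITE_DOMAIN, now=AUDIT_DATE):
    """One audit row per cookie; purpose and identity link still need a human."""
    rows = []
    for host, header in observed:
        jar = SimpleCookie()
        jar.load(header)
        for name, m in jar.items():
            party = "1st" if is_first_party(host, m["domain"], site_domain) else "3rd"
            life = lifetime_seconds(m, now)
            rows.append({
                "name": name, "party": party, "data_stored": m.value,
                "lifetime_seconds": life,  # None = session cookie
                "flags": [f for f in ("secure", "httponly") if m[f]],
                # Assumed triage order following the note: 3rd party is most intrusive,
                # then persistent 1st party, then session-only 1st party.
                "priority": "high" if party == "3rd" else ("medium" if life else "low"),
                "purpose": "TODO", "identifies_user": "TODO",  # owner must fill these in
            })
    return rows
```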
As mentioned above, the latest ICO guidance suggests that implied consent may well be acceptable in more circumstances than the previous guidance had suggested. The key issue is that to be valid, implied consent needs to be “specific and informed”.
This means you cannot rely on doing nothing and argue that a user gives implied consent to cookie use simply by visiting your website. The ICO states that you have to ensure that “clear and relevant information is readily available to users explaining what is likely to happen while the user is accessing the site and what choices the user has in terms of controlling what happens.”
The ICO also states that you should view implied consent as coming out of a shared understanding between websites and users. The more users see prominent notices giving clear and relevant information about cookies, the more they will develop an understanding of cookie use, and the more likely it will be that a website owner can rely on implied consent.
Examples of websites seeking to rely on implied consent:
The following picture shows a banner running across the top of a website. It has a link that allows users to obtain information about cookies, a link on how to control cookies and a button to stop the banner being shown again. This is an example of an implied consent approach.
The website owner is relying on implied consent from the user’s actions of either the user’s continued use of the website, or clicking “Don’t show this again”.
Example 2 below follows the same approach as example 1, but the notice is further down the page and the wording of the notice is more explicit in saying that continued use implies consent.
This is a further example of a website using the implied consent approach.
The following picture is another variation, however on clicking the “Cookie Consent” button in the bottom right corner, the user is provided with a dashboard from which cookie use is fully customizable.
The ICO has made it clear it will enforce the new rules. However, it has also suggested that it will take a reactive approach (i.e. reacting to complaints). It has also suggested that its approach to enforcement will be proportionate to the efforts the website owner has made, taking into account the relative invasiveness of the cookies you have used.
The ICO will generally look to gain your compliance first. It may subsequently look to use enforcement notices, and it can always then move on to fines (up to £0.5m), although again the ICO has stated that it sees fines as an unlikely outcome of non-compliance with these new rules.
From the above, website owners should take the following messages:
- Work out what cookies you need and don’t need;
- Do the information bit well and do it now;
- Look at consent options – implied may well do the job;
- Keep an eye on how things develop.