Roxburgh Milkins

A version of this article first appeared on AccountingWeb and can be found here (you will need to register to view this on AccountingWeb) 

In this article we take a look at the due diligence process on the sale of a business.  Most of you will be familiar with what due diligence is and many of you will appreciate that it is often a difficult process from which many buyers and sellers struggle to derive value.  We consider how it should be approached and give some tips for surviving it.

Is due diligence inevitable?
Any prospective buyer of a business should want to be as sure as possible that the business is worth what they are paying for it.  It’s therefore understandable that they will want to kick the tyres and carry out some investigations into the business, its assets and people.

If you want to sell your business it is possible that you will find a buyer who is willing and has the money to just write a cheque without doing due diligence.  However, especially in these economically difficult times, buyers like this will be few and far between.

We often find that even if some people on the buying side are willing to proceed with minimal due diligence (perhaps a director who is championing the deal at a commercial level) often they are unable to do so because others (funders, shareholders, the main board) require thorough due diligence.  So don’t just accept at face value any assertion that due diligence will be ‘light touch’ or ‘limited’ – make sure all stakeholders on the buying side agree with this.

What the reality of due diligence often is
Due diligence can certainly be a painful process for buyers and sellers alike: it can consume a lot of time and result in high professional fees.  We have been involved in plenty of deals where this has created friction between the parties: – “why is your lawyer/accountant asking this irrelevant question – can’t we just get on and sign the deal?”,“why is it difficult to provide this basic information which you should have at your fingertips?”.

In addition, it’s a common complaint that the only persons who receive value from the due diligence process are the professional advisers who conduct it, with the sellers, buyers and target business having got little of genuine use from the process.

Collaboration not confrontation
Sellers should assume from the outset that any buyer is going to want to investigate every element of the business and will only proceed if it has all the information that it needs. If a seller does this then his interests are likely to be aligned with those of the buyer: they both have the aim of all relevant information being in the open.

A buyer who is invited to see everything about a business is likely to have confidence that the seller has nothing to hide and, as a result, trust between the parties should grow.  In contrast, if you have a seller who is unwilling or unable to provide information the opposite is likely to happen and it may actually mean that a buyer feels it needs to conduct more thorough due diligence.

Cracking old chestnuts
Sellers are sometimes tempted to assume that a buyer won’t find out or won’t be bothered about a particular issue.  Sometimes this turns out to be right but, if it isn’t,  the consequences can be significant – the buyer can decide not to proceed or the deal terms can change significantly.

From a legal perspective, we find that the same issues come up time and time again which cause problems in due diligence.  Often these issues are ignored or overlooked until late in the sale process.  When this happens, mistrust between the parties can creep in and renegotiation of deal terms and price reductions become much more likely.  Whereas, if the issues are identified and dealt with up front it is often possible for them to be resolved in a way which does not disrupt the deal process or terms.

Examples of these types of issues include:

• inadequate documentation for customer and supplier contracts
• inappropriate employment contracts for key members of staff
• for intellectual property rich businesses (such as those that develop software) inadequate evidence that the business owns/has the right to use intellectual property
• dilapidations liabilities on leasehold properties which have not been provided for
• irregularities with share capital, where legal formalities have not been complied with.

Five tips for surviving due diligence for sellers

Assume it will take time and be comprehensive. If sellers start with this mindset then they can prepare accordingly and are less likely to be frustrated.

Put yourself in the buyer’s shoes.  A seller should ask itself what questions a buyer is likely to ask and make sure that these questions can be answered.

Get organised early. Prepare early, well before potential purchasers are approached.

Resource it.  Assume due diligence will take time and then work out who is going to be responsible for fielding the different questions that will come in.

Present solutions.  If there is a problem area, either resolve it or present a solution at the outset.

Roxburgh Milkins advised the shareholders of Bath-based property management company Touchstone, a longstanding client, on its recent sale to Places for People. 

Paladin Group, Touchstone’s parent company, was acquired by Places for People in a deal valued at £15.9m. It also saw the exit of NVM Private Equity, which backed Touchstone in 2006.

Roxburgh Milkins worked closely with Tim Saunders, the chief executive of Touchstone, who offers his thoughts here on a two-year journey – and some tips for others preparing to embark on the same process.

How much time should people allow in planning for a sale?

TS: We started two years out. Our private equity investors obviously needed to exit at some stage but we wanted to manage the process according to our timetable. Other factors were the desire to capitalise on positive market sentiment and also to correlate the completion timetable with that of the financial year, not drifting beyond Christmas 2012.

We spent the first 18 months on ‘tidying up’ the business. That meant stripping away those few parts not functioning particularly well or that did not really fit – anything which might put off potential buyers.

The last six months began with signing off a marketing strategy, then with preparing and issuing the information memorandum. We also set a planned exit date of 16 November. 

There were management meetings from late August with people who made offers in the right ballpark and we entered into exclusivity with Places for People at the end of September. That left us with six weeks to complete – and we hit our target exit date to the very day.

Who were your advisers and how did you manage them?

TS: I combined the roles of chief executive and finance director so I drove the process. 

I have had a 15-year association with Bruce Roxburgh, so Roxburgh Milkins handled the legal matters, while Deloittes were corporate finance lead adviser, also researching the market and co-ordinating inquiries. I’ve dealt with them for seven years. I trust them both.

By the time we were in the ‘exclusivity’ stage, with a willing buyer and a willing seller, my instructions then were simply: ‘Don’t mess up.’ My job was to read the documentation and to manage the process, but I’m neat and tidy and organised. You’ve got to have an eye for detail and you can’t really leave it all to your advisers.

Did the sale process have any effect on the underlying business?

TS: Not really, certainly not in any negative way. Because I was managing the whole process, the involvement of the other directors could then be limited. We needed to keep people focused on ‘the day job’, so I kept them in the loop without distracting them.

We needed to reassure our clients, some of them had been with us for as much as 14 years. So we identified a select group and told them what we were doing. The message was: ‘Don’t worry. We’ve got your interests at heart in all this.’

What would you do differently?

TS: Not much really. It all went remarkably smoothly. NVM, who had put £6m into the business over six years, said it was the easiest deal they had ever done.

Did preparing your business for sale bring any wider benefits to the business?  

TS: By January 2012 we had sold off the last small element of those parts of the business which were not really making money and the management structure was in fit and proper shape for the future. 

Our decision to collate and store all the disclosure documentation ‘in the cloud’ also had benefits in the way we now manage our information.

Have you any tips for others planning to sell?

TS: Appoint advisers who are in tune with your way of working – and likewise in choosing your purchaser. There’s no point in being unnecessarily confrontational.

Prepare a virtual ‘data room’ for all due diligence inquiries. We kept our disclosure bundle in ‘the cloud’ rather than in 30-odd lever-arch files. It’s much more straightforward to control and manage access and, in terms of the process, makes life a lot easier.

Reassure your clients in advance – don’t give them nasty surprises. We told staff immediately afterwards but that was a low-key announcement because it was just a change of shareholders. There were no redundancies or employment transfer implications but as a management team we made ourselves available to answer questions.

And, even days or hours from a deal, remember that it might not happen!

Mark Panay, co-founder of SimpleWeb, shares some thoughts about what should be in a spec.

We receive a lot of ideas for applications, both mobile and web-based. Sometimes we get the most amazingly detailed documents that give us a thorough understanding of what the idea is and what it’s supposed to achieve. Sometimes…!

Mostly, people do know what they want, but don’t often know how to describe their idea and miss out large chunks of information, assuming that whoever they are talking to knows the context. It’s easy to do, especially with a complex idea that they’ve been thinking about for some time.

When we get job referrals like this, we ask the client – at the expense of possibly losing the project –  to clarify their idea using two specific approaches. This also helps us to determine whether the potential client is serious about the project. These approaches are:

• What is the essence of the idea? This is essentially the ‘elevator pitch’ –  one minute to pitch the idea to a customer or investor
• Simple user stories. Who are the various users in the system and what are they able to do within a defined set of areas?

We also ask for a simple overview summary, which is always useful, like a longer elevator pitch.

The essence
You’re trapped for 30 seconds in an elevator with your dream client (or investor) and you need to explain what your product does. This is the number one stumbling block: what is it that makes your product special?

Good: “We’re building a product that makes it really easy for people to change TV channels without moving from their couch.”

Bad: “We’re building a small plastic device that has various buttons including a volume control and channel controls, that via infra-red allows the viewer of a TV to change various parameters on their TV remotely.”

The former is succinct, has context and gets over the idea. It’s not technical – just the essence of the product. If a client briefed a developer like this, it would get built. It might be pink, have 12 buttons, take 5 AA batteries and work by using sonar but you would get a product that achieves your business requirement.

It’s much easier said than done though. You need to test your pitch on as many people as possible.

Simple user stories
User stories are a pragmatic way to ensure a project is communicated effectively. Essentially we want the client to describe the application for particular types of user, without telling the developer how to do it. This means clients don’t have to keep asking: “is it possible?”; they just state what is needed. The developer then needs to figure out how to prioritise and achieve these requirements within the resource available.

There are many ways to obtain a set of user stories. We like the MoSCoW (http://en.wikipedia.org/wiki/MoSCoW_Method) method. A client starts with a list of what they want to be able to achieve functionally, with simple priorities based on MUST, SHOULD, COULD or WON’T. For example, a user:

• SHOULD be able to sign up to an RSS feed MUST be able to sign up to a newsletter
• SHOULD be able to post comments
• MUST have a public profile
• COULD submit an idea to improve the website
•  WON’T be able delete a roller without a warning.

The idea is not to describe how to do something, only what you want to achieve.

You will find that a lot of your requirements are generic, in that a lot of other applications already offer the required functionality, such as registering, logging in, profiles, etc. This is where your research (and you’ve done your research, right?) will play a big part. You can model them quite quickly using the MoSCoW method, leaving you just to map out ‘the essence’ as MUST, SHOULD, COULD or WON’T.

 You could separate these features out under two headings, Generic and Essence. In the generic section you could be less granular and focus all of your energy on the features that make up the essence, as this is the part that makes your product special.

Essentially the aim is to give the developer as much information as possible as early as possible. Oh, and one more thing… make sure you allow your developer enough time.

Follow Mark @ https://twitter.com/redeye

Over the last 18 months we’ve been investigating a number of web-based products which are complementary to the services we offer. One of these is in development and will, touch wood, be launched later in the year.

Whether or not the products turn into profitable businesses is for later but, if nothing else, the process has been massively educational; we advise clients on buying technology but you get a whole new perspective when you’re doing the buying yourself. We thought we should share some of what we’ve learnt.  This post is about some of the things we’ve learned about specs. In his post  Mark tells us what we should have done. Needless to say, we didn’t exactly do that.

A little less conversation…You can spend forever talking about concepts but it’s not until you write things down that you can actually get proper clarity and definition. We started talking to potential developers before we’d done any sort of spec. It would have been better to have had the spec prepared earlier. That would have provided focus to all those conversations and we would have got more value from them.

The essence of the thing…What Mark says (in his post) about this is spot on – you need to convey the essence succinctly and clearly. This is not something that comes naturally to a group of lawyers – we’re used to the detail but summarising concepts was not something that came easily.  In the development stage the aim must be to build something that showcases the essential elements of the concept. The detail is important but it can come later.

Less of the how… A spec must state what you want built and why. Unless you come from a technical background you’re not the best person to decide how it’s actually built. Understanding the ‘how’ is important but our spec contained details about the database and how documents should be organised – neither of which actually helped to describe the essence. The result? We spent too much time and energy on these items.

Go back to it…It’s too easy to concentrate on where  you are in the build process. At every stage you should check back against the spec so that decisions are aligned to your initial aims. You are then more likely to end up with a product that captures the essence of what you wanted to achieve.

If you want to make a change, ensure it’s an informed decision…Even a detailed, tight spec isn’t going to be perfect. We followed an agile process, so the result was always going to be different from what was envisaged in the initial spec. If you do change it during the build then make it a definite and informed decision rather than allow the build to diverge from the original spec by default through inconsistent decision-making.

Part of the role of any good business adviser is to help make connections for people. If a client needs expertise that Roxburgh Milkins does not offer then we try to put them in touch with someone who does.

 We’re lucky because we know plenty of excellent people and organisations able to provide all kinds of help … other lawyers, organisations offering support to businesses of all sizes, finance providers, people who can find you a property or build you a bit of software. 

The more established the business the more likely it is to have an existing network of people it can turn to for advice.  But a young business or entrepreneur is much less likely to have this network. This is why we are very enthusiastic about Business Navigator, a powerful new tool which has been launched in Bristol and Bath.

 Business Navigator is a free online service which helps businesses to find support and resources.  It’s the first service of its type to go live anywhere in the UK and is backed by the West of England Local Enterprise Partnership.

 Business Navigator is run by Martin Coulthard and Christian Annelsey, both very well known in Bristol. Martin is an experienced entrepreneur who has founded, grown and sold two companies. He was also director of the Bath & Bristol Enterprise Network.  Christian was founder editor of South West Business Insider. 

 With the local know-how, contacts and commitment to the project of Martin and Christian, we think that Business Navigator will be able to provide entrepreneurs with a valuable insight into the support available to them.

 Martin adds: “We are extending our offer all the time, finding support organisations that are worth entrepreneurs knowing about, and would love to hear from anyone with insight into organisations we should add or functionality they’d like to see. In the meantime, anyone interested can keep track of Business Navigator through social media and by signing up to our newsletter on the homepage.”

 The site regularly aggregates more than 100 local events a month taking place across more than 50 listed business-support organisations. Business Navigator is also on Twitter and has a LinkedIn Group..

Love them or hate them, online services such as social media and cloud computing services can be very useful and a cost-effective way to run and promote your business. But if companies (or their employees) use them in the wrong way, there can be serious, negative implications. The aim of this blog is to arm you with some of the knowledge needed to navigate the legal minefield you might find yourself in when using online services.

What is Social Media?

“Social Media” is a term used to describe a number of vastly different platforms. Most of them fall in to at least one of the following categories:

• Blogs like Wordpress and Blogger.
• Social Networking like LinkedIn, Facebook or even A Small World.
• Wiki – an information database like Wikipedia, Wikitravel or Wikia.
• MMOG (Massively Multiplayer Online Game) – Online games such as World of Warcraft and Second Life.

All of these examples are predominantly open to all with few restrictions. Many companies also make use of internal social media services like Yammer or have an internal intranet as they can be a cost effective and time efficient means for internal communication. 

What is Cloud Computing?

Cloud computing is essentially software as a service over the internet. Examples include project management tools like Basecamp, online storage tools like iCloud and office tools such as Google Docs. It’s usually not necessary to purchase or install any software; services are run through web browsers. As a result, companies don’t have to run their own application and data servers, which can result in costs savings. Cloud service providers host applications and provide the computing power from their data centres, benefiting from massive economies of scale and dramatically lowering the costs of IT service provision. But as is often the case, with every benefit comes a drawback elsewhere…

The Checklist

There are a few things you and your company should consider before using any Social Media or Cloud Computing service…

1 – Are the platform’s terms and conditions, acceptable use policy, privacy policy etc. acceptable to your company? Key things to look out for in these documents are data protection/processing issues, intellectual property rights and what happens if things go wrong. For example:

• Are you happy (and able) to give Facebook a licence to the IP that you upload to Facebook pages?
• Are you prepared to accept the limitation of liability applicable to use of a Twitter account?
• Do you have the consent of your employees to share their data if they/you register them to use a platform on behalf of the company?
• Evaluate the risks of using the service - how secure is the platform and what level of liability is the service provider accepting for this?
• Gain an understanding of the key laws relating to use of social media:-defamation, deceptive or unethical marketing and advertising and promotions and competitions are the main ones to look out for.

2 – Make sure the payment model for the service is acceptable and check the level of support and guaranteed uptime for the service. Is it good value? Freemium and monthly subscription models can be cheaper in the short term but more expensive in the long term. You will also need to be wary of planned obsolesence, some service providers may refuse to support or maintain older services in order to push users to use a newer (and usually more expensive) service.    

3 – Once you’ve reviewed the platform’s policy documents and relevant laws, prepare your own cloud computing/Social Media Policy to set out the rules and/or procedures that employees must follow when using the platform, taking into account what you’ve learnt from a review of the platform’s policy documents. It might also be worth reviewing your company’s employment contracts and staff handbooks at the same time in order to see if there are any gaps that need to be filled as a result of the use of social media. One thing to point out to employees is that they should never be signing the company up to any services without sufficient managerial approval.

4 – If you make the leap into the arena of Social Media, it’s also worth considering what arrangements will be necessary to keep an eye on things. If a disgruntled client starts a smear campaign, you will need to know about it quickly and have the tools to deal with it. If you like the DIY approach, try using a solution such as Mention. If you’re a bit overwhelmed, paid-for monitoring services are available from people like Digital Visitor and Trufflenet. If you’re still struggling and can’t sleep at night, there’s even social media insurance available!

If you’re worried about any of the reviewing or drafting mentioned above, or even if you just want a chat, get in touch. We will also follow up this general overview with some more detailed articles in the near future.

Premier Veterinary Group is one of the more innovative businesses to have emerged from the deregulation of veterinary practices in 1998.

While subsequent development of the sector has been held back by the difficulties in obtaining finance from banks and traditional sources of funding, PVG has grown to cover a dozen practices, mainly in Bristol, Kent and Birmingham.

Chief executive Dominic Tonner led a management buy-in to acquire the first two practice groups in 2007, funding the acquisition by attracting finance from high net worth individuals.

Work began immediately on making the necessary operational changes to improve revenues, client service and other aspects of the business affecting its profitability. The company now operates across three regions employing more than 150 staff.  A significant further investment was made in 2010 and Premier Vet Alliance was launched in 2011. It comprises 216 member practices across the UK taking advantage of a range of products and services, chief among these being a buying group, a pet health scheme and its own brand pet food.

PVG is continuing its strategy of growth by acquiring practices in other locations. The funding for further acquisitions, which will double the size of the core business, has been raised through the shareholder group and other high net worth individuals attracted by a 12 per cent return on loan notes. 

 
Richard Hopkins at Roxburgh Milkins has acted for PVG in relation to the fundraising and acquisitions. Corporate finance advice has been provided by PKF.

Dominic said: “What I like about Richard is that he is a ‘no fuss’ lawyer. He knows our business from back to front and is fast and efficient. It’s a very cost effective service.”

Doing business with big companies can be great – it’s good for publicity and is exposure to important work, but more importantly, a nice pay day! But could this work cost you more than you realised? Is your Intellectual property slipping through your fingers?

If your customer is a large company, chances are they will have a lawyer in tow. In our experience, many large companies use lawyers that are quite fond of their standard documents or “company policies”, most of which are likely to say something like “we, the big company, will own all IP relating to the Service provided by you, the small fry” The question is, does “all IP” mean all IP or just IP created specifically for this client?

A large amount of the materials used to provide most services will be the same for every customer. For example the backend of a website might be identical for several customers, but the frontend will be more bespoke. If you give ‘all of the IP’ in these materials away to one customer, you might not be able to use your backend again for your next customer.

What do I do to sort this out?

Make sure that you have an agreement in place that has a clear IP clause that covers:

1. The IP that you will continue to own (your ‘background IP’), and the terms on which you will licence such background IP to the client; and
2. The IP that the client will own as a result of the agreement, and whether you will retain a licence to any of this IP.

You need to carefully think through what makes up 1 and 2 above. Anything that makes up part of your standard service should be retained as background IP. And remember that if you ‘assign’ or ‘transfer’ ownership of IP to a client, it won’t be yours any more and you can’t use it unless the client specifically agrees to licence it back to you.

The next issue to cover will be the terms of any licences for IP retained and/or assigned by you.

What if I haven’t dealt with this properly in the past?

The Patents County Court recently decided that, generally speaking, in the absence of express wording, background IP will not be assigned to the customer of the services. However, the customer would gain an unrestricted licence to that background IP – which is not much different from owning the IP, save that the service provider can also continue to use the IP without restriction. This could mean that your customer could use your IP in any future project, without any further dealings with you or paying any additional licence fees (other than perhaps acknowledging you as an author of previous work – i.e. moral rights), which won’t be to everyone’s liking.   

If you’re worried about any of the issues mentioned above, or if you just want a chat, please get in touch.

Summary:

• ICO issues new guidance the day before end of moratorium on enforcing new cookie rules.
• This guidance suggests implied consent (opt-out) may be a good enough solution.

What are cookies?

Website cookies can allow a user to navigate a website efficiently and can add additional functionality to websites. They can also allow websites to track visitors and can be utilised by advertisers to target ad campaigns. This is all made possible by placing a cookie (a small data file) in your hard drive and allowing the website (or a third party) to access it.

How has the law changed?

On 26 May 2011, the UK updated its law relating to electronic communications, (which includes cookies) via the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

These changes to the law were instigated by the EU Commission via its 2009 ePrivacy Directive. The ICO announced in May 2011 that they would give most websites a year’s amnesty in which to adapt to the changes in the law. This amnesty ended on Saturday 26th May 2012.

Opt-in or Opt-out?

The Regulation states that it is unlawful to use cookies to collect a user’s data without first obtaining prior consent.

Initially, the Information Commissioner’s Office (ICO) guidance indicated that consent had to be express (i.e. opt-in). However, 11^th hour guidance released on Friday May 25^th suggests that implied consent (i.e. opt-out) may be appropriate most of the time.

The ICO has stressed that implied consent can only be relied on when users have sufficient understanding about the cookies used so that their actions imply their consent. This means that website owners still need to provide much more detailed information about their use of cookies and need to bring this information to the notice of website users, for example, using prominent links/banners etc.

Another consideration will be that the usual profile of a website’s users will be important when deciding on an appropriate method for achieving compliance. For example, a website designed for young children may require an opt-in approach to obtaining consent to cookies, but it’s likely that a website designed for adults which provides detailed and accessible information about its cookies could rely on an opt-out approach. 

What are other website owners doing?

Increasingly throughout 2012, more and more websites have started to include more detailed information about cookies in more prominent positions on the websites.

Some public sector websites are tending to take a more cautious approach by seeking to obtain prior consent to cookies on an express basis (opt-in).

The vast majority of websites have made no visible changes. It’s possible that some websites have stopped using cookies all together, however this is fairly unlikely. There are several examples of some of the changes to websites that we have seen at the end of this note. 

What should a website owner do?

The ICO has made it clear that it will enfoce this new law so website owners cannot ignore it. We recommend you do the following:

Perform an Audit

The first task is to perform an audit of the cookies you use. The ICO has stated that its approach to enforcement will relate, to an extent, to the intrusiveness of cookies that are used on websites. The more intrusive a cookie is in terms of data it collects and stores, the more onus there will be on the website owner to ensure compliance with the new rules. There is also a distinction made between first and third party cookies. First party cookies will be placed by the website owner and third party cookies will be placed by a third party (such as an advertiser). Third party cookies are generally seen as more intrusive.

If you don’t need the more intrusive cookies, get rid of them.

Consider the Exemption

There is an exemption to the new rules that applies to cookies which are “strictly necessary”. This exemption will be very strictly interpreted. The ICO has indicated it will only apply to cookies which result from a user’s explicit request. For example, adding an item to a shopping basket usually results in the use of a cookie to remember the item has been placed in the basket until the user is ready to pay.  The ICO’s guidance makes it clear that this exemption will not be extended to analytical cookies (such as Google analytics). However, it also states that provided users are informed about the use of analytical cookies, the ICO is unlikely to prioritise any regulatory action against their use without sufficient consent.

If you can operate a website using only “strictly necessary” cookies, you can tick the compliance box.

How to comply

Full compliance with the new rules requires you to:

• provide users with comprehensive information about the cookies you use; and
• gain a user’s consent to such use.

Information

You need to be able to show now that you have at least started to work towards full compliance. The easy one to deal with above is the information requirement. You need to prepare a cookie information section for your website that provides, as a minimum, the following information in relation to each cookie:

• name or type of cookie;
• 1^st or 3^rd party cookie;
• what it is used for;
• how long is it used for;
• what data is stored/accessed; and
• is there any link to the identity of a user.

You are also required to prominently flag this information to users. The ICO recommends having a link to a separate “cookies” section as well as a link to “privacy policy”, or to have a “how we use cookies” section. Some websites have renamed the privacy policy “cookies and privacy policy”.

Consent

As mentioned above, the latest ICO guidance suggests that implied consent may well be acceptable in more circumstances than the previous guidance had suggested. The key issue is that to be valid, implied consent needs to be “specific and informed”.

This means you cannot rely on doing nothing and argue a user visiting your website gives implied consent to cookie use simply by visiting. The ICO states that you have to ensure that “clear and relevant information is readily available to users explaining what it likely to happen while the user is accessing the site and what choices the user has in terms of controlling what happens.”

The ICO also states that you should view implied consent as coming out of a shared understanding between websites and users. The more users see prominent notices giving clear and relevant information about cookies, the more they will develop an understanding of cookie use and the more likely it will be that a website owner can on implied consent.

Examples of websites seeking to rely on implied consent:

The following picture shows a banner running across the top of a website. It has a link that allows users to obtain information about cookies, a link on how to control cookies and a button to stop the banner being shown again. This is an example of an implied consent approach.

Example 1

The website owner is relying on implied consent from the user’s actions of either the user’s continued use of the website, or clicking “Don’t show this again”.

Example 2 below follows the same appraoch as example 1, but the notice is further down the page and the wording of the notice is more explicit in saying that continued use implies consent.

Example 2

This is a further example of a website using the implied consent approach.

Example 3

The following picture is another variation, however on clicking the “Cookie Consent” button in the bottom right corner, the user is provided with a dashboard from which cookie use is fully customizable.

Example 4

Conclusion

The ICO has made it clear it will enforce the new rules. However, it has also suggested that it will take a reactive approach (i.e. reacting to complaints). It has also suggested that its approach to enforcement will be proportionate to the efforts the website owner has made, taking into account the relative invasiveness of the cookies you have used.

The ICO will generally look to gain your compliance first. It may subsequently look to use enforcement notices. It can always then move onto fines (up to £0.5m). Although again, the ICO has stated it sees fines as an unlikely conclusion to non-compliance with these new rules.

From the above, website owners should take the following messages:

• Work out what cookies you need and don’t need;
• Do the information bit well and do it now;
• Look at consent options – implied may well do the job;
• Keep an eye on how things develop.

Nobody likes creepy looking clowns that pop out of boxes. The same goes for website pop-ups! Following changes to the laws relating to website cookies (which our previous blog explains in greater detail), websites might have no option but to bombard users with a pop-up on their first visit to the website in order to ask for consent to use cookies.

The Basics

On 26 May 2011, the UK updated its law relating to electronic communications, (which includes cookies) via the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. It’s now unlawful to use cookies to collect a user’s data without first obtaining: prior (1) informed and (2) express consent. The tried and tested opt-out approach that’s previously been relied upon is now defunct. These changes to the law were instigated by the EU via their 2009 ePrivacy Directive. The ICO announced in May 2011 that they would give most websites a year’s amnesty in which to adapt to the changes in the law. This amnesty is due to end in May 2012.

What’s happened during the amnesty?

To quote the “revered” magician Paul Daniels, “not a lot”. On one hand this is surprising given that the ICO can fine websites up to £500,000 for non-compliance. On the other hand, the new law is a huge change for websites that have been used to relying on the opt-out approach. Many websites are reluctant to make the change as the process of requiring users to opt-in is very impractical. It’s been reported that 95% of the UK’s biggest organisations’ websites still don’t comply with the new laws. As the body responsible for enforcing the new laws, the ICO was one of the first organisations to change their website to meet the new requirements. They decided to do this by using the dreaded pop-up, including a tick-box for users to confirm their consent to the cookies that they propose to use (with the cookies not being installed until the box has been ticked):

By its own admission, this approach hasn’t worked for the ICO. Only 10% of new visitors to the ICO’s website have ticked the box. This reinforces the fact that we all hate popups, especially ones which require us to agree to something with a positive response. BT has come up with an alternative which is half opt-in half opt-out and likely to result in a better uptake:

By giving a negative option rather than a positive option, it’s thought that far more people will agree to the use of cookies. In reality, by clicking “No thanks” users are opting-in to the use of cookies. The ICO’s approach and wording is clearly what needs to be done if following the letter of the law, but it will almost certainly continue to be ignored and affect user experience for the website. BT’s attempt is a bit more practical, and we think it may just scrape across the line of what the ICO will accept.

A lot of other websites seem to be taking the approach that simply including more information about cookies will do the trick. For example, there are quite a few websites that now have their own “cookie” section as well as a privacy policy link or have “privacy policy and cookies” sections. These sections tend to describe in some detail what cookies are used and what they are used for. Whilst this is a step in the right direction, it is still relying on implied consent and it may be harder to convince the ICO that users have given informed and express consent in such circumstances. Such websites are either hoping that the ICO will take a relaxed approach to enforcement if the website has gone some (but not all) of the way to complying with the new rules, or they are waiting to see what happens and have consent mechanisms waiting in the wings.

Three steps to cookie compliance

1. Audit your cookies. Have a spring clean, get rid of the cookies that you don’t need.
2. Provide detailed information about the remaining cookies. Name them and tell people what they do. You could add this information to your Privacy Policy or Terms of Use, or have a separate “cookies and how we use them” section.
3. Work out the best method to get informed consent from users. This is potentially the tricky bit and largely depends on what your website does and how your website works. For example, if users are required to login to use the website, it should be fine to ask them to tick a box to confirm their consent to cookies before they are able to next log in. Have a look at the ICO guidance for further examples.

If you’re worried about your cookies, let us put your mind at rest! Get in touch.