Little more than a month remains before a new law impacts on web site operators. The law is concerned with obtaining consent from users to cookies. But how to comply with the law remains a mystery.
No help is provided by the amendment to the EU’s Privacy and Electronic Communications Directive which the new law will implement. It requires websites to gain informed consent from users before using cookies. But does this mean that a specific opt-in consent will be needed for example, by some form of pop-up with privacy information or can consent be inferred through web browser settings?
Cookies are small text files generated by a website and stored on the user’s computer. Cookies are widely used by online retailers as they store useful information about the user such as their browsing habits, items in their shopping basket and website preferences.
Cookies are also used by online behavioural advertisers, who gather data from the cookies about the user and their browsing habits. This information is used to build up a profile of the user in order to serve them with personalised advertising.
Last Autumn the Government was proposing a pragmatic approach, of allowing users to consent to cookies through their website browser settings.
However, the Article 29 Working Party, a coalition of data protection regulators from across the EU, takes the view that you cannot rely on browser setting to indicate consent to cookies. The Article 29 Working Party considers that more explicit consent is required.
Wake up to new law on cookies
Last month the Information Commissioner’s Office issued a news release warning UK businesses that they need to “wake up to new EU law on cookies”. The Information Commissioner confirmed that the changes “must not have a detrimental impact on consumers nor cause an unnecessary burden on UK businesses”. But it failed to given any guidance on what UK businesses will be required to do in order to comply.
No enforcement action in the short-term
In the meantime, website owners should review their privacy and cookie policies to make sure that they accurately describe how cookies are used and the type of cookies used on the website. The policy should be clear:
- about how the data collected is used, in order that a user’s consent is informed;
- that cookies are optional; and
- that a user can choose to disable them or “opt-out”; and
- as to how this can be done.
In this way website owners will be able to establish a level of “consent” and show that they have taken some steps towards achieving compliance with the new regulation.