Little more than a month remains before a new law impacts on web site operators. The law is concerned with obtaining consent from users to cookies. But how to comply with the law remains a mystery.
No help is provided by the amendment to the EU’s Privacy and Electronic Communications Directive which the new law will implement. It requires websites to gain informed consent from users before using cookies. But does this mean that a specific opt-in consent will be needed for example, by some form of pop-up with privacy information or can consent be inferred through web browser settings?
Cookies
Cookies are small text files generated by a website and stored on the user’s computer. Cookies are widely used by online retailers as they store useful information about the user such as their browsing habits, items in their shopping basket and website preferences.
Cookies are also used by online behavioural advertisers, who gather data from the cookies about the user and their browsing habits. This information is used to build up a profile of the user in order to serve them with personalised advertising.
Consent
The amendments to the E-Privacy Directive require website users to consent to the use of cookies, having been provided with clear and comprehensive information about the purpose of the cookies, unless the cookie is strictly necessary for the provision of services to the user.
Last Autumn the Government was proposing a pragmatic approach, of allowing users to consent to cookies through their website browser settings.
However, the Article 29 Working Party, a coalition of data protection regulators from across the EU, takes the view that you cannot rely on browser setting to indicate consent to cookies. The Article 29 Working Party considers that more explicit consent is required.
Wake up to new law on cookies
Last month the Information Commissioner’s Office issued a news release warning UK businesses that they need to “wake up to new EU law on cookies”. The Information Commissioner confirmed that the changes “must not have a detrimental impact on consumers nor cause an unnecessary burden on UK businesses”. But it failed to given any guidance on what UK businesses will be required to do in order to comply.
The Information Commissioner confirmed that one option being considered is to allow consent to the use of cookies to be given via browser settings. However, most users are unaware of how to adjust their browser privacy settings. A simpler and more user-friendly solution is needed. The problem is that this will take time to develop and then, once developed, will take time to proliferate amongst web users.
No enforcement action in the short-term
With the deadline of 25 May 2011 drawing near and no definitive guidance given, the Government has suggested that businesses need to be working to address the way they use cookies. It has confirmed that the Information Commissioner’s Office will not be expected to take enforcement action in the short term against businesses as they work out how to address their use of cookies.
Establish consent
In the meantime, website owners should review their privacy and cookie policies to make sure that they accurately describe how cookies are used and the type of cookies used on the website. The policy should be clear:
In this way website owners will be able to establish a level of “consent” and show that they have taken some steps towards achieving compliance with the new regulation.