The Information Commissioner’s Office (“ICO”) has published its “half term report”, giving its view on what has been done and what still needs to be done to comply with the new rules on cookies, together with updated guidance for UK website operators.
The ICO reported that website operators “must try harder” and “could do better” to comply with the new cookies laws.
The law, which came into force in May 2011 and will start to be enforced on 26 May 2012 after the 12-month grace period expires, requires website operators to obtain users’ opt-in consent to cookies being placed on their computers.
The EU legislation requires companies which use cookies to ensure that the consumer has ‘given his or her consent having been provided with clear and comprehensive information’ about them before cookies can be used.
The ICO has issued its clearest warning to date that website operators cannot just wait for the lead-in period to end before taking any action. Christopher Graham, the Information Commissioner, said: “Many people running web sites will still be thinking that implementing the law is an impossible task. But they now need to get to work”. Many businesses have struggled to understand what they will be required to do to ensure compliance. Whilst the amended cookie advice provides important guidance, there are areas still left uncovered.
Guidance
The updated guidance builds on the existing advice issued by the ICO and includes the following key points:
o A cookie to remember the goods a user wishes to buy when they add goods to their shopping basket.
o Cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity a user has requested – e.g. online banking services.
The ICO has also provided examples of cookies which are unlikely to fall within the exception, including cookies used for analytical purposes and first or third party advertising cookies.
Whilst this may seem like a sensible suggestion, in practice it may be difficult to comply. Many websites are funded through third-party advertisements. These advertisements often use cookies to build profiles for behavioural advertising, in order to offer more personalised adverts. Under the guidance, it appears that website operators would have to obtain full details from the third party about the cookies being used and their purposes, and disclose these to users of the website. This may be difficult if the third-party advertiser is reluctant to provide details of all the cookies used, fails to update the website operator on changes, or if adverts from a number of third-party sources are used on the website.
Comment
Whilst the ICO’s guidance will be welcomed by website operators who have received limited pointers on what measures should be taken to ensure compliance, it is unlikely to satisfy those looking for a more prescriptive approach to compliance. The ICO has confirmed it is very much a case of looking at your website to find an approach that fits your use of cookies.
Website operators feel that they are having to take responsibility for educating users about cookies. They also object to the suggestion that they take responsibility for third party cookies, as traditionally website privacy policies expressly exclude responsibility for third party cookies.
Whilst the guidance mentions that these measures also apply to cookies set on mobile devices and other terminal equipment such as internet-enabled televisions, further information is not provided on how this will work in practice and whether the same solutions will be appropriate.
There are still a lot of questions to be answered and, as the ICO points out, a lot of work to be done to ensure compliance. It is important that website operators start to take the first steps now, so that they can demonstrate attempts at compliance if the ICO launches an investigation. And as the ICO suggests, the first step is a cookie audit to identify the cookies set and their purpose. Following this, the various approaches suggested by the ICO can be considered in order to assess which will best meet the requirements of the website and how a solution may be best implemented.