The Information Commissioner’s Office (“ICO”) has published its “half term report”, giving its view on what has been done and what still needs to be done to comply with the new rules on cookies, together with updated guidance for UK website operators.
The ICO reported that website operators “must try harder” and “could do better” to comply with the new cookies laws.
The law came into force in May 2011 and will start to be enforced on 26 May 2012, when the 12-month grace period expires. It requires website operators to obtain users’ opt-in consent to cookies being placed on their computers.
The ICO has issued its clearest warning to date that website operators cannot just wait for the lead-in period to end before taking any action. Christopher Graham, the Information Commissioner, said: “Many people running web sites will still be thinking that implementing the law is an impossible task. But they now need to get to work”. Many businesses have struggled to understand what they will be required to do to ensure compliance. Whilst the amended cookie advice provides important guidance, there are areas still left uncovered.
The updated guidance builds on the existing advice issued by the ICO and includes the following key points:
o A cookie to remember the goods a user wishes to buy when they add goods to their shopping basket.
o Cookies providing security that is essential to comply with the security requirements of the seventh data protection principle, for an activity a user has requested – e.g. online banking services.
The ICO has also provided examples of cookies which are unlikely to fall within the exception, including cookies used for analytical purposes and first or third party advertising cookies.
Website operators feel that they are having to take responsibility for educating users about cookies. They also object to the suggestion that they take responsibility for third party cookies, as traditionally website privacy policies expressly exclude responsibility for third party cookies.
Whilst the guidance mentions that these measures also apply to cookies set on mobile devices and other terminal equipment such as internet-enabled televisions, further information is not provided on how this will work in practice and whether the same solutions will be appropriate.
There are still a lot of questions to be answered and, as the ICO points out, a lot of work to be done to ensure compliance. It is important that website operators start to take the first steps now, so that they can demonstrate attempts at compliance if the ICO launches an investigation. As the ICO suggests, the first step is a cookie audit to identify the cookies set and their purpose. Following this, the various approaches suggested by the ICO can be considered in order to assess which will best meet the requirements of the website and how a solution may be best implemented.