The Information Commissioner’s Office (“ICO”) has published its “half term report”, giving its view on what has been done and what still needs to be done to comply with the new rules on cookies, together with updated guidance for UK website operators.
The ICO reported that website operators “must try harder” and “could do better” to comply with the new cookie laws.
The law, which came into force in May 2011 and will be enforced from 26 May 2012 once the 12-month grace period expires, requires website operators to obtain users’ opt-in consent to cookies being placed on their computers.
The ICO has issued its clearest warning to date that website operators cannot simply wait for the lead-in period to end before taking any action. Christopher Graham, the Information Commissioner, said “Many people running web sites will still be thinking that implementing the law is an impossible task. But they now need to get to work”. Many businesses have struggled to understand what they will be required to do to ensure compliance. Whilst the amended cookie advice provides important guidance, some areas are still left uncovered.
The updated guidance builds on the existing advice issued by the ICO and includes the following key points:
- Further information is given on what is meant by “consent” to cookies being placed on a user’s computer. The ICO considers that consent must involve “some form of communication where the individual knowingly indicates their acceptance”. The ICO recognises that some cookies may be set as soon as a user accesses a website, but insists that where possible the setting of cookies should be delayed until the users have had the opportunity to understand what cookies are being used and consent to the usage. The ICO has highlighted that the information provided must not just be clear and comprehensive, but also readily available.
- The Regulations do not specify whether the consent for the cookie should be obtained from the subscriber (the person who pays the bill) or the user (the person viewing the website). Therefore, if the same website is visited by both a subscriber and a user, it appears that it will only be necessary to obtain consent to set the cookies once, from either party.
- The ICO has provided guidance on the meaning of ‘strictly necessary’ for the purposes of the exception under which consent need not be obtained for cookies that are strictly necessary to provide a service the user has requested. Cookies that are likely to fall within the exception are:
  - A cookie that remembers the goods a user wishes to buy when they add goods to their shopping basket.
  - Cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity a user has requested, e.g. online banking services.
The ICO has also provided examples of cookies which are unlikely to fall within the exception, including cookies used for analytical purposes and first or third party advertising cookies.
- The ICO acknowledges that achieving compliance in relation to third-party cookies is one of the most challenging areas. It suggests that third parties setting cookies may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about third party cookies and to obtain consent from users.
- The guidance sets out practical advice on how to comply, giving examples of the different ways in which website owners may obtain consent through the use of pop-ups, tick-boxes, privacy settings and terms and conditions.
- Upon the expiry of the grace period, the ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.
Website operators feel that they are having to take responsibility for educating users about cookies. They also object to the suggestion that they take responsibility for third party cookies, as traditionally website privacy policies expressly exclude responsibility for third party cookies.
Whilst the guidance mentions that these measures also apply to cookies set on mobile devices and other terminal equipment, such as internet-enabled televisions, no further information is provided on how this will work in practice or whether the same solutions will be appropriate.
There are still a lot of questions to be answered and, as the ICO points out, a lot of work to be done to ensure compliance. It is important that website operators start taking the first steps now, so that they can demonstrate efforts towards compliance if the ICO launches an investigation. As the ICO suggests, the first step is a cookie audit to identify the cookies set and their purpose. Following this, the various approaches suggested by the ICO can be considered in order to assess which will best meet the requirements of the website and how a solution may best be implemented.
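As an added illustration of the audit-then-gate approach described above (example code written for this page, not part of the ICO guidance or the original article), the following Node.js snippet keeps the output of a cookie audit as a registry, treats only the ‘strictly necessary’ category as exempt, and refuses to set any other cookie until an explicit consent record allows its category. Cookie names, categories and the consent record shape are constructed assumptions for illustration.

```javascript
// Output of a cookie audit: every cookie the site sets, with its category and
// purpose. Names and purposes here are constructed for illustration only.
const COOKIE_REGISTRY = {
  basket_id:     { category: "strictly-necessary", purpose: "remembers items in the shopping basket" },
  session_token: { category: "strictly-necessary", purpose: "authenticates the logged-in user" },
  usage_stats:   { category: "analytics",          purpose: "site usage statistics" },
  ad_profile:    { category: "advertising",        purpose: "third-party advertising" },
};

// Only cookies in these categories fall under the exception and may be set
// before the user has made a choice; everything else waits for an opt-in.
const EXEMPT_CATEGORIES = new Set(["strictly-necessary"]);

// Decide whether a named cookie may be set, given the user's consent record.
// consent is null before the user has chosen, otherwise an object such as
// { analytics: true, advertising: false } (assumed shape).
function maySetCookie(name, consent, registry = COOKIE_REGISTRY) {
  const entry = registry[name];
  if (!entry) return false;                                // unaudited cookie: never set it
  if (EXEMPT_CATEGORIES.has(entry.category)) return true;  // exempt: no consent needed
  return Boolean(consent && consent[entry.category] === true);
}

// Audit helper: parse a document.cookie-style string and report each cookie's
// category, flagging any cookie the registry does not document.
function auditCookies(cookieString, registry = COOKIE_REGISTRY) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => {
      const name = pair.split("=")[0].trim();
      const entry = registry[name];
      return {
        name,
        category: entry ? entry.category : "UNKNOWN",
        purpose: entry ? entry.purpose : "not documented in the audit",
      };
    });
}

// Constructed sample: a cookie string as a browser might present it.
const sampleReport = auditCookies("basket_id=42; usage_stats=1; mystery=1");
console.log(sampleReport); // the 'mystery' cookie is reported as UNKNOWN
```

Any cookie reported as UNKNOWN is one the audit missed and therefore has no documented purpose to show the user, so the gate treats it as not settable until the registry is updated.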