The changes to the cookie laws, which require website operators to obtain consent from users before setting cookies, came into force last year. However, the ICO’s one-year grace period only expired on 19 May 2012.
The ICO has set up a reporting tool to allow users of websites to report concerns about cookies on websites. The reporting tool was activated on Friday 25 May 2012. Since the reporting tool went live, the ICO has received a flurry of complaints, 64 in just three days and 180 complaints so far.
The ICO stated that the first 64 complaints did not refer to 64 separate websites. The reporting tool can be found on their website.
The ICO has stated that it will not be taking a hard line in enforcement in respect of website operators who are not compliant with the cookie laws. Instead, when complaints are made, the ICO will look into the steps that the website operator has taken to comply. If the website operator can demonstrate that they have taken steps to try to comply with the changes in the law, the ICO will offer help rather than taking legal action.
Websites in compliance
A number of high-profile websites have taken steps to comply with the change to the law, as follows:
- BT is using a pop-up box, which automatically disappears, to provide links to further information about cookies, together with a permanent link at the bottom of each page regarding cookies.
The ICO has updated its guidance on cookies to include further information on implied consent, leading to angry responses from website operators and website designers. Many website designers have been advising clients to implement measures to obtain explicit consent, such as banners or pop-ups. Such measures take time to develop and cost money to website operators, as well as affecting the design of the website. Website operators and designers are angry over what they view as the last-minute back-tracking of the ICO, which would allow implied consent and mean that such measures were unnecessary.
The ICO has clarified that:
- Implied consent is a valid form of consent and it can be used to comply with the new rules surrounding cookies.
- However, it is important that if website operators are relying on implied consent, they are satisfied that users understand their actions will result in cookies being set.
- In some circumstances, such as if sensitive personal data (e.g. health information) is being collected, explicit consent might be more appropriate.
Steps to take to comply
As the ICO has stressed that there’s no “one size fits all” approach, what should website operators do to comply?
We recommend taking the following steps:
1. Undertake a cookie audit
A comprehensive list of all cookies used on the website should be produced. The cookies should be categorised according to their functionality and purpose in order to identify what the cookies do and the type of information they collect. The International Chamber of Commerce cookie guide may assist. This will allow you to analyse the type of solution that will be suitable.
2. Implement a solution
3. Keep your cookies under review
The appropriate solution for now may not always be the appropriate solution. Each time a new cookie is added to your website, you will have to consider the information it collects and how you will provide a solution to the problem of consent.