The changes to the cookie laws, which require website operators to obtain consent from users before setting cookies came into force last year. However, the ICO’s grace period, of one year, only expired on 19 May 2012.
The ICO has set up a reporting tool to allow users of websites to report concerns about cookies on websites. The reporting tool was activated on Friday 25 May 2012. Since the reporting tool went live, the ICO has received a flurry of complaints, 64 in just three days and 180 complaints so far.
The ICO stated that the first 64 complaints did not refer to 64 separate websites. The reporting tool can be found on their website.
The ICO has stated that it will not be taking a hard line in enforcement in respect of website operators who are not compliant with the cookies laws. Instead when complaints are made the ICO will look into the steps that the website operator has taken to comply. If the website operator can demonstrate that they have taken steps to try and comply with the changes in the law, the ICO will offer help rather than taking legal action.
Websites in compliance
A number of high-profile websites have taken steps to comply with the change to the law, as follows:
- The Financial Times has chosen to use a pop-up notice that appears when a user clicks onto the site. The pop-up includes links to the Financial Times’ cookie policy, which explains what cookies are and how they are used and a link to information on disabling cookies.
- BT is using a pop-up box, which automatically disappears, to provide links to further information about cookies, together with a permanent link at the bottom of each page regarding cookies.
- The Guardian has chosen a header for its page, with a link to further information on cookies and a statement that by continuing to use the website, the user agrees to the use of cookies.
Implied consent
The ICO has updated its guidance on cookies to include further information on implied consent, leading to angry responses from website operators and website designers. Many website designers have been advising clients to implement measures to obtain explicit consent, such as banners or pop-ups. Such measures take time to develop and cost money to website operators, as well as affecting the design of the website. Website operators and designers are angry over what they view as the last-minute back-tracking of the ICO, which would allow implied consent and mean that such measures were unnecessary.
The ICO has clarified that:
- Implied consent is a valid form of consent and it can be used to comply with the new rules surrounding cookies.
- However, it is important that if website operators are relying on implied consent, they are satisfied that users understand their actionswill result in cookies being set.
- Website operators should not rely on the fact that users might have read a privacy policy that is hard to find or difficult to understand.
- In some circumstances, such as if sensitive personal data (e.g. health information) is being collected, explicit consent might be more appropriate.
Steps to take to comply
As the ICO have stressed that there’s no “one size fits all approach”. What should website operators do to comply?
We recommend taking the following steps:
1. Undertake a cookie audit
A comprehensive list of all cookies used on the website should be produced. The cookies should be categorised according to their functionality and purpose in order to identify what the cookies do and the type of information they collect. The International Chamber of Commerce cookie guide may assist. This will allow you to analyse the type of solution that will be suitable.
2. Implement a solution
Consider whether implied consent will be appropriate in the situation or whether express consent will be required. Then implement the solution, this may require changes to be made to your privacy policy and attention being drawn to the changes on your homepage, the introduction of a cookies policy or the use of a banner or pop-up.
3. Keep your cookies under review
The appropriate solution for now, may not always be the appropriate solution. Each time a new cookie is added to your website you will have to consider the information it collects and how you will provide a solution to the problem of consent.
