New Cookie Regulations, Are You Ready?
2nd March, 2012
You have until May 2012 to comply with the new rules set out in the guidelines.
In essence, Cookies are small files that websites put on your hard drive. They can be benign and help you access sites more easily and process orders better or they can be malicious and gather sensitive data from your PC which can then be used or sold without your knowledge or permission.
For example, the BBC website may put up to 26 cookies onto your PC!
The regulations apply to cookies and also to similar technologies for storing information. This includes, for example, Local Shared Objects (commonly referred to as “Flash Cookies”), web beacons or bugs (including transparent or clear gifs).
There are different types of cookies:
- Session cookies are placed onto the user’s computer whilst they browse a particular site and are removed at the end of their visit. They help navigate the user through the site and, for example, remember items placed in an online shopping basket.
- Persistent cookies remain on the user’s PC between sessions. These can be useful to remember your preferences and to personalise your journey. For example Amazon knows what you have bought or browsed before and makes recommendations, or a supermarket remembers your regular shopping list.
- First party cookies are put on your PC by the site you visit and third party cookies are put on your PC by others. Websites often sell cookie space to third parties. Again this can be benign and make sure you get “targeted” adverts when you visit a site, or can be more sinister.
You can alter your PC’s ability to accept cookies in your browser settings, but then the websites you visit may not work as well.
So if you have a website, it will probably have cookies. What must you do?
If your cookie collects data that can be linked to a name, a postal address or even an e-mail address, that information will amount to personal data and will be subject to the Data Protection Act 1998.
- Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed.
- Has given his or her consent.
Consent is not clearly defined in the Regulations and the level of information required to be given is not clear either. This is confounded by the difficulty of knowing the level of technical ability that any given user might have.
There is an interesting and not yet clear issue between user and subscriber. The person who pays the bill is the subscriber, but the person using the browser is the user. If a child is using a website on their parent’s connection, who has to give consent?
To look at the information required you should get your IT manager or provider to conduct a cookie audit. What sorts of cookies is your website using? The ICO suggests a table listing all the cookies, what they are called and what they do, along with more information if required. Alternatively, the ICO has suggested some generic wording starting “our website uses [x number of] cookies …”.
The users must “signify” their consent. This must be a conscious act by the user and should be before the user accepts the cookie. This causes a problem as most websites send their cookies as soon as the user lands on them. There are some minor exceptions to consent for subscription services and telecoms services.
Some of the ways that websites are doing this is through prominent links, icons and news items and blog posts. A pop up window which asked users to check a consent box would be ideal, although many browsers are set to block pop-ups and sites don’t want messages that get in the way of the browsing experience. A static and prominent banner is used by many sites, but it is questionable whether that is informed consent.
Where the site asks for preferences to be added for future visits, then a box could be added for cookie consent.
The ICO uses the following example :
If the user clicks on I agree all is fine or if they bypass it, implied consent may be given. Obviously, if they click on No thanks, cookies may not be loaded.
Getting consent for third party cookies is even more complex as there are multiple parties involved.
So, if you were looking for an easy answer in this article, you will be disappointed. The ICO guidance includes the words ”may” and “think about” and even “challenging”.
In conclusion, you must conduct a cookie audit to see what you are using, you must provide information to users of your site, you should get their opt-in consent and provide a way for them to withdraw their consent.
The items touched on briefly in this article should not be taken as specific legal advice; they are merely pointers to the issues that are out there. Additionally there are rules about data, the use of electronic communications, the use of location data and rules about selling on the internet. These are exciting times on-line but if you use the web to sell, directly or indirectly, you must be aware of the issues.
You might also be interested in...
15th August, 2019
Leading legal practice Aaron & Partners has strengthened two of its teams with the recruitment of two new... Read More »