This note has been prepared by Jordans Solicitors for non-lawyers and, if you have any queries about any of its contents, please seek legal advice.
A great deal has been written about changes to the law around cookie compliance since the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) were amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) (the Revised Regulations).
Although there are limited exceptions, the basic position is that cookies can be used only if the user concerned:
- Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed.
- Has given his or her consent.
The Revised Regulations have caused all sorts of issues for businesses, as many businesses with an online presence have grown to rely on cookies for carrying out essential as well as non-essential website functions. The Information Commissioner's Office (ICO) gave businesses a lead-in period of 12 months to achieve compliance, and this period of grace ended in May 2012. At the end of May 2012 the ICO issued additional guidance which was almost identical to that given in December 2011 except where it relates to implied consent. http://www.ico.org.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law
The ICO advises that the steps to ensure compliance are:
Conduct a Cookie Audit
First ascertain what cookies you are using:
- Identify which cookies you are using on your website. This should include not only cookies used by you but also those used by third parties whom you have authorised to use your site. If, as part of this audit, you identify old cookies, remove them immediately.
- Confirm the purpose of each cookie. Is the cookie necessary to perform an essential function of the website or to fulfil part of the service requested by the website user? Customer recognition, customer tracking and profiling are considered to be non-essential uses. Regulation 6(4) of the Revised Regulations provides that essential cookies do not require a user’s consent.
- Identify what data each cookie holds and confirm whether the cookie is linked to other data the provider holds about a user. If information collected by a cookie relates to a living, identifiable individual then any processing of that data must comply with the Data Protection Act 1998.
- Confirm the type of cookie. Is the cookie persistent or session? Persistent cookies are more likely to be privacy intrusive.
- Confirm the lifespan of each persistent cookie. Is the lifespan appropriate, or should it be shortened?
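As an added example (not part of the Jordans note), a small Python helper that applies the audit steps above to captured Set-Cookie headers: it records each cookie's name, whether it is a session or persistent cookie, its lifespan in days, and whether it is set by a third party, and flags cookies that need review. The hostname, reference date and sample headers are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
SITE_HOST = "www.example.co.uk"  # constructed: hostname of the site being audited
AUDIT_DATE = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference date
# Constructed sample Set-Cookie headers, as captured from the site's responses
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "basket=42; Path=/; Max-Age=86400",
    "uid=xyz; Domain=.adnetwork.example; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "prefs=lang-en; Path=/; Max-Age=63072000",
]

def parse_set_cookie(header):
    # Split "name=value; Attr=val; Flag" into (name, value, {attr: val}); attribute names are case-insensitive
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def lifespan_days(attrs, now):
    # None means a session cookie (no Max-Age or Expires); Max-Age takes precedence over Expires
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None

def is_third_party(attrs, site_host=SITE_HOST):
    domain = attrs.get("domain", "").lstrip(".").lower()
    # No Domain attribute means a host-only cookie set for the site itself
    return bool(domain) and not (site_host == domain or site_host.endswith("." + domain))

def audit(headers, now=None, max_days=365, site_host=SITE_HOST):
    # Persistent cookies outliving max_days and all third-party cookies (consent must be obtained on their behalf) are flagged
    now = now or datetime.now(timezone.utc)
    records = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        days, third = lifespan_days(attrs, now), is_third_party(attrs, site_host)
        records.append({"name": name, "type": "session" if days is None else "persistent",
                        "lifespan_days": days, "third_party": third,
                        "review": third or (days is not None and days > max_days)})
    return records
```

Run `audit(SAMPLE_HEADERS, now=AUDIT_DATE)` to see which of the constructed cookies would be flagged; in practice the headers would come from an HTTP capture of the site being audited.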
Provide Information to Users
Often the information on cookie use provided to users is too detailed and technical. The ICO suggests that information could be displayed:
1: as a table of the cookies used, with a description of the way each one is used; or
2: by using a broader explanation. The International Chamber of Commerce
Bring Information to Users’ attention
The latest guidance on this from the ICO includes:
- putting the information on a separate page on the website and providing a prominent link to that page from every page of the website. The link needs to make it clear that it leads to information about cookies and privacy.
- using an icon, although a standard cookie icon is yet to be developed, so it might be difficult to ensure that users know what the link represents without additional explanation.
- in the short term, including a blog post or news item on the home page explaining the policy on cookies and linking to the cookie information page.
Practical steps to obtain consent
The policy on obtaining consent differs and, at present, the ICO seems to have a more relaxed view than regulators in other EU member states. The ICO, in its 2012 guidance, suggested that implied consent is reasonable in the context of storing information on, or accessing information from, a user's equipment by means of cookies, at least where non-sensitive personal data is concerned. Although an explicit opt-in mechanism might provide regulatory certainty, there is an acknowledgement that in some circumstances implied consent might be a valid and more practical option.
Because the ICO is out of step with existing guidance from EU regulators, there may be an issue if cookies are placed on the equipment of non-UK EU citizens on the basis of implied consent.
- Implied consent can only be relied on provided that:
  - it is specific and informed, so the information must be given prominently, bearing in mind the intended audience and how users will obtain information from the site; and
  - there is some action on the part of the user from which consent can be inferred. The fact that a user is on a website is not sufficient consent unless there is an understanding that the user knew cookies would be set. The 2012 guidance does, however, state that if a clear and unavoidable notice that cookies will be used appears on the landing page and the user continues to browse the site, then consent will be implied.
- Affirmative consent could be obtained through the use of splash pages or pop-up windows containing express consent provisions with tick boxes. This could be problematic, as some users employ pop-up blockers and so would not see the pop-up windows.
- Static information banners could be placed at a prominent position on the website and can also include a link to the cookie information page.
- Features and user preferences: when a user selects options to set preferences for the way he or she uses the website, the selection can also include information about the cookies used to enable those preferences.
- Third parties, such as advertising networks, that want to place cookies on users’ equipment through a website that they do not operate themselves will find it difficult to obtain valid consent. As they don’t have a direct relationship with the user of the site whose online behaviour they wish to track, they will not normally be able to obtain consent through the use of terms and conditions or privacy settings. The only way round this is for website owners to provide information about the third-party cookies and to obtain consent on behalf of the third parties.
Recently the Internet Advertising Bureau (IAB Europe), a broad coalition of advertising, marketing and online businesses, launched an EU Framework for Online Behavioural Advertising. They are promoting a uniform icon to be used as an alert to users that they are receiving targeted advertising. The icon will link to a website providing further information about online behavioural advertising and a set of steps to enable consumers to opt out of receiving targeted advertising. This approach has been supported by the UK government, although it has made clear that there needs to be an affirmative act by the user before a cookie is placed, and although the scheme is useful in relation to targeted advertising it does not deal with consent for tracking user behaviour.
The above sets out the position to date; however, website operators need to keep a weather eye on the situation, as there are already planned revisions to the Data Protection Directive (1995/46/EC) which could make the views of the EU Article 29 Working Party legally binding rather than merely persuasive, as they are now.