- What does the cookie consent rule require?
- Are there any exemptions from consent?
- Do website pop-ups need to get consent?
- Are there any other practical recommendations?
Last year, new rules came into force requiring UK online businesses to ask for consent before serving or accessing website cookies on visitors' computers or mobile devices.
At the time, the UK data protection watchdog, the Information Commissioner's Office (ICO), said it would allow businesses a 12 month window – until 25 May 2012 – to achieve compliance.
Now this period has expired, businesses that have not already implemented cookie consent mechanisms need to do so promptly or risk regulatory enforcement.
Let's look at some of the some of the most common questions organisations are asking about the new rules:
Yes. There is no need to obtain consent for cookies which are strictly necessary to operate the website. ICO guidance says cookies which are necessary to maintain website security, power online shopping baskets and balance website server load do not need consent. All other cookies do, however – even those used to provide analytics or remember visitor preferences.
No. How to get consent is up to you. In some cases, providing simple cookie notices prominently on the face of the website that link to easy-to-use cookie controls will be enough to infer visitors' consent if they do not change their cookie preferences. The most important thing is to make visitors aware that cookies are being served and how to control this.
There are four essential steps to compliance:
- First, perform a technical audit of your website to identify what cookies it serves. If you don't have in-house capability to do this, consider using an outsourced solutions provider to do this;
- Second, assess the intrusiveness of the cookies your website serves. This will inform how prominent your consent notices must be. This stage will also help identify which cookies are strictly necessary and so exempt from consent;
- Third, decide on an appropriate consent strategy. For websites making non-intrusive uses of cookies (for example, serving cookies for analytics of visitor preference purposes), an implied consent strategy will likely suffice. For websites making more intrusive cookie uses (for example, tracking visitors across multiple domains), a more express consent strategy will be appropriate;
- Lastly, implement your consent strategy. This will require technical and operational changes to your website o deliver prominent cookie notices and obtain visitors' consent. You may either choose to make these changes in-house or, again, use an outsourced solutions provider to help you.
- Aside from the above there are a number of quick wins online businesses can achieve. For example, where your audit reveals that you are using cookies you no longer need, get rid of those cookies - you will then have no need to ask for consent for them.
- Similarly, if you are serving persistent cookies with long expiry periods, reduce those expiry periods. This will help minimise the intrusiveness of those cookies and so better enable reliance on implied consent strategies.
- Lastly, when working with third party technology partners, have them explain to you what cookies they serve and what they do. This information will enable you to make clearer, more meaningful cookie disclosures and improve the validity of your visitor consents.
Phil Lee is a partner in the Privacy and Information Law Group at Field Fisher Waterhouse
This was first published in May 2012