Express consent required
The new law means cookies can only be placed on devices where the user or subscriber has given their express consent. This means the user has to be provided with clear and comprehensive information about the purposes of the storage of or access to that information, and have given his or her consent. The only exception is where the cookie is strictly necessary for a service requested by the user.
What actions do you need to take now?
Many website providers currently comply with the existing requirements by setting out the information about their cookies and the steps that need to be taken to opt-out in their privacy policies. Under the new regulations this will no longer be sufficient. However it is not entirely clear what will be sufficient. To help organisations identify ways in which they can become compliant with the new requirements, the Information Commissioner's Office (ICO) published guidance on 9 May 2011. The ICO guidance identifies three steps that you should be taking now:
Step 1 - perform an audit on the type of cookies and similar technologies used and how they are used: The ICO explains that this might amount to a comprehensive audit of your website, or it could be as simple as checking what data files are placed on user terminals and why.
Step 3 - decide on the best solution for obtaining consent: One further change to the regulations states that consent may be signified by a subscriber who amends or sets controls on their internet browser or by a subscriber who uses another application or program to signify consent. Because of this provision, when the proposed amendments were first published, it was hoped that in practice the changes that would need to be made to websites would be limited as many users were already changing their browser settings to reject cookies. However, in its guidance, the ICO confirmed that existing browser settings are not adequate to evidence consent.
Methods of gaining user consent
The UK government is working with the major browser providers to identify future browser setting capabilities that will be adequate, but this is not yet ready. Consequently, the current advice is that you must gain consent some other way.
The ICO guidance sets out several options that are available for you to obtain a user's consent. These are only intended to be a guide and the government has made it clear that it considers that technological capabilities and advances should dictate the approach taken rather than legislation. The options set out in the ICO guidance include:
Pop-ups and similar techniques: This initially seems a relatively easy way to achieve compliance - you ask the user to click "yes" to accept - but it may spoil the visitor's experience of using the website, especially where you use several cookies.
Settings-led consent: Some cookies are deployed when a user makes a choice about how the website works for them. In these cases the ICO suggests that consent could be gained as part of the process by which the user confirms how they want the website to work.
Feature-led consent: You may be able to get consent where a visitor chooses to use a particular feature of the site, such as watching a video clip. At the point the user takes a certain the action, you could ask for consent for the cookie.
Third-party cookies: The ICO advises that anyone using third-party cookies should ensure that the user is aware of what is being collected and by whom and allows them to make informed choices about what is stored on their device. The ICO has acknowledged that this may be the most challenging area in which to achieve compliance with the new rules and states that it is working with industry and other European data protection authorities to find solutions. It is not clear at the moment exactly who has responsibility for obtaining consent.
Make changes as soon as possible
Guide to EU cookie compliance
This article is part of the EU cookie compliance guide which contains news and advice for organisations in Europe and around the world for complying with the cookie law.
Having consideration to the variety of cookies in use and the variety of uses for the information collected it does not seem likely that organisations will be able to adopt a one-size-fits-all approach to being compliant with the new requirements. Accordingly, it is likely that a significant change by most website providers will be required. The magnitude of the required changes has been recognised by the government and is reflected in its adoption of a phased approach to the implementation of the changes. This does not however mean that you should ignore the changes.
The ICO has clearly stated that, if it receives a complaint about a website, it will deal very differently with an organisation that has followed the three steps outlined above than it would if the organisation had done nothing to comply.
Henrietta Neate is a lawyer at SNR Denton LLP.
This was first published in May 2011