Four steps to comply with PECR, ICO cookies regulations

To comply with ICO regulations, you’ll need to clean up website cookies and prepare pop-up permission requests. Alan Calder explains how.

The new Privacy and Electronic Communications Regulations (PECR), announced by the Information Commissioner’s Office (ICO) in 2011, will be enforced in May 2012. In advance of the ICO cookies compliance date, organisations are expected to take appropriate steps to be compliant, which include making proactive changes to their websites.

In a previous tip, I explained how to conduct an internal cookie audit. The cookie audit is the easy part of the compliance process. Deciding what to do with the information gathered from the audit is much harder because there is no clear guidance on what this compliance might look like.

The absence of clear guidance on cookie compliance, and the range of practical difficulties that will be encountered in determining what to do with each identified cookie, may lead many website operators to struggle with the compliance process.

To make the process easier, here are four steps you can take to make the appropriate changes to your website in order to comply with the PECR cookie regulations.

1. Remove as many cookies as possible
The first step is to clean up your website. Start with the list of cookies discovered during your internal cookie audit, and work with your Web developers to remove unnecessary cookies. In particular, remove the most intrusive cookies first. Any cookies that are designed to track individual visitor behaviour are likely to be considered intrusive. Early evidence suggests that, when faced with an intrusive “cookie notice,” visitor volumes will fall off quite rapidly. Organisations that prize their visitor volumes will therefore need to work hard to find and deploy visitor tracking options that don’t depend on intrusive cookies.

For the cookies that remain, identify those that are essential to the website’s operation and for which the browser’s consent can be assumed. Remember that the test for “assumed consent” is narrow: The cookie must be essential for the specific, advertised purpose of the website. This would include a cookie that connects an item put into a shopping basket to the browser of the visitor that put it there. There is, however, no formal list of criteria for assessing individual cookies. Until there are some legal test cases, “assumed consent” should be interpreted in line with the ICO’s guidance, which is narrow.

More on cookies

The term “cookie” includes tracking code and any other form of code that might be used to track visitors.

The ICO provides specific guidance on PECR compliance.

2. Deal with your software suppliers
Third-party cookies are more difficult to deal with. You will need to contact any third parties you are using for website components, such as an online shopping cart software maker or service provider, to determine what changes (if any) they are planning to make in terms of cookies. If a third party is not planning appropriate changes, you may have to consider switching partners.

3. Create questions for all remaining cookies
In principle, you will deal with all the remaining types of cookies by providing users with some form of pop-up box that enables them to decide whether to accept the cookie. It is likely to be expensive and complicated to enable a pop-up consent box prior to every cookie, so a simpler solution is to have your Web developers write a script that either loads a user consent box when a browser first visits the site, or shows a user consent banner that is visible from all pages of the site. Whichever option you choose, here is the minimum information that should be provided to users:

  • A statement that cookies are being used, and that some cookies are necessary for the site to work correctly.
  • A link to a page that provides detailed information about each of the cookies being used.
  • A tick-box for the user to express consent. Remember, it may be necessary to install a cookie in order to remember that decision!
  • A tick-box for the user to indicate whether those cookies should be installed for this session or permanently.
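As an added example (not code from the article), here is one shape the step 3 script could take: it reads the browser's cookies, records the visitor's decision in a single consent cookie (session-only or permanent, matching the two tick-boxes), and lets a non-essential cookie through only once a "yes" has been recorded. The cookie names in the register and the /cookie-policy link are assumptions.

```javascript
// Added example, not the article's code; the cookie register is a constructed audit result.
const COOKIE_REGISTER = { basket_id: { essential: true }, visit_stats: { essential: false } };

// Parse a Cookie header or document.cookie string into a name -> value object.
function parseCookies(raw) {
  const out = {};
  for (const part of raw.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Set-Cookie value recording the decision (the one cookie the banner itself needs);
// session-only consent omits Max-Age so the browser drops it when closed.
function consentCookie(accepted, permanent) {
  let s = "cookie_consent=" + (accepted ? "yes" : "no") + "; Path=/; SameSite=Lax";
  if (permanent) s += "; Max-Age=" + 365 * 24 * 60 * 60;
  return s;
}

// Essential cookies pass on assumed consent (the narrow test from step 1); all others
// need a recorded "yes"; a cookie missing from the register is refused outright.
function maySetCookie(name, rawCookies) {
  const entry = COOKIE_REGISTER[name];
  if (!entry) return false;
  if (entry.essential) return true;
  return parseCookies(rawCookies).cookie_consent === "yes";
}

// Show the banner only until a decision (either way) has been recorded.
function needsBanner(rawCookies) {
  return !("cookie_consent" in parseCookies(rawCookies));
}

// Browser wiring for the four minimum items listed above (statement, link, two tick-boxes).
function renderBanner(doc) {
  const box = doc.createElement("div");
  box.innerHTML =
    '<p>This site uses cookies; some are needed for it to work correctly. ' +
    '<a href="/cookie-policy">Details of each cookie</a></p>' +
    '<label><input type="checkbox" id="c-ok"> I accept the other cookies</label> ' +
    '<label><input type="checkbox" id="c-perm"> Remember this choice permanently</label> ' +
    '<button id="c-save">Save</button>';
  box.querySelector("#c-save").onclick = () => {
    doc.cookie = consentCookie(box.querySelector("#c-ok").checked, box.querySelector("#c-perm").checked);
    box.remove();
  };
  doc.body.appendChild(box);
}

if (typeof document !== "undefined" && needsBanner(document.cookie)) renderBanner(document);
```

Server-side code should apply the same `maySetCookie` rule to the incoming Cookie header before emitting any Set-Cookie, since the banner only covers cookies set from the browser.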

Guide to EU cookie compliance

This article is part of the EU cookie compliance guide, which contains news and advice for organisations in Europe and around the world on complying with the cookie law.

4. Develop a server-based tracking alternative
For those users who choose not to accept cookies, work with your developers to create a server-based tracking alternative so that relevant details about those users are stored in the website database rather than in the visitor’s browser. While this is not a complicated piece of coding, it must be done carefully to work properly. Even so, these visitors' browsing experiences may be less smooth than they would be with cookies installed on their browsers.

These four steps should be adapted to take account of how your website was created, the specific technologies deployed on your website, your own business objectives, and your overall marketing strategy.

About the author:
Alan Calder is a leading author on information security and IT governance issues. He is also chief executive of IT Governance Limited, the one-stop-shop for books, tools, information and advice on governance, risk management and compliance in the UK. Alan was previously CEO of Wide Learning, a supplier of e-learning; of Focus Central London, a training and enterprise council; and of Business Link London City Partners, a government agency focused on helping growing businesses to develop. He was a member of the Information Age Competitiveness Working Group of the UK Government's Department for Trade & Industry, and is a member of the DNV Certification Services Certification Committee, which certifies compliance with international standards including ISO27001.
