Take on the Cookie Monster: Don't be caught out by 26 May website compliance deadline

On 26th May 2012 the Information Commissioner’s Office (the ‘ICO’) will start enforcing the changes to the cookie law, as the 12-month lead-in period for website owners to put their houses in order will have come to an end. This means that organisations which use cookies on their websites have only three weeks from today to take the practical steps they need in order to obtain consent for their cookie use.

Reminder of the law

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the ‘Privacy Regulations’) enacted last summer require that any person setting cookies (or similar technologies) on the terminal equipment of users, or accessing any information stored in the cookies, must have provided users with “clear and comprehensive” information about the purposes for which the cookies are used and obtained their consent to the setting and use of the cookies.

The main exemption from this obligation is where the cookies are “strictly necessary” for a service which the user has requested. This exception will be narrowly construed. By way of guidance, the ICO has stated that the following are likely to be considered strictly necessary: cookies remembering the goods a user has put in a virtual basket; cookies providing essential security to comply with data protection law; and cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers. The following uses are not strictly necessary and so require consent: cookies used for analytical purposes (e.g. counting visitors); first and third-party advertising cookies; and cookies recognising a user so that the website can be tailored.

What do you need to be doing?

Carry out an audit

The first thing you need to do is make an inventory of the type of cookies you are using and what you are using them for. You need to check which cookies are necessary and which might require a user’s consent. You should also consider if your website displays content from a third party (e.g. advertisements) as that third party could be setting cookies on your users' devices. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom.

Assess how intrusive your use of cookies is

The purpose behind this law is to protect users’ privacy, so the more intrusive your use of cookies, the more urgency there is for you to put a consent process in place. The International Chamber of Commerce (the ‘ICC’) has produced a cookie guide to help organisations comply with the law. This guide helps you work out how invasive the cookies you use are by splitting them into four categories, from least intrusive to most intrusive:

i. strictly necessary

ii. performance cookies

iii. functionality cookies and

iv. targeting/advertising cookies.

The ICO is most worried about the very intrusive cookies; it informed The Register that "provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."

Decide which method of obtaining consent best suits your circumstances

The ICO has made it clear that consent must involve “some form of communication where the individual knowingly indicates their acceptance.” This means that any form of implied consent, such as a privacy policy hidden at the bottom of a webpage which states ‘by using this website you consent to our use of cookies’, is not compliant. There are a number of ways you may be able to obtain consent through:

• terms of use (note that users must indicate that they understand and accept any changes to the terms of use)

• settings (whereby you explain to users that by allowing the website to remember certain choices, they are consenting to the use of cookies); and

• scrolling text in a header or footer when you want to set a cookie on a user's device which prompts a user to make further choices.

The ICO notes that in the future websites may be able to rely on users’ browser settings as a means of consent. However, the ICO has made it clear that you cannot yet rely on this method, as most browser settings are not sophisticated enough. The ICO has suggested that in determining its approach to compliance an organisation should take into account the standard of compliance achieved by others within that organisation’s sector: “After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask ‘if they can do it, why can’t you?’”

Consequences of not complying

Serious breaches of the Privacy Regulations may attract monetary penalties of up to £500,000. A serious breach is defined as a serious contravention of the Privacy Regulations likely to cause substantial damage or distress. Such contravention must have been deliberate, or the person responsible must have known/ought to have known that a contravention would occur and then failed to have taken reasonable steps to prevent it. On this basis, non-compliance with the cookie law is unlikely to attract the maximum fine.

The ICO has stated that while it does not anticipate “a wave of enforcement action after the lead-in period ends”, it does expect organisations to have used the year’s lead-in period productively and to have ensured that they are working towards becoming fully compliant.

The ICO’s guidance on complying with the law can be found here.

The ICC’s guidance on complying with the law can be found here.

This article first appeared in Law-Now, CMS Cameron McKenna's free online information service, and has been reproduced with their permission. For more information about Law-Now, click here. http://www.law-now.com/law-now/