Take on the Cookie Monster: Don't be caught out by 26 May website compliance deadline
Reminder of the law
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the ‘Privacy Regulations’), enacted last summer, require that any person setting cookies (or similar technologies) on the terminal equipment of users, or accessing any information stored in the cookies, must have provided users with “clear and comprehensive” information about the purposes for which the cookies are used and obtained their consent to the setting and use of the cookies.
The main exemption from this obligation is where the cookies are “strictly necessary” for a service which the user has requested. This exception will be narrowly construed. By way of guidance, the ICO has stated that the following are likely to be considered strictly necessary: cookies remembering the goods a user has put in a virtual basket; cookies providing essential security to comply with data protection law; and cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers. The following uses are not strictly necessary and so require consent: cookies used for analytical purposes (e.g. counting visitors); first and third-party advertising cookies; and cookies recognising a user so that the website can be tailored.
What do you need to be doing?
Carry out an audit
The first thing you need to do is make an inventory of the type of cookies you are using and what you are using them for. You need to check which cookies are necessary and which might require a user’s consent. You should also consider if your website displays content from a third party (e.g. advertisements) as that third party could be setting cookies on your users' devices. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom.
i. strictly necessary
ii. performance cookies
iii. functionality cookies and
iv. targeting/advertising cookies.
The ICO is most worried about the very intrusive cookies; it informed The Register that "provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
Decide which method of obtaining consent best suits your circumstances
• settings (whereby you explain to users that by allowing the website to remember certain choices, they are consenting to the use of cookies); and
• scrolling text in a header or footer when you want to set a cookie on a user's device, which prompts the user to make further choices.
The ICO notes that in the future websites may be able to rely on users’ browser settings as a means of consent. However, the ICO has made it clear that you cannot yet rely on this method, as most browser settings are not sophisticated enough. The ICO has suggested that in determining its approach to compliance an organisation should take into account the standard of compliance achieved by others within that organisation’s sector: “After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask ‘if they can do it, why can’t you?’”
Consequences of not complying
Serious breaches of the Privacy Regulations may attract monetary penalties of up to £500,000. A serious breach is defined as a serious contravention of the Privacy Regulations likely to cause substantial damage or distress. Such contravention must have been deliberate, or the person responsible must have known, or ought to have known, that a contravention would occur and then failed to take reasonable steps to prevent it. On this basis, non-compliance with the cookie law is unlikely to attract the maximum fine.
The ICO has stated that while it does not anticipate “a wave of enforcement action after the lead-in period ends”, it does expect organisations to have used the year’s lead-in period productively and to have ensured that they are working towards becoming fully compliant.
The ICO’s guidance on complying with the law can be found here.
The ICC’s guidance on complying with the law can be found here.
This article first appeared in Law-Now, CMS Cameron McKenna's free online information service, and has been reproduced with their permission. For more information about Law-Now, click here: http://www.law-now.com/law-now/