Cookies In The UK: Food For Thought As ICO’s Deadline Sweetener Nears End

    April 2012

    Are you a UK based business with a website or is your website accessible in and targeted to the UK? If so, and your website uses cookies, there are eight weeks remaining for you to make your website compliant with new UK laws on cookie use.

    Background

    UK laws regulating the use of cookies changed last year as a result of new regulations which came into force on 26 May 2011. We circulated a briefing note on the new laws as they came into force.

    The UK authority tasked with enforcing the new laws, the Information Commissioner’s Office (ICO), agreed to delay fully enforcing them for a period of 12 months. The delayed deadline for compliance (25 May 2012) is now fast approaching and it is important that all organisations are fully prepared to comply with the new laws by May or risk being fined up to £500,000.

    Overview of Action Needed

    The new rules on cookie use are relatively straightforward. However, translating them into practical action and implementing compliance measures may take some time.

    Initially, businesses will need to undertake an audit of what cookies they use, how and why. Then decisions will need to be made about what practical measures will be used to comply with the new laws. This may involve consultation between different areas of the business, such as management and the marketing department. Once a decision has been made, it will then be the task of the technical staff to develop the agreed solution. This process is likely to take several weeks or even months.

    What Is a Cookie?

    A cookie is a small text file that contains a unique label or cookie ID number. When a user visits a website that uses cookies, the website sends a cookie to the user’s browser and it is stored on their computer even after they leave the website and disconnect from the Internet. When the user revisits the website at a later date, the cookie ID number is sent back to the website, allowing the website to recognise the user. This can be useful for both the website and the user. Some cookies are used simply to improve the overall website experience for users. For example, some cookies will record certain user preferences or login details so that the user will not need to enter or choose these on every occasion. Other cookies simply make the site work properly – typically they are needed for the online shopping basket and checkout mechanisms to operate effectively. However, some cookies can be intrusive, as they track a user’s browsing activity within the site itself, or even across a number of different sites. It is concern about how cookie use might adversely affect user privacy that has resulted in the recent change in the law.

    Businesses should be aware that the new laws are drafted broadly to cover not only conventional cookie use, as described above, but “the storing of information, or the gaining of access to information already stored”. In this briefing, ‘cookie’ refers to both cookies per se and any other type of web tracking activity that is caught by this definition.

    What Changes Do the New Laws Introduce?

    Previously, the law required website owners to provide users with clear and comprehensive information about what cookies they set and what they were used for, and to give users an opportunity to opt-out of those cookies being set. This information, and the opt-out option, was usually included in a website privacy policy.

    The new laws maintain the need for clear and comprehensive information to be given, but instead of the ‘opt-out’, website owners need to obtain a user’s consent to setting the cookies (effectively an ‘opt-in’).

    ‘Clear and comprehensive information’ means that the information given to users about cookies must be sufficiently full and intelligible to allow users to clearly understand the potential consequences of agreeing to cookie use, bearing in mind that the level of understanding about cookie use amongst Internet users generally is low. ‘Consent’ means that a user must take some action to positively indicate that they consent to the use of cookies (such as sending an email, or ticking a box). Implied consent is not sufficient. However, consent only needs to be obtained from a user once, not each time they visit the website.

    Wherever possible, consent should be obtained before the cookie is set.

    Unless the Cookie is ‘Strictly Necessary…’

    There are limited exceptions to the need to obtain consent, most notably where the cookies are ‘strictly necessary’ to provide a service which has been requested by the user. An example of this is the ‘shopping basket’ cookie which is needed to remember what items an online shopper has put in their shopping basket when they reach the checkout. A cookie which is set purely for that purpose would be considered to be strictly necessary and exempt from the requirement of consent.

    This exemption will not cover cookies which are required just to improve or enhance the user’s visit to the site, but it may include cookies which are required in order to provide adequate security measures for the user’s details.

    How to Obtain Consent in Practice

    Some cookies are more intrusive than others, depending on their purpose. Cookies which are used in order to set user preferences, for example, will be less intrusive than cookies which track a user’s browsing activity across the website itself or across multiple sites.

    In December 2011, the ICO issued new guidance on what businesses should do to comply with the new laws. In essence it said that the more intrusive the cookie, the greater priority should be given to obtaining consent for its use.

    The ICO went on to say that businesses already use various mechanisms on their websites to draw matters to users’ attention, for example pop-up boxes, banners, headers and footers, notices, tick boxes and so on. The ICO recommended that businesses simply use the same mechanisms to obtain consent to cookies.

    The question for many businesses, however, is how to comply with the new law by giving an appropriate level of prominence to the information and request for consent, without ruining the look and feel of the website. Organisations are keen to avoid multiple pop-ups or splash pages, particularly on websites which deal with more serious subjects, such as investments, insurance or medical care.

    How consent is obtained will be largely a commercial and technical decision, but it is necessarily intertwined with the legal requirements. One approach which may prove popular is the ‘layered approach’. For example, a banner could be displayed on the home page of the site, which includes an express reference to cookies and which invites users to click through to a page (perhaps the site’s privacy policy) to obtain further information and give their consent.

    If that approach is used, the more intrusive cookies must be given greater prominence and clear and full information must be provided about how and why those cookies are used.

    Third Party Cookies

    Occasionally, cookies will be set not by the website owner themselves but by a third party. Websites may display third party content, such as advertisements, video links or even credit card payment screens, which can allow third parties to set their own cookies. These cookies are often used to track a user’s movements over time so as to be able to serve targeted advertisements to them.

    The third party setting the cookie will be primarily liable for compliance with the laws. However, according to the ICO, there is potential for both the website owner and the third party to be liable for any non-compliance. In practice, it will be the website owner that is likely to be able to control when and how consent is obtained, rather than the third party. The website owner is also likely to be in receipt of any complaints relating to cookies which are set via its site.

    Website owners are, therefore, advised to identify not just what cookies they set via the site, but also what cookies any third parties set and what the purpose of those cookies is. They then need to decide how to provide the necessary information about and obtain consent for the use of those cookies as well as their own.

    Third party content providers are likely to want website owners to accept responsibility for getting consent. However, website owners may not accept this, and traditionally, liability is excluded for third party content. Where a website owner fails to co-operate, a third party content provider may have no option but to either remove their content, disable the cookie, or try to find a way of obtaining its own consent where possible.

    Action Points

    If they have not already done so, website owners should take the following steps as soon as possible:

    1. Audit what cookies your business uses and what third party cookies are set via your website.

    2. Identify what those cookies are used for. Are any of them unnecessary and able to be removed? Are any of them strictly necessary to provide a service requested by the user?

    3. List all remaining cookies in order of intrusiveness.

    4. Decide how to obtain consent for those cookies and ensure that sufficient information is provided about their use, giving priority to the more intrusive cookies.

    5. Implement the solution identified by 25 May 2012.
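    The following is an added example, not code from the briefing or from the ICO, showing how the action points above and the ‘strictly necessary’ exemption translate into a consent gate: the site records one positive opt-in, sets strictly necessary cookies regardless, and refuses to set any other audited cookie until the user has consented to its category. The cookie names, categories and purposes are a constructed sample audit; the `jar` interface is a hypothetical abstraction over browser cookie storage so the logic can run outside a browser.

```javascript
// Added example, not from the briefing or from the ICO: a consent gate that only sets a
// cookie once the user has positively opted in, except for 'strictly necessary' ones.
// Cookie names, categories and purposes are a constructed sample audit (Action Points 1-3).
const COOKIE_REGISTRY = {
  basket: { category: 'strictly-necessary', purpose: 'remember checkout items' },
  session_security: { category: 'strictly-necessary', purpose: 'protect the user\'s details' },
  prefs: { category: 'functional', purpose: 'remember display preferences' },
  site_analytics: { category: 'analytics', purpose: 'track browsing within this site' },
  ad_network: { category: 'advertising', purpose: 'third-party tracking across sites' },
};
// Ranking used for step 3; a higher number means a more intrusive cookie.
const INTRUSIVENESS = { 'strictly-necessary': 0, functional: 1, analytics: 2, advertising: 3 };
// The opt-in itself is stored once, so consent is not asked for on every visit.
const CONSENT_COOKIE = 'cookie_consent';

// Step 3: list the audited cookies in order of intrusiveness, least intrusive first.
function cookiesByIntrusiveness() {
  const rank = (name) => INTRUSIVENESS[COOKIE_REGISTRY[name].category];
  return Object.keys(COOKIE_REGISTRY).sort((a, b) => rank(a) - rank(b));
}

// `jar` abstracts cookie storage so the logic runs outside a browser (hypothetical interface).
// In a page, wrap document.cookie with the same get/set/remove methods.
function createConsentGate(jar) {
  const consented = () => {
    const raw = jar.get(CONSENT_COOKIE);
    return raw ? JSON.parse(raw) : []; // categories the user has positively agreed to
  };
  const allowed = (name) => {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) return false; // unaudited cookie: refuse until it has been classified
    return entry.category === 'strictly-necessary' || consented().includes(entry.category);
  };
  return {
    // Returns true only if the cookie was actually set.
    setCookie(name, value) { if (!allowed(name)) return false; jar.set(name, value); return true; },
    // Called from the user's explicit action (e.g. ticking a box); never from implied consent.
    recordConsent(categories) { jar.set(CONSENT_COOKIE, JSON.stringify(categories)); },
    // Drop any cookie already present that the user has not consented to.
    purge() { for (const n of Object.keys(COOKIE_REGISTRY)) if (!allowed(n) && jar.get(n) !== undefined) jar.remove(n); },
    consentedCategories: consented,
  };
}
// Minimal in-memory jar used for a stand-alone run.
function memoryJar() {
  const m = new Map();
  return { get: (k) => m.get(k), set: (k, v) => m.set(k, v), remove: (k) => m.delete(k) };
}
```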

    How Squire Sanders Can Help

    Squire Sanders has extensive experience in advising on cookie compliance strategies under both the old and new laws. We are able to advise not only on the UK position but also compliance under similar laws across the EU.