We have looked at the changing picture with regard to cookies’ compliance in our monthly InfoLaw updates. Our views on this important topic are collated here, as we enter the countdown to the end of the “enforcement holiday”. We understand from our clients in both HE and FE that this is a topic of interest to the sector and it is an issue worth watching as website operators look ever more closely at what might (and might not) be acceptable going forward.
To recap, with the entry into force in May of last year of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (“Cookies Regulations”), the rules in relation to cookies have completely changed from a system of “informed opt-out” (which means, mostly, that users do nothing) to “prior, informed opt-in”, so that consent is required, in almost all cases, where a cookie is to be set. The Cookies Regulations apply to all website operators.
What do you mean, “Cookies”?
The new “Cookies Regulations” have been promulgated, largely, in response to the increased prevalence of behavioural advertising; the view of the European Data Protection authorities, although they accept the economic benefits which behavioural advertising undoubtedly brings, is that it should not be carried out at the expense of individuals’ rights to privacy and data protection. Accordingly, it is probably not unduly simplistic to say that the Cookies Regulations are not really aimed at the regulation of internet services which users want or need, although their effect is to require website operators to consider how meaningful consent may be obtained to the use of all cookies. It is clear (and specifically stated in Guidance published by the Information Commissioner’s Office (ICO)) that the Cookies Regulations apply both to cookies and to similar technologies whose function is the storing of information.
The key issue is the new requirement to obtain a user’s consent, after he or she has been provided with clear and comprehensive information. The ICO’s Guidance suggests that consent “must involve some form of communication, where the individual knowingly indicates their acceptance”. It is clearly accepted that the level of consent which is required will vary, depending upon the nature of the cookie in question. It is appropriate to think in terms of a “sliding scale” with privacy-neutral cookies at one end and potentially more intrusive uses of the technology at the other.
Many organisations will be considering whether implied consent is acceptable and, whilst the ICO’s guidance does not currently accept that this is a valid method of obtaining consent, discussions held by industry stakeholders in which the ICO has been involved, suggest that, for the least intrusive cookies, it would not be unreasonable to imply a user’s consent where appropriate information is available. It is important, however, to distinguish this from a continuation of the “opt out” status quo.
Compliance is likely to be a moving target in that what is and is not acceptable will become clearer once the “enforcement holiday” ends on 26 May 2012. The Information Commissioner has encouraged organisations to consider and implement solutions which are appropriate to their individual business needs (because there is not a “one size fits all” solution available) and has indicated that he will work with organisations in the event that what they have done is not considered sufficient. The key is for organisations to acknowledge that a step change is required and to plan accordingly.
The International Chamber of Commerce UK (ICC UK) has been working with a cross-section of industry stakeholders to discuss the production of a Guide to help businesses by giving them the technical and practical information they need to inform users/subscribers about what cookies are, but also about how to work towards compliance. This Guide starts from an acceptance that there is a “sliding scale”, as mentioned above (and as per the Information Commissioner’s Guidance), and suggests dividing cookies into categories. The ICC UK Guide is therefore based on four categories of cookies, being:
• strictly necessary;
• functionality; and
It was considered that categorisation (and the above is only a suggestion of four possible categories) is useful, firstly, to provide operators with “buckets” into which all cookies used by an organisation’s website can be placed. In addition, it facilitates the collection of consent, at the same time, for all cookies used by the site that fall into the same category, and allows the use of user notices which have been developed by the working party and publicised through the Guide. The hope is that the Guide will become a point of reference across a broad spectrum of business (possibly internationally) and that such widespread use will increase the speed at which users become educated, as they will be presented with the same categories of cookie and standard language in relation to each type on multiple different sites.
The Guide considers what might properly comprise “consent” by reference to each category of cookie and describes a graduation of the level of consent again, by reference to the “sliding scale”, where strictly necessary cookies require no consent and, at the other end of the spectrum, other types of cookie require very meaningful consent. The Guide remains a work in progress but is in the process of being finalised. It has been through six previous iterations and has incorporated the views of stakeholders from across industry (including representatives from the Information Commissioner’s Office).
What steps should an organisation take?
The ICO advises organisations to take the following steps:
• audit – to check what type of cookies and similar technologies it is using and how it uses them;
• identify potential solutions – to decide on the best solution for it to obtain consent.
Step 1: Audit
This might amount to a comprehensive audit of an organisation's website, or it could be as simple as checking what data files are placed on user terminals and why.
An organisation should analyse which cookies are "strictly necessary" and might not need consent (an example might be the cookie which remembers what you have in your shopping basket in an online retailer’s site). This could be a good opportunity for organisations to "clean up" their webpages and stop using any cookies that are unnecessary, or which have been superseded as their websites have evolved.
Step 2: Assessment
The new rules are intended to add to the level of protection afforded to the privacy of internet users. Consequently, organisations need to give greater priority to obtaining meaningful consent for their more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual's browsing activity. There is a growing emphasis on a “right to be forgotten” and this change in the rules is a step in this direction.
Step 3: Potential solutions
The following are the options which the current guidance considers:
• Pop-ups and similar techniques. A relatively easy option to achieve compliance, but may spoil a user's experience of using a website if several cookies are used.
• Settings-led consent. Some cookies are deployed when a user makes a choice about how the website works for them (such as a "personalised greeting"). In this case, consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work.
• Third-party cookies. Some websites allow third parties to set cookies on a user's device, and the process of getting consent for these cookies is more complex. Anyone using third-party cookies should ensure that the user is aware of what is being collected and by whom, and allows them to make informed choices about what is stored on their device (although the ICO acknowledges that this may be challenging).
Many businesses will be looking at the extent to which implied consent will be compliant. The ICO has taken a reasonably pragmatic approach and has acknowledged that, in some circumstances, implied consent might be acceptable. The ICC UK Guide, referred to above, also acknowledges that for some of the categories of cookies, for example in the case of “performance cookies” (cookies limited to performance and website improvement, collecting only anonymised information and accessible only to the website operator – typically analytics cookies), implied consent should be a possibility.
Obviously whether or not such consent is informed will depend very much on the way in which the organisation presents the information to visitors to the website and a “one size fits all” approach is not likely to be a realistic option.
We are now approaching the end of the lead-in period of 12 months during which the ICO indicated that enforcement action would not be taken. The ICO’s expectation is that, during this period, organisations will have been working towards the design and development of a solution which would meet the requirements of the Cookies Regulations. This lead-in period will end in May 2012. From May 2012 onwards the Commissioner will follow the approach to enforcement set out in his Data Protection Regulatory Action Policy (which is available through the ICO’s website at http://www.ico.gov.uk). Enforcement action in relation to a breach will be considered by reference to the impact of the breach on the privacy and other rights of website users, and not just whether there has been a technical breach of the Regulations.
As May approaches, the Information Commissioner has indicated that he will ask organisations to explain to him the steps they are taking to ensure that they will, in fact, be in a position to comply by May 2012. However, he confirmed in his blog last December that “there will not be a wave of knee-jerk formal enforcement action against those who are not yet compliant but trying to get there”.
How can businesses comply?
The approach the ICO has taken on its own website is to provide information about the name and purpose of each cookie it uses as well as links to further information available from external sources in a table format. This ties in with the ICO’s general advice to providers that, before deciding on the method for obtaining consent, they should check what type of cookies and similar technologies they are using, consider how they use them and how intrusive that use is. This is probably an approach suitable for all websites.
Where a user refuses to accept cookies (by failing to tick a box, for example), the website operator should refrain from setting any cookies other than those, like session cookies, which are essential for operating the site. Some websites set cookies as soon as a user arrives at the site; issues around “prior” consent fall to be considered in these cases. As a matter of good practice, the user should be informed, however, that restrictions on his use of the website apply and/or the website functionality will be affected if he decides to reject cookies. The Regulations allow website operators to make the user's access to certain web pages dependent on his or her acceptance of cookies.
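The gating behaviour described above (set nothing beyond the strictly necessary cookies until the user has opted in to a category, with settings-led consent covering functionality cookies) can be expressed as a small consent gate. This is an added illustration, not code from the article, the ICO or the ICC UK Guide; the cookie inventory, the cookie names and the `jar` stand-in for `document.cookie` are constructed, and the three category names are the ones the article mentions.

```javascript
// Added example: a consent gate over an audited cookie inventory.
// The three buckets below are the categories named in the article; any
// further ICC UK categories would be added the same way.
const STRICTLY_NECESSARY = "strictly necessary";
const FUNCTIONALITY = "functionality";
const PERFORMANCE = "performance";

// Output of the "audit" step: every cookie the site sets, mapped to its
// bucket. Names and purposes here are constructed for illustration.
const COOKIE_INVENTORY = {
  session_id: STRICTLY_NECESSARY, // keeps login / shopping basket working
  ui_lang: FUNCTIONALITY,         // remembered language preference
  site_analytics: PERFORMANCE,    // anonymised usage statistics
};

// `consented` is the set of categories the user has opted in to.
// Strictly necessary cookies need no consent; an unaudited cookie is never
// set, so a forgotten cookie fails closed rather than open.
function isAllowed(name, consented, inventory = COOKIE_INVENTORY) {
  const category = inventory[name];
  if (category === undefined) return false;
  if (category === STRICTLY_NECESSARY) return true;
  return consented.has(category);
}

// Try to set each wanted cookie; only permitted ones reach the jar.
// `jar` stands in for document.cookie so the example runs outside a browser.
function setCookies(wanted, consented, jar = new Map()) {
  const refused = [];
  for (const [name, value] of Object.entries(wanted)) {
    if (isAllowed(name, consented)) jar.set(name, value);
    else refused.push(name);
  }
  return { jar, refused };
}

// Settings-led consent: the user's own choice (e.g. picking a language)
// is recorded as consent to the category that choice depends on.
function recordSettingsChoice(consented, category) {
  const next = new Set(consented);
  next.add(category);
  return next;
}

// Worked run: a visitor arrives with no consent recorded, then picks a language.
const wanted = { session_id: "abc123", ui_lang: "en-GB", site_analytics: "v1" };
const onArrival = setCookies(wanted, new Set());
const afterLanguageChoice = setCookies(wanted, recordSettingsChoice(new Set(), FUNCTIONALITY));
```

On arrival only `session_id` is set and the other two are reported as refused; after the language choice `ui_lang` is set as well, while `site_analytics` still waits for consent to the performance category.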
The key here is what “consent” means and this is the focus of the new rules. Clearly what might be appropriate in terms of consent varies in the context of what the website is expected to do (for example how is the consent of younger children to be obtained) and various possibilities exist.
As May approaches, the way in which very large, international businesses are rolling out their amended privacy policies, cookies policies and asking for consent will be interesting to watch. For many, this is likely to be an expensive and difficult process and, if organisations have not yet looked into their own cookie jar, now would certainly be a good time to open the lid.