ICO issues implementation guidance on cookie regulations
The Information Commissioner has now published the promised guidance on the new “Cookies Regulations”, which implement a European e-Privacy Directive. This note summarises that guidance and considers how businesses might comply with the new requirements. Associate Solicitor Caroline Redhead explains.
Following last month's update on the changes in requirements relating to cookies, this note summarises that guidance and considers how businesses might comply with the new requirements.
The Commissioner recognises that, in many cases, implementation of the rule requiring consent for cookies will be challenging for organisations. He has issued separate advice on how these requirements might be met in practice and acknowledges that requiring a rushed or hasty implementation could result in a significant restriction of the operation of internet services that users generally take for granted and would be likely to cause disproportionate inconvenience both to website providers and to users.
Accordingly, the Commissioner will allow a lead-in period of 12 months for organisations to develop ways of meeting the requirements of the new Regulations before he will move towards the approach set out in his Data Protection Regulatory Action Policy and consider using his enforcement powers to compel them to do so in appropriate cases. This lead-in period will end in May 2012.
In allowing this lead-in period the Commissioner has borne in mind the Government’s publicised view that:
• work on technical solutions will not have been completed before the implementation deadline;
• it will take time for these solutions to be developed, evaluated and rolled out; and
Businesses should now be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012. If it appears to the Commissioner that particular organisations are not making adequate preparations to be compliant by May 2012, he may issue them with a warning as to the future use of his enforcement powers. In the event of complaints being received after May 2012, any such warnings will be taken into account by the Commissioner in deciding if and when to issue an organisation with an enforcement notice.
From May 2012 onwards the Commissioner will follow the approach to enforcement set out in his Data Protection Regulatory Action Policy. This means that in deciding whether to take enforcement action in relation to a breach of the revised cookies rules he will be concerned with the impact of the breach on the privacy and other rights of website users and not just with whether there has been a technical breach of the Regulations.
In the meantime it is nevertheless likely that the Commissioner will receive complaints about cookies. Initially, where those complaints indicate non-compliance with the Regulations, he will provide advice to the organisation concerned on the requirements of the law and how it might comply. Where he considers it appropriate, and particularly as May 2012 approaches, he has indicated that he will also ask organisations to explain to him the steps they are taking to ensure that they will, in fact, be in a position to comply by May 2012.
How can businesses comply?
Whilst the Regulations anticipate that, as a general rule, “consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or program to signify consent”, the ICO and the Department for Culture, Media and Sport agree that at present most browser settings are not sophisticated enough to allow online providers to assume that the user has given their consent to allow a website to set a cookie. Whilst the government is currently working with the major browser manufacturers to address this issue, it may be that solutions at this level will not be available, and not all visitors to a website would use them (for example, if accessing the website on a mobile phone).
Clearly what might be appropriate in terms of consent varies in the context of what the website is expected to do and various possibilities exist.
If a user accepts cookies from the site, it might make sense for the website operator to store that preference (for example, by setting a “cookie acceptance” cookie on the user’s browser or hard drive – provided of course consent has been granted!), to avoid the need to obtain consent again when the user next visits the site.
The Regulations allow website operators to make the user's access to certain web pages dependent on his or her acceptance of cookies; where a user makes a choice to access certain information or a particular tool or function, consent might be incorporated into that functionality. The use of pop-ups might be suitable as a means of informing users (and seeking consent) when a cookie is set (although in many situations this might be irritating to users of the website).
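The two mechanisms just described (a stored “cookie acceptance” cookie, and gating a page or function on acceptance) can be sketched in code. The following is an added example written for this note, not code from the ICO or the author: a minimal consent-gated cookie jar in JavaScript. The consent cookie name `cookie_consent`, the `accepted` value, and the essential/non-essential split are assumptions made for the example; the in-memory `CookieJar` stands in for `document.cookie` so the example runs outside a browser.

```javascript
// Added example (not from the ICO guidance or this note): a consent-gated
// cookie jar. Assumed: the consent cookie is named cookie_consent and holds
// "accepted"; cookies are classed as essential or non-essential by the caller.

// Name of the "cookie acceptance" cookie (assumed name).
const CONSENT_COOKIE = "cookie_consent";

// Parse a Cookie-header / document.cookie style string into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// True only when the acceptance cookie is present with the expected value;
// an absent, altered or unknown value is treated as "no consent recorded".
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "accepted";
}

// In-memory stand-in for document.cookie so the example runs in Node.
class CookieJar {
  constructor(initial = "") {
    this.cookies = parseCookies(initial);
  }
  toString() {
    return Object.entries(this.cookies)
      .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
      .join("; ");
  }
}

// Record the user's acceptance so consent need not be sought on the next visit.
function recordConsent(jar) {
  jar.cookies[CONSENT_COOKIE] = "accepted";
}

// Set a cookie; non-essential cookies are refused until consent is recorded.
// Returns true if the cookie was set, false if it was refused.
function setCookie(jar, name, value, { essential = false } = {}) {
  if (!essential && !hasConsent(jar.toString())) {
    return false; // refused: no recorded consent yet
  }
  jar.cookies[name] = value;
  return true;
}

// Gate a page or function on acceptance of cookies, as the Regulations permit:
// true when it may be served, false when consent must be sought first.
function canServe(jar, needsNonEssentialCookies) {
  return !needsNonEssentialCookies || hasConsent(jar.toString());
}

// Walk through a first visit (non-essential cookie refused until the user
// accepts) and a return visit (stored acceptance recognised, no new prompt).
function demo() {
  const first = new CookieJar("session=abc123"); // constructed sample request cookies
  const refused = setCookie(first, "analytics_id", "xyz"); // false: no consent yet
  const servedBefore = canServe(first, true); // false: consent must be sought
  setCookie(first, "session", "abc123", { essential: true }); // essential: allowed
  recordConsent(first); // user accepted via the site's consent prompt
  const allowed = setCookie(first, "analytics_id", "xyz"); // true
  // Next visit: the browser sends back what was stored last time.
  const returning = new CookieJar(first.toString());
  return {
    refused,
    servedBefore,
    allowed,
    returningHasConsent: hasConsent(returning.toString()),
    cookies: returning.cookies,
  };
}
```

The point of the check in `hasConsent` is that only the exact expected value counts: a missing cookie, or one with any other value, falls back to treating the visitor as not having consented, so a defect in the prompt logic fails towards seeking consent rather than assuming it.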
As with many aspects of the law concerning data protection and privacy, there are shades of grey here for businesses and website operators to consider; the Information Commissioner has gone so far as to say that they are “best placed to work out” how to get information to their users, what those users will understand and how they would like to demonstrate consent. Websites aimed at certain areas of the online community, such as children, will need to think carefully about how the consent of younger children is obtained (and the ICO has suggested that explicit parental consent is required where a child is under 12 years of age).
For further information or advice on information law, contact Caroline Redhead on 01228 552222.