" />

Burnetts logo

ICO publishes guidance on new regulations on the use of cookies

The Information Commissioner's Office (ICO) has published a guidance note on the changes to the rules on using cookies, from a system of "informed opt-out" to "prior, informed opt-in" following amendments to the E-Privacy Directive. Associate Solicitor Caroline Redhead explains the ramifications for website owners.

The changes come into force on 25th May 2011. The ICO has drawn up the guidance note to help organisations start to think about the practical steps they will need to take to remain compliant with the new regulations. The note is designed to help them consider what type of cookies or similar technology their website uses and for what purpose, how intrusive their use is and which solution for obtaining users' consent would best suit them.

However, website owners will be unimpressed by the fact that both the Regulations and the ICO's guidance were published a mere three weeks before the deadline of 25th May. This now leaves many businesses with the prospect of having to carry out a complex technical and organisational audit at very short notice.

While website owners will welcome the ICO's assurance that – initially – it will only require them to show that they are considering the steps to take to achieve compliance, it is as yet unclear when this transitional period will end. Additional guidance on enforcement, to which the current advice refers, is expected to be published in due course.

Background

In November 2009, a new European legislative framework for electronic communications was adopted; the UK government consulted on the implementation of the new framework and published its response in April 2011. The new law, which will come into force on 25th May 2011, will require UK businesses and other organisations to obtain consent from visitors to their websites in order to store information on, and retrieve usage information from, users’ computers.

Facts

The ICO’s new guidance note contains advice to help organisations start to think about the practical steps they will need to take to remain compliant with the new regulations. It emphasises that it is a starting point for achieving compliance, rather than a definitive or prescriptive guide. The ICO plans to supplement the guidance note with additional content as innovative ways to acquire users' consent are developed.

The following is a summary of the key aspects of the ICO's guidance note.

Explanation of the change to the rules

The ICO sets out the changes to the law on the use of cookies and similar technologies. It explains to organisations that they will now need a user's consent if they want to store a cookie on a user’s device. It provides some reassurance to organisations by stating that it recognises that cookies perform a number of legitimate functions and that gaining consent will, in many cases, be a challenge.

Exception to consent rule

Consent is not required when a cookie is strictly necessary to deliver a service which has been explicitly requested by the user. The ICO considers that this is a narrow exception which applies to a small range of activities, such as the use of cookies in online shopping baskets, which was the view of the government in its response document.

The ICO states that the exception would not apply to an organisation which decided that its website was more attractive if it remembered users' preferences or if it used a cookie to collect statistical information about the use of its website.

Steps an organisation should take

The ICO advises organisations to take the following steps:

* audit – to check what type of cookies and similar technologies it is using and how it uses them;
* assess – to assess how intrusive its use of cookies is; and
* identify potential solutions – to decide on the best solution for it to obtain consent.

Step 1: Audit

The ICO explains that this might amount to a comprehensive audit of an organisation's website, or it could be as simple as checking what data files are placed on user terminals and why.

An organisation should analyse which cookies are "strictly necessary" and might not need consent. This could be a good opportunity for organisations to "clean up" their webpages and stop using any cookies that are unnecessary, or which have been superseded as their websites have evolved.

Step 2: Assessment

The ICO explains that the new rule is intended to add to the level of protection afforded to the privacy of internet users. Consequently, organisations need to give greater priority to obtaining meaningful consent for their more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual's browsing activity.

Step 3: Potential solutions

The ICO's advice in relation to the use of browser settings as a means of indicating consent follows that of the government in its response document, namely that most browser settings are not currently sophisticated enough. It also points out that not everyone who visits a website will do so using a browser; for example, they may have used an application on their mobile device. Consequently, the ICO's current advice is that organisations which use cookies or other means of storing information on a user's equipment must gain consent some other way. The ICO explains that an organisation needs to provide information about cookies and obtain consent before a cookie is set for the first time; it does not need to do so again for the same person each time it uses the same cookie (provided that use of the cookie is for the same purpose).

It notes that in the future many websites may well be able to rely on the user's browser settings to demonstrate that they had the user's agreement to set all sorts of cookies. As the government mentioned in its response document, it is working on this with major browser manufacturers.

In the guidance document, the ICO then looks at various options for an organisation to obtain a user's consent, including the following.

  • Pop-ups and similar techniques. The ICO comments that this seems a relatively easy option to achieve compliance, but may spoil a user's experience of using a website if several cookies are used.
  • Terms and conditions. If users have already consented to the terms of use when they first registered online, the organisation must make them aware of the changes to its terms in relation to the use of cookies. The ICO recommends that it obtains a positive indication that users understand and agree to the changes, which can be done by asking them to tick a box.
  • Settings-led consent. Some cookies are deployed when a user makes a choice about how the website works for them (such as their "personalised greeting"). The ICO suggests that consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work.
  • Functional uses. The ICO explains that an analytic cookie, which collects information about how people access and use a website, might not appear to be as intrusive as others, but still needs consent. It recommends that organisations make information about the use of cookies more prominent, perhaps with a list of them and description of how they work. Text could be placed in the footer or header of the web page, which is highlighted when an organisation wants to set a cookie on the user's device, prompting the user to read further information (perhaps served via the privacy pages of the website) and make any appropriate choices.
  • Third-party cookies. Some websites allow third parties to set cookies on a user's device, and the process of getting consent for these cookies is more complex. The ICO advises that anyone using third-party cookies ensures that the user is aware of what is being collected and by whom, and allows them to make informed choices about what is stored on their device. It acknowledges that this may be the most challenging area in which to achieve compliance with the new rules and states that it is working with industry and other European data protection authorities to find solutions.
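As an added illustration (not from the ICO's guidance or from this note), the following JavaScript models the rules described above: a cookie may be stored without consent only if it is strictly necessary for a service the user requested; anything else needs prior, informed opt-in, recorded once per purpose and not requested again for the same purpose; and the notice lists non-essential cookies with who sets them. The cookie registry is a constructed Step 1 audit result, and all names are assumptions.

```javascript
// Added example, not from the ICO guidance or this note. The registry below is
// a constructed result of a Step 1 audit; cookie names and purposes are assumed.
const COOKIE_REGISTRY = [
  { name: "basket",     purpose: "shopping-basket", strictlyNecessary: true,  setBy: "this site" },
  { name: "greeting",   purpose: "personalisation", strictlyNecessary: false, setBy: "this site" },
  { name: "site_stats", purpose: "analytics",       strictlyNecessary: false, setBy: "this site" },
  { name: "ad_profile", purpose: "advertising",     strictlyNecessary: false, setBy: "adnet.example" },
];

// Consent record: one positive indication (ticked box, settings choice) per purpose.
function createConsentStore() {
  return { purposes: new Set() };
}
function grantConsent(store, purpose) {
  store.purposes.add(purpose);
  return store;
}
function withdrawConsent(store, purpose) {
  store.purposes.delete(purpose);
  return store;
}

// Decide whether a cookie may be set now: strictly necessary cookies pass under
// the exception; any other cookie needs consent already recorded for its purpose.
function mayStoreCookie(store, cookie) {
  if (cookie.strictlyNecessary) return { allowed: true, reason: "strictly necessary" };
  if (store.purposes.has(cookie.purpose)) return { allowed: true, reason: "prior consent" };
  return { allowed: false, reason: "no consent for purpose: " + cookie.purpose };
}

// Partition the registry into cookies that may be set now and those that must
// wait for consent, so the page knows which notice to highlight (Step 3).
function gateCookies(store, registry) {
  const allowed = [], blocked = [];
  for (const c of registry) (mayStoreCookie(store, c).allowed ? allowed : blocked).push(c.name);
  return { allowed, blocked };
}

// Plain-language lines for the cookie notice: name, purpose and who sets it,
// so that third-party cookies disclose "by whom" as well as "what".
function cookieNoticeLines(registry) {
  return registry
    .filter((c) => !c.strictlyNecessary)
    .map((c) => `${c.name}: used for ${c.purpose}, set by ${c.setBy}`);
}
```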

Enforcement

The government has publicised its view that there should be a phased approach to the implementation of these changes. Consequently, the ICO says in its guidance note that were it to receive a complaint about a website, it would expect an organisation's response to be that it has considered the changes and has a realistic plan to achieve compliance. It would handle that sort of response very differently from one from an organisation which decides to avoid making any change to its current practice.

The ICO will be issuing separate guidance on how it intends to enforce the new regulations. We will issue a further briefing note as and when such guidance becomes available.

Comment

The ICO's guidance, published in somewhat of a hurry prior to the 25th May implementation deadline, will leave many website owners uncertain about the extent of their obligations once the new Regulations come into force. In particular, users of third-party cookies will find the ICO's rather non-committal statement that "everyone has a part to play in making sure that the user is aware of what is being collected and by whom" unhelpful. Third-party cookies are commonly used by online advertising networks for the purpose of profiling users by tracking their online behaviour and for targeting online advertisements accordingly. Given that the business models of many, otherwise free-to-access, online services depend on advertising revenue, online businesses urgently require clear guidelines about the methods they can use to achieve compliance with the new provisions in this regard.

In light of the fact that the revised E-Privacy Directive was adopted as early as December 2009, it is unfortunate that both the Regulations and the ICO's guidance were published so close to the implementation deadline. This leaves many businesses with the prospect of having to carry out a complex technical and organisational audit at very short notice. While website owners will welcome the ICO's assurance that – initially – it will only require them to show that they are considering the steps to take to achieve compliance, it is as yet unclear when this transitional period will end. We will publish further updates in due course.

The ICO’s Guidance is available here.

For further information or advice on information law, contact Caroline Redhead on 01228 552222.

Published: Monday 30th May 2011
Categorised: Corporate Law, Education, Information Law