The Information Commissioner's Office (ICO) has published a guidance note on the changes to the rules on using cookies, from a system of "informed opt-out" to "prior, informed opt-in" following amendments to the E-Privacy Directive. Associate Solicitor Caroline Redhead explains the ramifications for website owners.
The changes come into force on 25th May 2011. The ICO has drawn up the guidance note to help organisations start to think about the practical steps they will need to take to remain compliant with the new regulations. The note is designed to help them consider what type of cookies or similar technology their website uses and for what purpose, how intrusive their use is and which solution for obtaining users' consent would best suit them.
However, website owners will be unimpressed by the fact that both the Regulations and the ICO's guidance were published a mere three weeks before the deadline of 25th May. This now leaves many businesses with the prospect of having to carry out a complex technical and organisational audit at very short notice.
While website owners will welcome the ICO's assurance that – initially – it will only require them to show that they are considering the steps to take to achieve compliance, it is as yet unclear when this transitional period will end. Additional guidance on enforcement, to which the current advice refers, is expected to be published in due course.
In November 2009, a new European legislative framework for electronic communications was adopted; the UK government consulted on the implementation of the new framework and published its response in April 2011. The new law, which will come into force on 25th May 2011, will require UK businesses and other organisations to obtain consent from visitors to their websites in order to store information on, and retrieve usage information from, users’ computers.
The ICO’s new guidance note contains advice to help organisations start to think about the practical steps they will need to take to remain compliant with the new regulations. It emphasises that it is a starting point for achieving compliance, rather than a definitive or prescriptive guide. The ICO plans to supplement the guidance note with additional content as innovative ways to acquire users' consent are developed.
The following is a summary of the key aspects of the ICO's guidance note.
Explanation of the change to the rules
Exception to consent rule
The ICO states that the exception would not apply to an organisation which decided that its website was more attractive if it remembered users' preferences or if it used a cookie to collect statistical information about the use of its website.
Steps an organisation should take
The ICO advises organisations to take the following steps:
* audit – to check what type of cookies and similar technologies it is using and how it uses them;
* identify potential solutions – to decide on the best solution for it to obtain consent.
Step 1: Audit
The ICO explains that this might amount to a comprehensive audit of an organisation's website, or it could be as simple as checking what data files are placed on user terminals and why.
An organisation should analyse which cookies are "strictly necessary" and might not need consent. This could be a good opportunity for organisations to "clean up" their webpages and stop using any cookies that are unnecessary, or which have been superseded as their websites have evolved.
Step 2: Assessment
The ICO explains that the new rule is intended to add to the level of protection afforded to the privacy of internet users. Consequently, organisations need to give greater priority to obtaining meaningful consent for their more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual's browsing activity.
Step 3: Potential solutions
The ICO notes that in the future many websites may well be able to rely on the user's browser settings to demonstrate that they had the user's agreement to set all sorts of cookies. As the government mentioned in its response document, it is working on this with major browser manufacturers.
In the guidance document, the ICO then looks at various options for an organisation to obtain a user's consent, including the following.
- Pop-ups and similar techniques. The ICO comments that this seems a relatively easy option to achieve compliance, but may spoil a user's experience of using a website if several cookies are used.
- Settings-led consent. Some cookies are deployed when a user makes a choice about how the website works for them (such as their "personalised greeting"). The ICO suggests that consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work.
- Third-party cookies. Some websites allow third parties to set cookies on a user's device, and the process of getting consent for these cookies is more complex. The ICO advises that anyone using third-party cookies ensures that the user is aware of what is being collected and by whom, and allows them to make informed choices about what is stored on their device. It acknowledges that this may be the most challenging area in which to achieve compliance with the new rules and states that it is working with industry and other European data protection authorities to find solutions.
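As an added illustration of how steps 1 to 3 translate into site code (this is example code, not part of the ICO's guidance or of this briefing), the following module keeps a cookie inventory from the audit, records which categories the visitor has opted in to, and only issues a cookie once consent for its category exists; strictly necessary cookies are the sole exception. Every cookie name, purpose and the third-party host `ads.example` are hypothetical.

```javascript
// Added example, not from the ICO guidance or this briefing: a minimal
// "prior, informed opt-in" gate built around a cookie inventory.
// All cookie names, purposes and the third-party host are hypothetical.

// Step 1 (audit): every cookie the site intends to set is recorded here with
// its purpose and category. Anything found in the browser that is not listed
// is a leftover the audit should flag for removal.
const COOKIE_REGISTRY = {
  session_id:    { purpose: "keeps the visitor logged in during a visit",   category: "strictly-necessary" },
  basket:        { purpose: "remembers items placed in the shopping basket", category: "strictly-necessary" },
  greeting_name: { purpose: "personalised greeting the visitor asked for",   category: "preferences" },
  site_stats:    { purpose: "first-party usage statistics",                 category: "analytics" },
  ad_profile:    { purpose: "behavioural advertising profile",              category: "advertising",
                   thirdParty: "ads.example" },
};

// Step 2 (assessment): categories ordered from least to most intrusive.
// Only "strictly-necessary" is exempt from the consent requirement.
const CATEGORIES = ["strictly-necessary", "preferences", "analytics", "advertising"];

// Records which categories the visitor has actively opted in to.
// Nothing is granted by default: the new rule is opt-in, not opt-out.
class ConsentState {
  constructor() { this.granted = new Set(); }
  grant(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.granted.add(category);
  }
  revoke(category) { this.granted.delete(category); }
  has(category) { return category === "strictly-necessary" || this.granted.has(category); }
}

// Step 3 (consent check): decide whether a named cookie may be issued now.
function mayIssue(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return { allowed: false, reason: "not in the cookie inventory" };
  if (consent.has(entry.category)) return { allowed: true, reason: entry.category };
  return { allowed: false, reason: `no opt-in for ${entry.category}` };
}

// Builds the Set-Cookie header values the server may legitimately send for a
// response, given the visitor's consent state. Cookies without consent are
// dropped rather than set first and hidden behind an opt-out.
function buildSetCookieHeaders(consent, values) {
  const headers = [];
  for (const [name, value] of Object.entries(values)) {
    if (!mayIssue(name, consent).allowed) continue;
    const entry = COOKIE_REGISTRY[name];
    const attrs = ["Path=/", "Secure", "SameSite=Lax"];
    // Server-side state cookies never need script access, so keep them HttpOnly.
    if (entry.category === "strictly-necessary") attrs.push("HttpOnly");
    headers.push(`${name}=${encodeURIComponent(value)}; ${attrs.join("; ")}`);
  }
  return headers;
}

// Audit helper: parse a document.cookie-style string ("a=1; b=2") and sort
// what is actually present into the three buckets the guidance cares about:
// exempt, needing consent, and unregistered (candidates for the "clean up").
function auditCookieString(cookieString) {
  const result = { exempt: [], needsConsent: [], unregistered: [] };
  for (const pair of cookieString.split(";")) {
    const name = pair.split("=")[0].trim();
    if (!name) continue;
    const entry = COOKIE_REGISTRY[name];
    if (!entry) result.unregistered.push(name);
    else if (entry.category === "strictly-necessary") result.exempt.push(name);
    else result.needsConsent.push({ name, category: entry.category, thirdParty: entry.thirdParty || null });
  }
  return result;
}
```

The registry is the artefact the audit in step 1 produces; keeping it in code means an unregistered cookie surfaces as a finding rather than silently persisting. The `thirdParty` field records who receives the data, which is the information the guidance says users of third-party cookies must be able to put in front of the visitor.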
The government has publicised its view that there should be a phased approach to the implementation of these changes. Consequently, the ICO says in its guidance note that were it to receive a complaint about a website, it would expect an organisation's response to be that it has considered the changes and has a realistic plan to achieve compliance. It would handle that sort of response very differently from one from an organisation which decides to avoid making any change to current practice.
The ICO will be issuing separate guidance on how it intends to enforce the new regulations. We will issue a further briefing note as and when such guidance becomes available.
The ICO's guidance, published in somewhat of a hurry prior to the 25th May implementation deadline, will leave many website owners uncertain about the extent of their obligations once the new Regulations come into force. In particular, users of third-party cookies will find the ICO's rather non-committal statement that "everyone has a part to play in making sure that the user is aware of what is being collected and by whom" unhelpful. Third-party cookies are commonly used by online advertising networks for the purpose of profiling users by tracking their online behaviour and for targeting online advertisements accordingly. Given that the business models of many, otherwise free-to-access, online services depend on advertising revenue, online businesses urgently require clear guidelines about the methods they can use to achieve compliance with the new provisions in this regard.
In light of the fact that the revised E-Privacy Directive was adopted as early as December 2009, it is unfortunate that both the Regulations and the ICO's guidance were published so close to the implementation deadline. This leaves many businesses with the prospect of having to carry out a complex technical and organisational audit at very short notice. While website owners will welcome the ICO's assurance that – initially – it will only require them to show that they are considering the steps to take to achieve compliance, it is as yet unclear when this transitional period will end. We will publish further updates in due course.
The ICO’s Guidance is available here.
For further information or advice on information law, contact Caroline Redhead on 01228 552222.