InfoLaw June 2012
Cookies: the next chapter
Just over a year ago, on 26 May 2011, the Information Commissioner published new guidance to reflect the coming into force of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 but, accepting the scale of the compliance task these Regulations would impose on many businesses, announced that he would allow organisations a year-long period to work towards compliance with the new requirements.
In that year, there has been much discussion, analysis and reaction to the “Cookies Regulations”.
The Information Commissioner's Office (ICO) has been involved both formally (promulgation of guidance) and informally (in the blogosphere), and in its direct work with more than 50 organisations behind popular websites, and others, to help achieve compliance.
It has always been clear that the ICO expected organisations to be working towards compliance, so that at the end of the “amnesty” period each website owner had a solution in place which would give a visitor sufficient information to understand what a cookie is and what it would mean to have one placed on his or her device, and which would allow the visitor to grant or refuse consent before a cookie was served.
It has also always been clear that there can be no ‘one size fits all’ approach to compliance with these Regulations. The ICO’s guidance has always reflected its view, which some organisations think unhelpful but others see as allowing more flexibility, that organisations themselves are best placed to develop their own solutions: they will know how and why their customers use their websites better than the regulator does.
The current position
This latest guidance sees a change in the ICO's position on the requirements for obtaining internet users' consent to the setting of cookies. The ICO’s previous position was that implied consent would not be sufficient to achieve compliance (as has always been the Article 29 Working Party’s view). However, the revised ICO guidance suggests that implied consent is a reasonable proposition in the context of storage of information or access to information using cookies, at least where non-sensitive personal data is concerned.
In a nutshell, the guidance makes the following statements concerning implied consent:
• implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies;
• if you are relying on implied consent, you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent;
• in some circumstances, for example where you are collecting sensitive personal data such as health information (in relation to the processing of which, readers will recall, the Data Protection Act requires explicit consent), implied consent is unlikely to be sufficient.
Consent and information
The catalyst for legislation in this area was the lack of general awareness about the data collected by cookies, and this is the key issue (or certainly one of the key issues) for businesses to consider when designing a cookies policy and compliance solution: without information there is no basis to assume understanding, and the absence of understanding makes “informed consent” difficult to obtain, and probably impossible to imply.
The ICO’s Guidance therefore stresses that, to be confident in its ability to rely on a user’s consent for cookies (and particularly when an organisation’s solution relies on implied consent for a particular category of cookies), the organisation must ensure that clear and relevant information is readily available to users, explaining what is likely to happen while the user is accessing the site and what choices the user has to control what happens. The level of information which might be provided will vary, depending upon the type of site and the type of user, and suggestions (which are intended neither to be prescriptive nor exhaustive) appear in the ICO’s Guidance.
The ICO has previously (somewhat defensively) emphasised that it is only responsible for enforcing the law, and cannot change the legislation, which was passed by the EU and later implemented by the Department for Culture, Media and Sport (DCMS). However, the ICO’s position on the availability (albeit in limited circumstances) of implied consent to a cookie being served is likely to set the ICO against the majority of data protection regulators in other member states and the Article 29 Working Party, which, as mentioned above, has all along clearly ruled out the use of implied consent. By the ICO’s own admission, this may lead to difficulties for UK providers who place cookies on the equipment of non-UK EU citizens on the basis of implied consent.
This is an area where development will clearly continue. As and when enforcement action is taken (and it will be interesting to see whether any privacy-focused individual uses the ICO’s “report your cookie concerns” tool to tell tales to the ICO!), further information will become available to clarify what compliance will look like. But for the time being, we understand that the technical gurus are working on new tools to gather data…