
Lifting the lid on the Cookie Jar

We have tracked the changing picture on cookie compliance in our monthly InfoLaw updates. Our views on this topic are collated here as we enter the countdown to the end of the “enforcement holiday”. We understand from our clients in both higher education (HE) and further education (FE) that this is a topic of interest to the sector, and it is worth watching as website operators look ever more closely at what might (and might not) be acceptable going forward.

To recap, with the entry into force in May of last year of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the “Cookies Regulations”), the rules on cookies changed completely: from a system of “informed opt-out” (which, in practice, meant that users did nothing) to “prior, informed opt-in”, so that consent is now required, in almost all cases, before a cookie is set. The Cookies Regulations apply to all website operators.

What do you mean, “Cookies”? 

One common technique for storing information is widely known as a “cookie”. This is a small piece of data that a website asks the user’s browser to store on the user’s computer, and which the browser sends back on later requests to that site, so that the site can remember something, for example the user’s preferences or login session. The majority of organisations in the UK currently use cookies for a wide variety of reasons, from analysing browsing habits to remembering a returning user’s details when he or she is buying products online.

The new Cookies Regulations have been promulgated largely in response to the increased prevalence of behavioural advertising. The view of the European data protection authorities is that, although behavioural advertising undoubtedly brings economic benefits, it should not be carried out at the expense of individuals’ rights to privacy and data protection. Accordingly, it is probably not unduly simplistic to say that the Cookies Regulations are not really aimed at the regulation of internet services which users want or need, although their effect is to require website operators to consider how meaningful consent may be obtained to the use of all cookies. It is clear (and specifically stated in Guidance published by the Information Commissioner’s Office, the ICO) that the Cookies Regulations apply not only to cookies but to any similar technology whose function is to store information on, or gain access to information stored on, the user’s device (browser local storage, for example).

The Information Commissioner has indicated that, whilst the implementation of this new law will be challenging, it will benefit consumers by giving them more choice and control over the information which businesses and other organisations can store on, and access from, the consumers’ own computers. He said that the ICO is “proactively working with the government, businesses and the public sector to find a workable solution”, acknowledging that “the internet as we know it today depends on the widespread use of cookies and there are of course legitimate business reasons for using them” and accepting that “these changes must not have a detrimental impact on consumers nor cause an unnecessary burden on UK businesses”.

The key issue is the new requirement to obtain a user’s consent after he or she has been provided with clear and comprehensive information. The ICO’s Guidance suggests that consent “must involve some form of communication, where the individual knowingly indicates their acceptance”. It is clearly accepted that the level of consent required will vary depending upon the nature of the cookie in question. It is appropriate to think in terms of a “sliding scale”, with privacy-neutral cookies at one end and potentially more intrusive uses of the technology at the other.

Many organisations will be considering whether implied consent is acceptable. Whilst the ICO’s guidance does not currently accept this as a valid method of obtaining consent, discussions held by industry stakeholders, in which the ICO has been involved, suggest that for the least intrusive cookies it would not be unreasonable to imply a user’s consent where appropriate information is available. It is important, however, to distinguish this from a continuation of the “opt-out” status quo: implied consent still depends on the user having been given clear information first.

Compliance is likely to be a moving target in that what is and is not acceptable will become clearer once the “enforcement holiday” ends on 26 May 2012.  The Information Commissioner has encouraged organisations to consider and implement solutions which are appropriate to their individual business needs (because there is not a “one size fits all” solution available) and has indicated that he will work with organisations in the event that what they have done is not considered sufficient.  The key is for organisations to acknowledge that a step change is required and to plan accordingly.

The International Chamber of Commerce UK (ICC UK) has been working with a cross-section of industry stakeholders on a Guide intended to help businesses by giving them the technical and practical information they need to inform users and subscribers about what cookies are, and about how to work towards compliance. The Guide starts from an acceptance that there is a “sliding scale”, as mentioned above (and as per the Information Commissioner’s Guidance), and suggests dividing cookies into categories. The ICC UK Guide is therefore based on four categories of cookie, being:

• strictly necessary;

• performance;

• functionality; and

• targeting.

Categorisation (and the above is only one suggestion of four possible categories) was considered useful, firstly, because it provides operators with “buckets” into which all cookies used by an organisation’s website can be placed. In addition, it allows consent to be collected at the same time for all cookies used by the site that fall into the same category, and it allows the use of the standard user notices which have been developed by the working party and publicised through the Guide. The hope is that the Guide will become a point of reference across a broad spectrum of business (possibly internationally) and that such widespread use will increase the speed at which users become educated, as they will be presented with the same categories of cookie, and standard language for each type, on many different sites.

The Guide considers what might properly comprise “consent” for each category of cookie and describes a gradation in the level of consent required, again by reference to the “sliding scale”: strictly necessary cookies require no consent and, at the other end of the spectrum, targeting cookies require very meaningful consent. The Guide remains a work in progress but is in the process of being finalised. It has been through six previous iterations and has incorporated the views of stakeholders from across industry (including representatives from the Information Commissioner’s Office).

What steps should an organisation take?

The ICO advises organisations to take the following three steps:

• audit – check what types of cookie and similar technologies the organisation is using, and how it uses them;

• assess – assess how intrusive its use of cookies is; and

• identify potential solutions – decide on the best way for it to obtain consent.

Step 1: Audit

This might amount to a comprehensive audit of an organisation’s website, or it could be as simple as checking what cookies and other data are placed on users’ devices, by which part of the site (or which third party), and why.
An organisation should analyse which cookies are “strictly necessary” and might not need consent (an example might be the cookie which remembers what you have in your shopping basket on an online retailer’s site). This could be a good opportunity for organisations to “clean up” their web pages and stop using any cookies that are unnecessary, or which have been superseded as their websites have evolved.

Step 2: Assessment

The new rules are intended to add to the level of protection afforded to the privacy of internet users. Consequently, organisations need to give greater priority to obtaining meaningful consent for their more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual's browsing activity. There is a growing emphasis on a “right to be forgotten” and this change in the rules is a step in this direction.

Step 3: Potential solutions

One option being considered is to allow consent to the use of cookies to be given via browser settings, although the current view is that most browser settings are not yet sophisticated enough (although in the future they may well be). This is an issue in relation to which Government and the ICO are working with major browser developers.
In any event, however, not everyone who visits a website will do so using a browser; they may, for example, have used an application on their mobile device. Consequently, the ICO's current advice is that organisations which use cookies or other means of storing information on a user's equipment must gain consent in some other way. The ICO explains that an organisation needs to provide information about cookies and obtain consent before a cookie is set for the first time; it does not need to do so again for the same person each time it uses the same cookie (provided that use of the cookie is for the same purpose).

The following are the options which the current guidance considers:

• Pop-ups and similar techniques. A relatively easy option to achieve compliance, but may spoil a user's experience of using a website if several cookies are used.

• Terms and conditions. If users have already consented to the terms of use when they first registered online, the organisation must make them aware of the changes to its terms in relation to the use of cookies. A positive indication (eg ticking a box) should be obtained to indicate that users understand and agree to the changes.

• Settings-led consent. Some cookies are deployed when a user makes a choice about how the website works for them (such as a "personalised greeting"). In this case, consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work.

• Functional uses. An analytics cookie, which collects information about how people access and use a website, might not appear to be as intrusive as others, but it still needs consent. The ICO recommends that organisations make information about their use of cookies more prominent, perhaps with a list of the cookies and a description of how each works. Text could be placed in the footer or header of the web page and highlighted when the organisation wants to set a cookie on the user’s device, prompting the user to read further information (perhaps served via the privacy pages of the website) and make any appropriate choices.

• Third-party cookies. Some websites allow third parties to set cookies on a user's device, and the process of getting consent for these cookies is more complex. Anyone using third-party cookies should ensure that the user is aware of what is being collected and by whom, and allows them to make informed choices about what is stored on their device (although the ICO acknowledges that this may be challenging).

Many businesses will be looking at the extent to which implied consent will be compliant. The ICO has taken a reasonably pragmatic approach and has acknowledged that, in some circumstances, implied consent might be acceptable. The ICC UK Guide, referred to above, also acknowledges that for some categories of cookie, for example “performance cookies” (cookies limited to performance measurement and website improvement, collecting only anonymised information and accessible only to the website operator – typically analytics cookies), implied consent should be a possibility.

Obviously whether or not such consent is informed will depend very much on the way in which the organisation presents the information to visitors to the website and a “one size fits all” approach is not likely to be a realistic option.

Enforcement

We are now approaching the end of the 12-month lead-in period during which the ICO indicated that enforcement action would not be taken. The ICO’s expectation is that, during this period, organisations will have been working towards the design and development of a solution which meets the requirements of the Cookies Regulations. This lead-in period ends in May 2012. From May 2012 onwards the Commissioner will follow the approach to enforcement set out in his Data Protection Regulatory Action Policy (available through the ICO’s website at https://ico.org.uk/). Enforcement action in relation to a breach will be considered by reference to the impact of the breach on the privacy and other rights of website users, and not just by whether there has been a technical breach of the Regulations.

As May approaches, the Information Commissioner has indicated that he will ask organisations to explain to him the steps they are taking to ensure that they will, in fact, be in a position to comply by May 2012. However, he confirmed in his blog last December that “there will not be a wave of knee-jerk formal enforcement action against those who are not yet compliant but trying to get there”.

How can businesses comply?

A website operator must provide users with clear and comprehensive information about the purpose of the storage of, or access to, cookies the website places on the user's equipment. The Information Commissioner's initial guidance states that, if the information is to be included in a privacy policy, that policy should be clearly signposted at least on those pages where a user may enter a website. The guidance also states that sites which permit third parties to use cookies will have to inform users that this is the case, although it does not provide any useful suggestion as to what might suffice.
The approach the ICO has taken on its own website is to provide information about the name and purpose of each cookie it uses as well as links to further information available from external sources in a table format. This ties in with the ICO’s general advice to providers that, before deciding on the method for obtaining consent, they should check what type of cookies and similar technologies they are using, consider how they use them and how intrusive that use is. This is probably an approach suitable for all websites.

Where a user refuses to accept cookies (by declining to tick a box, for example), the website operator should refrain from setting any cookies other than those which are strictly necessary for operating the site (a session cookie that holds the user’s login or shopping basket, for example). Some websites set cookies as soon as a user arrives at the site, in the very first response and before any notice has been shown; such a cookie cannot have been consented to in advance, so “prior” consent has to be considered specifically in these cases. As a matter of good practice, the user should be informed that restrictions on his or her use of the website apply and/or that website functionality will be affected if he or she decides to reject cookies. The Regulations allow website operators to make the user’s access to certain web pages dependent on his or her acceptance of cookies.
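As an added worked example (not part of this factsheet, and not ICO or ICC UK material), the following Node.js script shows what the audit step described above and the “prior consent” point in the preceding paragraph come down to in practice: take the Set-Cookie headers a browser receives on a first, consent-less visit, parse them, and check each against the site’s own declared cookie inventory using the four ICC UK categories. Anything not strictly necessary that is set before consent, and anything not in the inventory at all, is flagged. The inventory, host names and headers are all constructed for illustration; the same-site check compares only the last two DNS labels, which is a simplification (a real audit would use the Public Suffix List, since co.uk and ac.uk domains would otherwise be misclassified).

```javascript
// Added example: audit the cookies a site sets on a first visit, before any
// consent has been given, against its declared cookie inventory.
// The inventory, hosts and headers below are constructed for illustration only.

// Hypothetical declared inventory, as a site's cookie table might present it,
// using the four ICC UK categories.
const INVENTORY = {
  SESSIONID:      { category: "strictly necessary", purpose: "holds the login session and basket" },
  cookie_consent: { category: "strictly necessary", purpose: "records the user's consent choice" },
  lang:           { category: "functionality",      purpose: "remembers the chosen language" },
  _ga:            { category: "performance",        purpose: "anonymised usage analytics" },
  ad_id:          { category: "targeting",          purpose: "behavioural advertising" },
};

// Constructed sample: Set-Cookie headers observed on the first page load,
// with the host of the response that carried each one.
const FIRST_VISIT = [
  { host: "www.example.com", header: "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "www.example.com", header: "_ga=GA1.2.111; Max-Age=63072000; Path=/" },
  { host: "ads.example.net", header: "ad_id=xyz; Domain=.example.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/" },
  { host: "www.example.com", header: "tracker=1; Max-Age=31536000; Path=/" },
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].includes("=") ? parts[0].indexOf("=") : parts[0].length;
  const cookie = { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  // A cookie with neither Expires nor Max-Age lives only for the browser session.
  cookie.persistent = "expires" in cookie.attrs || "max-age" in cookie.attrs;
  return cookie;
}

// Simplification: treat the last two DNS labels as the registrable domain.
// A real audit would consult the Public Suffix List (co.uk, ac.uk, ...).
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Classify each cookie set before consent. Only strictly necessary cookies
// may be set without prior consent; anything undeclared needs investigating.
function auditFirstVisit(observed, inventory, siteHost) {
  return observed.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const declared = inventory[c.name];
    let finding = "ok";
    if (!declared) finding = "undeclared";
    else if (declared.category !== "strictly necessary") finding = "needs prior consent";
    return {
      name: c.name,
      category: declared ? declared.category : "unknown",
      persistent: c.persistent,
      thirdParty: registrableDomain(host) !== registrableDomain(siteHost),
      finding,
    };
  });
}

// Count findings by outcome, for a quick summary.
function summarise(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.finding]: (acc[f.finding] || 0) + 1 }), {});
}

const findings = auditFirstVisit(FIRST_VISIT, INVENTORY, "www.example.com");
console.table(findings);
console.log(summarise(findings));
```

Run with `node audit.js`. On the constructed input, the session cookie passes, the analytics and advertising cookies are flagged as needing prior consent (the advertising one also as third-party and persistent), and the undeclared `tracker` cookie is the kind of stale or forgotten cookie the “clean up” step above is meant to surface.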

Comment

The key here is what “consent” means and this is the focus of the new rules. Clearly what might be appropriate in terms of consent varies in the context of what the website is expected to do (for example how is the consent of younger children to be obtained) and various possibilities exist.

As with many aspects of the law concerning data protection and privacy, there are shades of grey here for businesses and website operators to consider; the Information Commissioner has gone so far as to say that the website operators themselves are “best placed to work out” how to get information to their users, what those users will understand and how they would like to demonstrate consent. Whilst this is of limited assistance, website operators who can show that they are genuinely considering their use of cookies with a view to updating and improving their practice, where necessary, can expect support rather than enforcement action.

As May approaches, the way in which very large, international businesses are rolling out their amended privacy policies, cookies policies and asking for consent will be interesting to watch. For many, this is likely to be an expensive and difficult process and, if organisations have not yet looked into their own cookie jar, now would certainly be a good time to open the lid.


Published: Friday 13th April 2012
Categorised: Education
