Wake up and smell the cookies
Caroline Redhead explains what the growing emphasis on a “right to be forgotten” means to businesses.
Although it is probably not at the top of every employer’s agenda, the Information Commissioner has told businesses and other organisations running websites in the UK that they need to ‘wake up’ to the fact that new legislation requires them to obtain consent before storing or accessing information on consumers’ computers. There is a growing emphasis on a “right to be forgotten”, and businesses need to be aware of the changes.
What do you mean, “Cookies”?
What steps should an organisation take?
The Information Commissioner's Office (ICO) has published a guidance note on the change in the rules on using cookies, from a system of "informed opt-out" (under which, in practice, users mostly do nothing) to "prior, informed opt-in". The note offers information to help organisations start thinking about the practical steps they will need to take to remain compliant with the new Regulations.
Step 1: Audit
This might amount to a comprehensive audit of an organisation's website, or it could be as simple as checking what data files are placed on users' terminals and why.
An organisation should identify which cookies are "strictly necessary" and so might not need consent, for example a cookie that remembers what a user has put in their shopping basket on an online retailer’s site.
Step 2: Assessment
The new rules are intended to add to the level of protection afforded to the privacy of internet users. Consequently, organisations need to give greater priority to obtaining meaningful consent for their more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual's browsing activity.
Step 3: Potential solutions
The ICO explains that an organisation needs to provide information about cookies and obtain consent before a cookie is set for the first time; it does not need to do so again for the same person each time it uses the same cookie (provided that use of the cookie is for the same purpose).
The following are the options which the current guidance considers:
• Pop-ups and similar techniques. A relatively easy way to achieve compliance, but one that may spoil the user's experience of a website if several cookies are used.
• Settings-led consent. Some cookies are deployed when a user makes a choice about how the website works for them (such as a "personalised greeting"). In this case, consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work.
• Third-party cookies. Some websites allow third parties to set cookies on a user's device, and the process of getting consent for these cookies is more complex. Anyone using third-party cookies should ensure that the user is aware of what is being collected and by whom, and is allowed to make informed choices about what is stored on their device (although the ICO acknowledges that this may be challenging).
Businesses have until May 2012 to deal with this, but the Commissioner is already warning that enforcement action will be considered by reference to the impact of the breach on the privacy and other rights of website users, and not just on whether there has been a technical breach of the Regulations.
From now until May 2012, if the ICO receives a complaint about cookies which indicates that an organisation is not complying with the rules, it will provide advice to the organisation concerned. Where the Commissioner considers it appropriate, and particularly as May 2012 approaches, he has indicated that he will also ask organisations to explain the steps they are taking to ensure that they will in fact be in a position to comply by May 2012. We understand that a response indicating that an organisation has decided to make no change to current practice until compelled to do so will not be well received!
How can businesses comply?
The approach the ICO has taken on its own website is to set out, in a table, the name and purpose of each cookie it uses, together with links to further information from external sources. This ties in with the ICO’s general advice to providers that, before deciding on a method for obtaining consent, they should check what types of cookies and similar technologies they are using, and consider how they use them and how intrusive that use is. This is probably an approach suitable for all websites. Where a user refuses to accept cookies (by not ticking a box, for example), the website operator should refrain from setting any cookies other than those, like session cookies, which are essential for operating the site. As a matter of good practice, however, the user should be informed that restrictions on their use of the website will apply and/or that the website's functionality will be affected if they decide to reject cookies.
The key question here is what “consent” means, and this is the focus of the new rules. Clearly, what is appropriate by way of consent varies with what the website is expected to do (for example, how is the consent of younger children to be obtained?), and various possibilities exist.
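The audit-then-consent procedure in Steps 1 to 3 above, and the rule in the paragraph above that a site which has been refused consent sets nothing but essential cookies, as an added example in JavaScript. This is not code from the article, the ICO or any real website: the cookie names, purposes and providers in the register are constructed for the example, and a Map stands in for document.cookie so the logic can be run in Node rather than in a browser.

```javascript
// Constructed cookie register: the output of a Step 1 audit. Every cookie the site
// sets is listed with its purpose, who sets it and whether it is strictly necessary.
// Names, purposes and providers here are invented for the example.
const COOKIE_REGISTER = {
  session_id:    { purpose: "Keeps the user logged in for this visit",        provider: "first-party",                    strictlyNecessary: true },
  basket:        { purpose: "Remembers items placed in the shopping basket",  provider: "first-party",                    strictlyNecessary: true },
  greeting_pref: { purpose: "Stores the user's chosen personalised greeting", provider: "first-party",                    strictlyNecessary: false },
  analytics_id:  { purpose: "Builds a profile of pages visited across sessions", provider: "third-party (analytics vendor)", strictlyNecessary: false },
};

// The cookie that records the user's decision. Setting it is needed to honour the
// choice (and to avoid asking again), so it is not itself gated on consent.
const CONSENT_COOKIE = "cookie_consent";

// A jar is a Map of cookie name -> value; it stands in for document.cookie.
function newJar() { return new Map(); }

// True once the user has answered, yes or no: the notice need not be shown again.
function consentRecorded(jar) { return jar.has(CONSENT_COOKIE); }

function consentGiven(jar) { return jar.get(CONSENT_COOKIE) === "accepted"; }

// Remove non-essential cookies already in the jar; returns the names removed.
function purgeNonEssential(jar) {
  const removed = [];
  for (const name of [...jar.keys()]) {
    const entry = COOKIE_REGISTER[name];
    if (entry && !entry.strictlyNecessary) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Record the user's decision. A rejection (or a later withdrawal) also clears any
// non-essential cookies set earlier. Returns the names purged for reporting.
function recordConsent(jar, accepted) {
  jar.set(CONSENT_COOKIE, accepted ? "accepted" : "rejected");
  return accepted ? [] : purgeNonEssential(jar);
}

// Gate every cookie write through the register and the recorded consent.
function setCookie(jar, name, value) {
  const entry = COOKIE_REGISTER[name];
  if (!entry) {
    // A cookie the audit did not catch: refuse rather than guess its category.
    return { set: false, reason: "not in the cookie register: audit it before using it" };
  }
  if (entry.strictlyNecessary) {
    jar.set(name, value);
    return { set: true, reason: "strictly necessary" };
  }
  if (!consentRecorded(jar)) {
    return { set: false, reason: "no decision recorded yet: show the cookie notice first" };
  }
  if (!consentGiven(jar)) {
    return { set: false, reason: "user rejected non-essential cookies" };
  }
  jar.set(name, value);
  return { set: true, reason: "user opted in" };
}

// The ICO-style disclosure table: one row per cookie with name, purpose and provider.
function cookieTable() {
  return Object.entries(COOKIE_REGISTER).map(([name, e]) => ({
    name,
    purpose: e.purpose,
    provider: e.provider,
    consentRequired: !e.strictlyNecessary,
  }));
}

// Simulate one visit and return whether each write succeeded.
function walkThroughVisit(accepts) {
  const jar = newJar();
  const log = [];
  log.push(["session_id", setCookie(jar, "session_id", "abc123").set]);
  log.push(["analytics_id (before notice)", setCookie(jar, "analytics_id", "u-42").set]);
  recordConsent(jar, accepts);
  log.push(["analytics_id (after decision)", setCookie(jar, "analytics_id", "u-42").set]);
  log.push(["basket", setCookie(jar, "basket", "sku-1").set]);
  return log;
}

console.table(cookieTable());
console.table(walkThroughVisit(true));
console.table(walkThroughVisit(false));
```

On a real site the Map would be replaced by document.cookie (or the server's Set-Cookie headers) and the register populated from the Step 1 audit. Refusing any cookie that is not in the register is a cheap check that the audit was complete: a write that is rejected for that reason points at a cookie nobody has yet classified.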
For further information about website law or cookies, contact Caroline Redhead on 01228 552222.