
Wake up and smell the cookies

Caroline Redhead explains what the growing emphasis on a “right to be forgotten” means to businesses.

Although it is probably not at the top of every employer’s agenda, the Information Commissioner has told businesses and other organisations running websites in the UK that they need to ‘wake up’ to the fact that new legislation requires them to get consent in order to store or access information on consumers’ computers. There is a growing emphasis on a “right to be forgotten” and businesses need to be aware of the changes.

What do you mean, “Cookies”?

One common technique of storing information is widely known as a “cookie”. This is a small file that a website puts on a user’s computer so that it can remember something, for example the user’s preferences, at a later time. The majority of businesses and organisations in the UK currently use cookies for a wide variety of reasons – from analysing consumer browsing habits to remembering a user’s payment details when he or she is buying products online.

What steps should an organisation take?

The Information Commissioner's Office (ICO) has published a guidance note on the changes to the rules on using cookies, from a system of "informed opt-out" (which means, mostly, that users do nothing) to "prior, informed opt-in" and offers information to help organisations start to think about the practical steps they will need to take to remain compliant with the new Regulations.

Step 1: Audit

This might amount to a comprehensive audit of an organisation's website, or it could be as simple as checking what data files are placed on user terminals and why.
An organisation should analyse which of its cookies are "strictly necessary" and therefore exempt from the consent requirement (for example, a cookie which remembers what you have in your shopping basket on an online retailer’s site) and which will need consent.

Step 2: Assessment

The new rules are intended to add to the level of protection afforded to the privacy of internet users. Consequently, organisations need to give greater priority to obtaining meaningful consent for their more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual's browsing activity.

Step 3: Potential solutions

One option being considered is to allow consent to the use of cookies to be given via browser settings. Unfortunately, this is something for the future as most browser settings are not yet sophisticated enough to do this. In any event, not everyone who visits a website will do so using a browser; they may, for example, have used an application on their mobile device. Consequently, the ICO's current advice is that organisations which use cookies or other means of storing information on a user's equipment must gain consent in a more proactive way.

The ICO explains that an organisation needs to provide information about cookies and obtain consent before a cookie is set for the first time; it does not need to do so again for the same person each time it uses the same cookie (provided that use of the cookie is for the same purpose).

The following are the options which the current guidance considers:

• Pop-ups and similar techniques. A relatively easy option for achieving compliance, but it may spoil a user's experience of using a website if several cookies are used.
• Terms and conditions. If users have already consented to the terms of use when they first registered online, the organisation must make them aware of the changes to its terms in relation to the use of cookies. A positive indication (eg ticking a box) should be obtained to indicate that users understand and agree to the changes.
• Settings-led consent. Some cookies are deployed when a user makes a choice about how the website works for them (such as a "personalised greeting"). In this case, consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work.
• Functional uses. An analytic cookie, which collects information about how people access and use a website, might not appear to be as intrusive as others, but it still needs consent. The ICO recommends that organisations make information about the use of cookies more prominent, perhaps with a list of them and a description of how they work. Text could be placed in the footer or header of the web page and highlighted when an organisation wants to set a cookie on the user's device, prompting the user to read further information (perhaps served via the privacy pages of the website) and make any appropriate choices.
• Third-party cookies. Some websites allow third parties to set cookies on a user's device, and the process of getting consent for these cookies is more complex. Anyone using third-party cookies should ensure that the user is aware of what is being collected and by whom, and allows them to make informed choices about what is stored on their device (although the ICO acknowledges that this may be challenging).

Enforcement

Businesses have until May 2012 to deal with this, but the Commissioner is already warning that enforcement action will be considered by reference to the impact of the breach on the privacy and other rights of website users, and not just whether there has been a technical breach of the Regulations.
From now until May 2012, if the ICO receives a complaint about cookies that indicates that an organisation is not complying with the rules, the ICO will provide advice to the organisation concerned. Where the Commissioner considers it appropriate, and particularly as May 2012 approaches, he has indicated that he will also ask organisations to explain to him the steps they are taking to ensure that they will, in fact, be in a position to comply by May 2012. We understand that a response which indicates that an organisation has decided to avoid making any change to current practice until compelled to do so will not be well received!

How can businesses comply?

A website operator must provide users with clear and comprehensive information about the purpose of the storage of, or access to, cookies the website places on the user's equipment. The Information Commissioner's initial guidance states that, if the information is to be included in a privacy policy, that policy should be clearly signposted at least on those pages where a user may enter a website. The guidance also states that sites which permit third parties to use cookies will have to inform users that this is the case, although it does not provide any useful suggestion as to what might suffice.
The approach the ICO has taken on its own website is to provide information about the name and purpose of each cookie it uses as well as links to further information available from external sources in a table format. This ties in with the ICO’s general advice to providers that, before deciding on the method for obtaining consent, they should check what type of cookies and similar technologies they are using, consider how they use them and how intrusive that use is. This is probably an approach suitable for all websites. Where a user refuses to accept cookies (by failing to tick a box, for example), the website operator should refrain from setting any cookies other than those, like session cookies, which are essential for operating the site. As a matter of good practice, the user should be informed, however, that restrictions on his use of the website apply and/or the website functionality will be affected if he decides to reject cookies.
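The consent options above and the approach described in this paragraph can be reduced to one gate in front of every cookie write: set "strictly necessary" cookies freely, set anything else only once the user has given a positive opt-in for its category, record that choice once so the same user is not asked again for the same cookies, and publish the audit register as a cookie table. The following is an added example, not code from the article or from Burnetts; the cookie names, categories and purposes are constructed, and the cookie jar is a Map standing in for document.cookie or a Cookie header.

```javascript
// Added example: a consent gate in the style of the ICO's "prior, informed opt-in".
// Assumptions: COOKIE_REGISTER is the (constructed) output of the Step 1 audit;
// "cookie_consent" is a constructed name for the cookie that records the user's choice.
const COOKIE_REGISTER = {
  session_id:   { purpose: "keeps the visitor signed in for one visit", necessary: true },
  basket:       { purpose: "remembers the shopping basket",             necessary: true },
  site_lang:    { purpose: "remembers the chosen language", necessary: false, category: "functional" },
  analytics_id: { purpose: "measures how pages are used",  necessary: false, category: "analytics" },
  ad_profile:   { purpose: "profiles browsing for adverts", necessary: false, category: "profiling" },
};
const CONSENT_COOKIE = "cookie_consent";

// Parse a Cookie header / document.cookie string ("a=1; b=2") into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar.set(part.slice(0, i).trim(), decodeURIComponent(part.slice(i + 1).trim()));
  }
  return jar;
}

// The categories the user has opted in to, or null if no decision has been recorded yet.
function consentFrom(jar) {
  if (!jar.has(CONSENT_COOKIE)) return null;
  const v = jar.get(CONSENT_COOKIE);
  return new Set(v === "none" ? [] : v.split(",").filter(Boolean));
}

// Record the positive indication once; an empty list means the user rejected all optional cookies.
function recordConsent(jar, categories) {
  jar.set(CONSENT_COOKIE, categories.length ? categories.join(",") : "none");
}

// Strictly necessary cookies may always be stored; cookies missing from the audit never;
// everything else only when the recorded consent covers its category.
function mayStore(name, consent) {
  const entry = COOKIE_REGISTER[name];
  if (!entry) return false;
  if (entry.necessary) return true;
  return consent !== null && consent.has(entry.category);
}

// Write a cookie only if the gate allows it; returns whether it was stored.
function setCookie(jar, name, value) {
  if (!mayStore(name, consentFrom(jar))) return false;
  jar.set(name, value);
  return true;
}

// Rows for a privacy-page cookie table (name, purpose, whether consent is required).
function cookieTable() {
  return Object.entries(COOKIE_REGISTER).map(([name, e]) =>
    ({ name, purpose: e.purpose, consentRequired: !e.necessary }));
}
```

Before a decision is recorded, only session and basket cookies get through; after a rejection, the optional cookies stay off the device while the site keeps working on the essential ones.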

Comment

The key here is what “consent” means and this is the focus of the new rules. Clearly what might be appropriate in terms of consent varies in the context of what the website is expected to do (for example, how is the consent of younger children to be obtained) and various possibilities exist.
As with many aspects of the law concerning data protection and privacy, there are shades of grey here for businesses and website operators to consider; the Information Commissioner has gone so far as to say that the website operators themselves are “best placed to work out” how to get information to their users, what those users will understand and how they would like to demonstrate consent. Whilst this is of limited assistance, website operators who can show that they are genuinely considering their use of cookies with a view to updating and improving their practice, where necessary, can expect support rather than enforcement action.

For further information about website law or cookies, contact Caroline Redhead on 01228 552222.

Published: Tuesday 11th October 2011
Categorised: Employment, Information Law