
Technical Briefing – New guidance issued on “Cookie Law” compliance

13 January 2012

In this briefing, we examine:

- The legal responsibilities for web site owners following the introduction of “Cookie Law”
- What steps companies need to put in place to meet compliance

Background

The new European Union Privacy and Electronic Communications Directive “Cookie Law” came into effect in the UK on Thursday 26th May 2011. From that date onwards all website owners are required by law to obtain explicit consent from their website users prior to the deployment of cookies onto their PCs, laptops or mobile devices. Failure to comply could lead to a fine of up to £500,000.

Specifically, a website may only deploy cookies if:

1. The user concerned “has given his or her consent”
2. And has been “provided with clear and comprehensive information” about the purpose of the cookies

On the 13th December, the UK Government and the Information Commissioner’s Office (ICO) (the body charged with policing the new act) issued a much needed report on cookies compliance, providing clearer guidance as to how the new legislation should be implemented.

The ICO’s latest briefing note, ‘Guidance on the rules on use of cookies and similar technologies’ (see Further Reading list below), published on the 13th December 2011, provides specific advice on what they are expecting website owners to demonstrate for compliance. The thorny issue of third party cookies (e.g. Google Analytics) is also addressed.

The only exception to this ruling will be “strictly necessary” cookies that are used during the delivery of a service “explicitly requested” by the user, such as a shopping basket facility or checkout option, where holding the information is necessary to provide that service.

The ICO has also confirmed that relying on a user’s web browser settings to assume acceptance of cookies will not be sufficient to achieve compliance.

What are the consequences if my site is not compliant?

The ICO have announced an enforcement moratorium for a period of up to 12 months (commencing on 26th May 2011 and finishing 25th May 2012), during which it is unlikely that enforcement action (i.e. fines) will be taken against website owners who are not compliant with the new legislation. Christopher Graham, the Information Commissioner, has stated that website owners will have up to 12 months to get their “house in order”. We are now in the final half of this lead-in period.

The ICO does expect website owners to be actively considering their options and making plans for achieving the necessary compliance during this bedding-in period, even more so now that the ICO’s new practical guidance report has removed much of the vagueness in how the law is to be interpreted.

Christopher Graham wrote in December: “If we approach your organisation about this topic, perhaps because we have received complaints, we expect you to be able to tell us what you have done so far, how you expect to be compliant and how long it will take.” (See ICO blog of 13th Dec in Further Reading below)

What should I do now?

If you are responsible for your company’s website, you should be doing the following:

• Perform a cookie audit: confirm the name of every cookie used on your site, what it is used for, whether it is first or third party, where it has come from and how long it remains active, and make a judgement on how intrusive it might be. Some cookies can be used to create highly detailed profiles of personal browsing activity, and it is these cookies that the ICO deem to be the most intrusive.

• Add a prominent, full disclosure of all cookies used on your site to its Privacy Policy page. Refer to the examples provided by the ICO in the updated version of their advice (see Further Reading).

• Given the outcomes of the audit, think through carefully what forms of consent might be appropriate to achieve compliance. The ICO recommends ranking your cookies by intrusiveness and tackling the most intrusive first.

• Make a formal record of the cookie audit and the analysis of compliance options undertaken. This will need to be in a format that could be provided to the ICO should the need arise.
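The audit step above asks for a record of each cookie’s name, origin, first or third party status and lifetime, ranked so that the most intrusive are tackled first. The script below is an added example, written for this briefing and not tooling from the ICO or from mso.net, showing how those facts can be extracted from captured Set-Cookie headers. The site hostname, the reference date of 13 January 2012 and the sample headers are all constructed assumptions; the “strictly necessary” judgement remains a human decision, so the script only records the facts that judgement rests on.

```python
"""Cookie audit helper (example code for this briefing, not ICO tooling).

Takes Set-Cookie headers captured while browsing a site and produces the
audit record the ICO guidance asks for: name, issuing host, first/third
party, lifetime and security flags, ranked with the most intrusive first.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed reference instant so that lifetimes are reproducible (assumption).
REFERENCE_NOW = datetime(2012, 1, 13, tzinfo=timezone.utc)

# Constructed sample capture: (URL that sent the header, Set-Cookie header value).
SAMPLE_CAPTURE = [
    ("https://www.example-shop.test/basket",
     "basket_id=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example-shop.test/",
     "session=xyz; Path=/; HttpOnly"),
    ("https://analytics.third-party.test/collect",
     "_track=u1; Domain=.third-party.test; Max-Age=63072000; Path=/"),
    ("https://www.example-shop.test/",
     "prefs=en; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Path=/"),
]


def lifetime_days(morsel):
    """Persistent lifetime in days, or None for a session cookie."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) // 86400
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        if expires.tzinfo is None:  # treat a naive timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - REFERENCE_NOW).days
    return None  # discarded when the browser closes


def party(site_host, cookie_host):
    """First party if the cookie's host is the site or a parent/child of it."""
    same_site = (cookie_host == site_host
                 or site_host.endswith("." + cookie_host)
                 or cookie_host.endswith("." + site_host))
    return "first" if same_site else "third"


def audit_cookie(site_host, issuing_url, set_cookie_value):
    """Build one audit record from a single Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    name, morsel = next(iter(jar.items()))
    # The Domain attribute wins; otherwise the cookie belongs to the issuing host.
    cookie_host = (morsel["domain"] or urlsplit(issuing_url).hostname).lstrip(".")
    return {
        "name": name,
        "set_by": issuing_url,
        "cookie_host": cookie_host,
        "party": party(site_host, cookie_host),
        "lifetime_days": lifetime_days(morsel),
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def intrusiveness_rank(record):
    """Higher score = tackle first: third-party persistent cookies top the list."""
    score = 0
    if record["party"] == "third":
        score += 2
    if record["lifetime_days"] is not None:
        score += 1
    return score


def audit(site_host, capture):
    """Audit a capture and return the records, most intrusive first."""
    records = [audit_cookie(site_host, url, header) for url, header in capture]
    return sorted(records, key=intrusiveness_rank, reverse=True)


if __name__ == "__main__":
    for rec in audit("www.example-shop.test", SAMPLE_CAPTURE):
        life = "session" if rec["lifetime_days"] is None else f"{rec['lifetime_days']} days"
        print(f"{rec['name']:<10} {rec['party']:<6} {life:<10} "
              f"secure={rec['secure']} httponly={rec['httponly']} from {rec['cookie_host']}")
```

The sorted output puts the persistent third-party tracking cookie first and the session cookies last, which matches the ICO’s advice to rank cookies and deal with the most intrusive first; the resulting list is also the kind of formal record that can be kept and shown to the ICO on request.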

Please feel free to contact us if you’d like help conducting your cookie audit or need help implementing cookie compliance.

Further Reading

The Information Commissioner’s Office: ICO blog: half term report on cookies compliance

The Privacy and Electronic Communications (EC Directive) Regulations 2003

The Information Commissioner’s Office Guide: Practical application guidance on the new cookies regulations

Copyright © 1997 - 2012  mso.net    Online New Media t/as mso.net    Registered in England No. 3824328.