Wednesday, 18 January 2017  
Cookie law update - 12 months on

In May 2011 we prepared a guidance note on the amendments to The Privacy and Electronic Communications (EC Directive) Regulations 2003 (link). Back then businesses were given a 12 month moratorium on compliance and enforcement by the Information Commissioner. That moratorium ends on 25 May 2012.

Since then not a lot seems to have changed. Most websites appear to have done little to deal with the new rules (i.e. the "opt in" requirement) - the BBC website being a notable and elegant exception.

This makes enforcement by the ICO problematic, except for the worst offenders. However, widespread changes will not occur until the ICO starts handing out fines.

What does this mean for your business? In short, if you haven't already, you need to start work immediately on identifying which cookies are used and the data they track; then you need to decide whether or not the use of each of those cookies is justified; and, finally, you may need to get explicit consent for the remaining cookies you decide to use.

For an explanation of the changes to the law itself please see our May 2011 guidance note (link).


ICO Guidance

The ICO has prepared a pragmatic and useful guide - Guidance on the rules on use of cookies and similar technologies (link).

The guidance is well written and should help businesses understand what is required. As the Information Commissioner is the person most likely to bring enforcement action, his own guidance should be fairly indicative of the approach that would be taken.

Persuasive as the Information Commissioner's views are, ultimately it is for the courts to determine whether or not particular conduct is legal.

What are the key issues?

Although the amendments to the Regulations permit consent to be obtained via browser controls (Reg 3A), a technological solution which is consistent across all browsers and versions has yet to appear.

This does mean that you will have to implement a system of informing visitors to your website about the cookies used and any data collected/processed, and you will have to obtain explicit informed consent to your processing.

The Information Commissioner relies on the definition of "consent" contained in the Data Protection Directive, namely:

"any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed".

That consent has to be given prior to the cookie being set, unless of course the cookie is absolutely necessary for the proper operation of the website. There is a narrow exception to the consent requirement, provided for in Art 5(2) of the Directive on privacy and electronic communications (link), namely where the cookie is required:

"for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user".

This exception will only apply to a limited range of services, and you are still required to inform users about these cookies.

Perhaps most important are the three activities which the Information Commissioner considers likely to fall outside this exception and therefore will require notification AND consent. They are:

(1) analytical cookies (e.g. number of visitors to a website),

(2) first and third party advertising cookies, and

(3) cookies recognising a user so that he/she can be identified upon return.

First party cookies are your own cookies, whereas third party cookies are those cookies introduced via banner ads provided by external companies. Many websites derive their profitability, and therefore their existence, from advertising revenue provided by third party companies.

The Information Commissioner was silent on this aspect a year ago but has now made it clear that you are liable for the cookies implemented by third party banner advertisers. The rationale, quite reasonably and properly, is that it is your decision to use third party banner adverts for which you derive a revenue stream; therefore you should be responsible for them. The BBC website, incidentally, appears to take a different view on third party cookies.

This significantly changes the operating parameters for many website businesses and therefore our strong recommendation is that all third party banner adverts should be checked for compliance with the Regulations.

This applies not just to banner advertisements - you are responsible for any third party using cookies on your websites, including analytics providers.

These activities are not forbidden; rather you have to get explicit informed prior consent. If you have that then go ahead and use these cookies.

What does this mean?

Most businesses are probably not compliant, leaving them open to potential enforcement action. The ICO has taken a pragmatic approach in the past, though, which is to work towards compliance rather than immediately imposing sanctions, except in the worst cases.

That permissive approach is unlikely to last forever.

You are going to have to implement new procedures for obtaining explicit consent, if you haven't already. The ICO's guidance note details a number of examples and methods, which we will not repeat here but which are worth considering.

Just because technology allows one to do something quickly and easily does not mean that we should do so, or that the information gathered is in fact of any real commercial or operational value. An alternative way of looking at this is that the cost of ensuring compliance and of storing/processing that data may significantly outweigh the benefit of the data in the first place. That makes it an easy decision - don't bother to use intrusive cookies to collect so much data.

Finally, you need to be able to demonstrate that a user has not only been appropriately informed but also that he/she has consented. There are passive and active ways of achieving this. A sliding scale approach may be appropriate - the more intrusive and pervasive the data collection, the more active the consent process needs to be.

You might be able to get away with very prominent disclaimers in headers/footers with clear links to policies if your use of cookies is fairly benign. If not, you may have to implement stop/go points with access to parts of your website and services dependent on positive confirmation, which you need to record of course.
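As an added illustration (this is not code from the article or from the ICO guidance), the gate below shows the shape of such a "stop/go" point: essential cookies pass, each of the three categories named above is blocked until a recorded consent covers it, and the strength of consent required rises with intrusiveness. The category-to-consent policy, the record format and the `jar` stand-in for `document.cookie` are all assumptions of the example.

```javascript
// Added example (not the article's or the ICO's code): a "stop/go" consent gate.
// Assumptions: each cookie is already classified into one of the categories below,
// and which consent strength each category needs is our own policy, not the ICO's.
// "essential" is the strictly-necessary exception; the other three are the
// activities the ICO says need notification AND consent.
//   "passive" = prominent notice plus continued use, "active" = positive click.
const POLICY = {
  essential: null,      // never needs consent, but must still be disclosed
  analytics: "passive",
  advertising: "active",
  recognition: "active",
};
const STRENGTH = { passive: 1, active: 2 };
// The consent record is the evidence you retain: who, which categories, how and
// when. `store` is any Map-like object; a new record for a subject replaces the old.
function recordConsent(store, subjectId, categories, method, now = Date.now()) {
  if (!(method in STRENGTH)) throw new Error("unknown consent method: " + method);
  for (const c of categories) {
    if (!(c in POLICY) || c === "essential") throw new Error("bad category: " + c);
  }
  const record = {
    subjectId,
    categories: [...new Set(categories)],
    method,
    givenAt: new Date(now).toISOString(),
  };
  store.set(subjectId, record);
  return record;
}

function withdrawConsent(store, subjectId) {
  return store.delete(subjectId);
}

// The stop/go decision: may a cookie of this category be set for this subject?
function mayStore(store, subjectId, category) {
  const required = POLICY[category];
  if (required === undefined) throw new Error("unclassified cookie: " + category);
  if (required === null) return true;                           // strictly necessary
  const rec = store.get(subjectId);
  if (!rec || !rec.categories.includes(category)) return false; // no prior consent
  return STRENGTH[rec.method] >= STRENGTH[required];            // sliding scale
}
// Every cookie write goes through here; `jar` stands in for document.cookie so
// the example runs outside a browser.
function setCookie(jar, store, subjectId, name, value, category) {
  if (!mayStore(store, subjectId, category)) return false;
  jar.set(name, value);
  return true;
}
```

Because every write passes through `setCookie`, the consent record in `store` is the audit trail showing which user consented to what, how, and when, which is what an inspector would ask to see.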


A PDF copy of this article is available here.

Copyright reserved