03/05/2012
By 26 May 2012, all UK organisations that operate a website will need to obtain consent from visitors to their websites in order to continue using cookies. The EU rules on the use of internet cookies changed following amendments made to the E-Privacy Directive. Those changes were implemented in the UK last year through amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Cookies (put simply, small packets of data stored on a user’s computer when the user accesses and browses a website) are used by most websites for a range of purposes, including to analyse the behaviour of website visitors (to monitor traffic and to report popular pages), to recognise users who return to the website (to personalise pages), to track a user’s interests and deliver targeted advertising to that user, and to allow users to access secure areas of a website.
By 26 May 2012, website owners are required to have made appropriate technical changes to their websites to provide clear and comprehensive information to, and obtain consent from, visitors in order to use cookies. It’s important to ensure that the information provided is accurate, as the consent needs to be “specific” and “informed”. In its guidance, the Information Commissioner’s Office (ICO) has said that the information should be full and provided in plain and accessible language, so that non-technical users can clearly understand the potential consequences of agreeing to allow the cookies to operate on their devices, and that consent must involve some form of communication in which the individual knowingly indicates their acceptance. It’s unlikely that a website owner can infer consent from a user’s browser settings (where a user is able to indicate which cookies they will allow). The ICO won’t endorse any one particular solution, and a solution that works for one website won’t necessarily work for another. The mechanisms available for obtaining consent include pop-up boxes, header bars, and subscribing to a service.
Cookies that are strictly necessary to provide a service the user has requested (for example, those which allow users to access secure areas of a website), the so-called “strictly necessary” cookies, are exempt from the requirement to obtain consent.
Steps to take
In line with the ICO guidance, we would recommend that organisations conduct an audit of their websites and in particular:
- check which cookies are being used and how
- assess how intrusive the use is and prioritise compliance efforts (starting with the most intrusive use)
- decide which solution for providing clear and comprehensive information and obtaining consent works best in the circumstances
- involve the IT department, web host and designer, and any third parties who provide content or services for the website, in the audit process
- if in doubt about whether you will comply, seek legal advice.
Time is short. Organisations that have not yet done so will need to move quickly to ensure that they comply with the legislation before 26 May 2012. The ICO has the power to issue fines of up to £500,000 for organisations that fail to comply.
Further reading
The ICO guidance is available here
The Government Digital Service guidance for public sector bodies is available here (although it has not been endorsed by the ICO)