The rules on using cookies and similar technologies to store information on a user’s equipment changed on 26 May 2011.
Why has this happened?
The rule change implements an EU Directive. The new rules are contained in Regulation 6 of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
What do the Regulations cover?
What has changed?
From 26 May 2011, cookies (and similar technologies that store or read information on a user's equipment) can only be placed on a user's equipment if the user has given their consent. The existing requirement to provide clear and comprehensive information about what is stored and why remains in place.
Does the new rule apply to all cookies?
Yes - except for one limited exception. Consent does not need to be given where the cookie is "strictly necessary" for a service requested by the user. This is a very narrow exception. For example, it could apply to a cookie used to ensure that where a user clicks "proceed to checkout" when purchasing online, the site remembers the items chosen on a previous page.
The EU Directive on which the exception is based refers to a service "explicitly requested" by the user, so a cookie that is merely useful to the site operator, rather than essential to delivering the service the user asked for, falls outside it. The Information Commissioner, who will enforce these Regulations, will bear this in mind in deciding whether or not the Regulations have been complied with.
Also, information about a cookie only has to be provided, and consent obtained, the first time it is set for a particular user. You do not have to do this again for the same person provided that it is the same cookie and it is used for the same purpose.
What do you have to do and when?
The government believes there should be a phased approach to implementing these Regulations. However, this does not mean that you should do nothing. The Information Commissioner's Office has issued initial guidance on the new Regulations which is a starting point rather than a definitive guide. The guidance contains practical steps for you to take now.
- Check what type of cookies you use and how you use them - this may be a comprehensive audit or a simple check of the data files placed on user terminals. Analyse why you use each cookie and decide which are "strictly necessary" and might not require user consent. Use this as an opportunity to clean up your website. The Information Commissioner strongly advises in-house teams to carry out this audit and clean-up exercise in order to demonstrate compliance.
- Decide the best way of obtaining consent for your circumstances - the more intrusive your activities, the more you need to do to get proper, meaningful consent. One of the suggestions in the EU Directive and the Regulations is to obtain consent through browser settings. However, the Information Commissioner's opinion is that, as most browser settings are not currently sophisticated enough to allow you to assume that a user has given specific consent, organisations need to obtain consent another way.
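A starting point for the audit step above, as an added example that is not part of the article or the Information Commissioner's guidance: run over Set-Cookie headers captured from your own site (for example from the browser's developer tools or an intercepting proxy), it builds an inventory recording who sets each cookie, how long it lives, and which attributes it carries, so the team can then decide cookie by cookie whether it is "strictly necessary". The site host, the captured headers and the cookie names are constructed for illustration.

```javascript
// Added example, not the article's or the ICO's own code.
// Inventory of cookies from captured Set-Cookie headers.

const SITE_HOST = 'shop.example'; // assumption: the site being audited

// Constructed sample capture: [response origin, Set-Cookie header value].
const CAPTURED = [
  ['https://shop.example/basket', 'cart=sku1,sku2; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['https://shop.example/login', 'sid=9f3c2ab1; Path=/; Secure; HttpOnly; SameSite=Strict'],
  ['https://shop.example/', 'lang=en; Max-Age=31536000; Path=/; Secure'],
  ['https://stats.example.net/collect',
    '_uid=abc123; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Domain=.stats.example.net'],
];

// Split "name=value; Attr; Attr=val" into a name, a value and a map of
// lower-cased attribute names (valueless attributes become `true`).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Session cookies vanish when the browser closes; anything with Max-Age or
// Expires persists on the user's equipment and deserves closer scrutiny.
function lifetime(attributes) {
  if (attributes['max-age'] !== undefined) return `${Number(attributes['max-age'])} s`;
  if (attributes.expires) return `until ${attributes.expires}`;
  return 'session';
}

// A cookie is third-party when its effective domain is not the audited site
// or a subdomain of it. An explicit Domain attribute overrides the origin.
function isThirdParty(origin, attributes, siteHost) {
  const host = attributes.domain
    ? attributes.domain.replace(/^\./, '')
    : new URL(origin).hostname;
  return !(host === siteHost || host.endsWith('.' + siteHost));
}

function buildInventory(captured, siteHost = SITE_HOST) {
  return captured.map(([origin, header]) => {
    const c = parseSetCookie(header);
    const life = lifetime(c.attributes);
    return {
      name: c.name,
      setBy: new URL(origin).hostname,
      thirdParty: isThirdParty(origin, c.attributes, siteHost),
      persistent: life !== 'session',
      lifetime: life,
      secure: c.attributes.secure === true,
      httpOnly: c.attributes.httponly === true,
      sameSite: c.attributes.samesite || 'none specified',
      strictlyNecessary: null, // left for the audit team to decide per cookie
    };
  });
}

// Persistent and third-party cookies are the ones least likely to qualify
// for the "strictly necessary" exception, so list them for review first.
function needsReview(inventory) {
  return inventory.filter((c) => c.thirdParty || c.persistent);
}

console.table(buildInventory(CAPTURED));
console.log('review first:', needsReview(buildInventory(CAPTURED)).map((c) => c.name));
```

The inventory deliberately leaves `strictlyNecessary` unset: the script can tell you what is stored and by whom, but the decision about whether a cookie is essential to a service the user explicitly requested is a judgement for the team, not something a parser can make.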
How do we obtain consent?
- Browser settings - browser level solutions are being worked on at the moment, but the Information Commissioner believes that browser settings are not currently sufficient for users to give consent.
- Pop-ups - this would be acceptable but even the Information Commissioner thinks this might become annoying for users!
- Settings-led consent - for certain cookies it might be convenient to obtain consent when a user changes the settings for a site. For example, if a user chooses to always access a site in the English language version, consent could be obtained at the point where the user makes this choice.
- Third party cookies - this is a difficult area. The Information Commissioner acknowledges that this is the most challenging area for compliance and is working with other bodies, including industry, to try and find the right solutions. However, in the meantime, you will need to work with third parties to ensure that the users are absolutely clear about cookies being set, and that they are able to give meaningful consent.
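The consent mechanisms above and the "strictly necessary" exception translate into a simple rule for the site's front end: set only the cookies that are essential to the service the user asked for straight away, hold everything else back until consent is recorded (whether from a pop-up or from a settings change such as choosing a language), and remember that consent so the user is not asked again for the same cookies. The following is an added example of that gate, not code from the article or the Information Commissioner; the cookie names, purposes and the cookie-jar interface are assumptions.

```javascript
// Added example, not the article's or the ICO's own code.
// Consent gate: strictly necessary cookies are set unconditionally,
// all others are deferred until the user records consent.

// Assumed output of the audit: each cookie, its purpose, and whether it is
// strictly necessary for a service the user explicitly requested.
const COOKIE_POLICY = {
  cart:    { purpose: 'remember items chosen before "proceed to checkout"', strictlyNecessary: true },
  session: { purpose: 'keep a logged-in user authenticated',                strictlyNecessary: true },
  lang:    { purpose: 'language version chosen by the user',                strictlyNecessary: false },
  _stats:  { purpose: 'third-party usage analytics',                        strictlyNecessary: false },
};

const CONSENT_COOKIE = 'cookie_consent';

// A jar is anything with get(name) and set(name, value). In-memory version
// for tests and server-side previews.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => store.get(name),
    set: (name, value) => { store.set(name, value); },
    names: () => [...store.keys()],
  };
}

// Browser adapter over document.cookie (assumption: only meaningful in a page).
function documentCookieJar() {
  return {
    get(name) {
      const hit = document.cookie.split('; ').find((c) => c.startsWith(name + '='));
      return hit ? decodeURIComponent(hit.slice(name.length + 1)) : undefined;
    },
    set(name, value, { maxAge = 31536000 } = {}) {
      document.cookie =
        `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
    },
  };
}

function createConsentGate(jar, policy = COOKIE_POLICY) {
  const pending = new Map(); // non-essential cookies waiting for consent
  // Consent recorded on an earlier visit means no repeat prompt for the same cookies.
  let consented = jar.get(CONSENT_COOKIE) === 'yes';

  // Returns 'set' or 'deferred'. Unknown cookies are refused so that nothing
  // reaches the user's equipment without having been through the audit.
  function setCookie(name, value) {
    const entry = policy[name];
    if (!entry) throw new Error(`cookie "${name}" is not in the audited policy`);
    if (entry.strictlyNecessary || consented) {
      jar.set(name, value);
      return 'set';
    }
    pending.set(name, value);
    return 'deferred';
  }

  // Called by whatever UI collects consent: a pop-up, or a settings change
  // (for example picking a language) where the choice itself is the consent.
  function recordConsent() {
    consented = true;
    jar.set(CONSENT_COOKIE, 'yes');
    for (const [name, value] of pending) jar.set(name, value);
    pending.clear();
  }

  // The "clear and comprehensive information" the notice must carry:
  // every non-essential cookie and what it is for.
  function noticeLines() {
    return Object.entries(policy)
      .filter(([, e]) => !e.strictlyNecessary)
      .map(([n, e]) => `${n}: ${e.purpose}`);
  }

  return {
    setCookie,
    recordConsent,
    noticeLines,
    hasConsent: () => consented,
    pendingNames: () => [...pending.keys()],
  };
}

// Demonstration with the in-memory jar.
const demoJar = memoryJar();
const gate = createConsentGate(demoJar);
console.log(gate.setCookie('cart', 'sku1,sku2'), gate.setCookie('_stats', 'abc123'));
console.log('notice:', gate.noticeLines());
gate.recordConsent();
console.log('cookies now on the user\'s equipment:', demoJar.names());
```

Note that the gate only controls cookies your own code sets. Third-party scripts that set cookies themselves are outside its reach, which is why the article says that area has to be handled with the third parties directly: either their scripts are not loaded until consent is recorded, or they expose their own mechanism for honouring it.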
More guidance will be issued by the Information Commissioner over time. In particular, guidance on enforcement is expected to be published. Keep an eye on the Information Commissioner's website for this guidance.
The Information Commissioner will also provide guidance giving examples of methods for obtaining consent and is keen to receive examples from industry. Given the difficulties in obtaining consent, he has stated that he is unlikely to take enforcement action in the first 12 months provided that organisations have taken the steps set out in the guidance. Therefore the current guidance should be followed in order to demonstrate, if any complaint is made, that you have done all you can to comply with the new rules.
Where can I find more information?
The Information Commissioner's website should be checked regularly for updated guidance.
The Initial Guidance from the Information Commissioner
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.