Cookies and the new rule

A "cookie" is used by an origin website to send information to a user's browser, and by the browser to return that information to the origin site. The information can be used for authentication, identification of a user session, a user's preferences or anything else that can be accomplished by storing text data on the user's computer.

The new rule
The legal requirement in relation to the use of cookies by website owners was recently updated. Under the revised law, the use of cookies is only allowed if the user concerned:
Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed; and
Has given his or her consent.

This replaces the previous requirement to provide an "opt out" system with a requirement that consent must be obtained.

Although the Information Commissioner's Office (ICO) acknowledges that the new rule will require organisations to update their websites and will cause inconvenience to website providers and users, it does require compliance by May 2012. If a business is not yet fully compliant but has begun to implement changes, the ICO will take this into account and show leniency. However, the ICO has stated that it will not condone organisations taking no action at all in the period up to May 2012. Businesses must therefore look at the way in which their websites use cookies and review their privacy policies to ensure that the internet services they provide are in line with the new rule.

If compliance is not achieved, the ICO has a range of enforcement and penalty powers available to it and these include:
Serving an enforcement notice on an organisation specifying certain action that must be taken (for example, to start gaining consent for cookies). Failure to comply with an enforcement notice can be a criminal offence.
A fine of up to £500,000.

Compliance
The ICO advises website providers to take the following steps to ensure compliance with the updated law: 

1. Check what type of cookies and similar technologies the website uses and how it uses them.
This might amount to a comprehensive audit of the website, or it could be as simple as checking what data files are placed on user terminals and why (it is a good idea to keep a record of this information). Analyse which cookies are strictly necessary and which might not need consent (cookies necessary to perform essential functions of the website do not require user consent). This could be a good opportunity to clean up webpages and stop using any cookies that are unnecessary, or which have been superseded as a website has evolved.

2. Assess how intrusive the use of cookies is
The new rule is intended to add to the level of protection afforded to the privacy of internet users. Consequently, greater priority needs to be given to obtaining meaningful consent for the more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual's browsing activity.

3. Provide information
User-friendly information must be provided to users about the website's use of cookies. The ICO suggests two main ways of displaying information about cookies:
A table or list of cookies and their purposes. This may not be appropriate for users who have little understanding of cookies.
A broad explanation of cookies which is aimed at helping users understand cookies and their use.

4. Bring information to users' attention
The information about cookies must be brought to users' attention either by including a prominent link on a web page clearly referring to information regarding "cookies", not merely a privacy statement.

5. Obtain consent
Consent from users should be obtained before a cookie is set. ICO guidance suggests that consent should be obtained through an affirmative step by the user, so implied consent will more than likely not be sufficient to comply with the legal requirement. Consent need not be sought each time a user enters the website.
Static information banners in a prominent place providing a link to information and a way to signify acceptance of cookies may be acceptable. It is suggested that if the user fails to accept the cookies, the provider may be able to assume consent if the user continues to browse the website (as long as the link is provided on each page of the website with an easy method to withdraw consent). This, however, relies on implied consent, so using this method may not ensure compliance. It may therefore be better to set up a system where the user must signify acceptance before they can continue browsing.

The ICO suggests the following possible mechanisms for obtaining consent:
Highlighting the cookies and asking for consent from the user as they log into their account. Once this consent is obtained the option will not have to be provided on subsequent visits.
The mechanism for the user to select or tailor their preferences (‘Would you like us to remember your…’) is amended to specifically flag that this process involves agreeing to a cookie. If the user selects the option to request that their preferences are remembered, having had the role of the cookie in that process clearly highlighted, the consent requirements would be satisfied.
If the user will already be agreeing to terms and conditions to download a game or application, the way in which cookies are used is clearly and specifically highlighted in a prominent place in the process of agreement to these conditions (for example, next to the ‘I agree’ box). Once this consent is obtained the option will not have to be provided each time the game is used.

Next steps
It is of paramount importance that your organisation has taken some steps towards achieving compliance. As set out above, the ICO can enforce the new rule and could impose a fine of up to £500,000. We can explain what the new rule means for you and help you to carry out a proportionate exercise to review and update your website policies and the use of cookies to ensure you meet your legal responsibilities.


© 2017 Fraser Brown Solicitors. Authorised and regulated by the Solicitors Regulation Authority.