A "cookie" is used by an origin website to send information to a user's browser and for the browser to return the information to the origin site. The information can be used for authentication, identification of a user session, a user's preferences or anything else that can be accomplished by storing text data on the user's computer.
The new rule
• Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed; and
• Has given his or her consent.
This replaces the requirement to provide an "opt out" system with a requirement that consent must be obtained.
If compliance is not achieved, the ICO has a range of enforcement and penalty powers available to it and these include:
• Serving an enforcement notice on an organisation specifying certain action that must be taken (for example, to start gaining consent for cookies). Failure to comply with an enforcement notice can be a criminal offence.
• Fine of up to £500,000.
The ICO advises website providers to take the following steps to ensure compliance with the updated law:
1. Check what type of cookies and similar technologies the website uses and how it uses them.
This might amount to a comprehensive audit of the website, or it could be as simple as checking what data files are placed on user terminals and why (and it is a good idea to keep a record of this information). Analyse which cookies are strictly necessary and which might not need consent (cookies necessary to perform essential functions of the website do not require user consent). This could be a good opportunity to clean up webpages and stop using any cookies that are unnecessary, or which have been superseded as a website has evolved.
The new rule is intended to add to the level of protection afforded to the privacy of internet users. Consequently, greater priority needs to be given to obtaining meaningful consent for the more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual's browsing activity.
3. Provide information
• A table or list of cookies and their purposes. This may not be appropriate for users who have little understanding of cookies.
• A broad explanation of cookies which is aimed at helping users understand cookies and their use.
4. Bring information to users' attention
The information about cookies must be brought to users' attention either by including a prominent link on a web page clearly referring to information regarding "cookies", not merely a privacy statement.
5. Obtain Consent
Consent from users should be obtained before a cookie is set. ICO guidance suggests that consent should be obtained through an affirmative step of the user, so implied consents will more than likely not be sufficient to comply with the legal requirement. Consent need not be sought each time a user enters the website.
Static information banners in a prominent place providing a link to information and a way to signify acceptance of cookies may be acceptable. It is suggested that if the user fails to accept the cookies, the provider may be able to assume consent if the user continues to browse the website (as long as the link is provided on each page of the website with an easy method to withdraw consent). This, however, relies on implied consent, so using this method may not ensure compliance. It may therefore be better to set up a system where the user must signify acceptance before they can continue browsing.
The ICO suggests the following possible mechanisms for obtaining consent:
• Highlighting the cookies and asking for consent from the user as they log into their account. Once this consent is obtained the option will not have to be provided on subsequent visits.
• The mechanism for the user to select or tailor their preferences (‘Would you like us to remember your…’) is amended to specifically flag that this process involves agreeing to a cookie. If the user selects the option to request that their preferences are remembered, having clearly had the role of the cookie in that process highlighted, the consent requirements would be satisfied.
• If the user will already be agreeing to terms and conditions to download a game or application, the way in which cookies are used is clearly and specifically highlighted in a prominent place in the process of agreement to these conditions (for example, next to the ‘I agree’ box). Once this consent is obtained the option will not have to be provided each time the game is used.