The Information Commissioner's Office (ICO) has published a report summarising the concerns reported to it by members of the public about UK website providers' use of cookies. Between May and November 2012, the ICO received 550 reports via its cookie reporting tool. Most of the concerns were raised by individuals who were unhappy with the implied consent mechanisms authorised by the ICO or who felt that they had not been given enough information about how to decline cookies or manage them later.
In the report, the ICO reiterates its intention to take a practical and proportionate approach to enforcing the rules on cookies. However, if an organisation refuses to take steps to comply, or has been involved in a particularly privacy-intrusive use of cookies without telling individuals or obtaining consent, the ICO will consider using its formal regulatory powers, including the right to issue monetary penalty notices.
This business briefing is based on guidance issued by the Information Commissioner's Office (ICO).
It sets out how a business should obtain consent from visitors to its website to store or retrieve information from users’ computers or mobile devices.
New laws require businesses to obtain consent from visitors to their websites to store or retrieve usage information from users’ computers or mobile devices. Previously, a business could simply tell visitors how it used cookies and how they could “opt-out” if they objected. Many websites did this by putting information about cookies in their privacy policies and giving people the possibility of “opting out”.
What are cookies?
Cookies are small text files implanted by a website on the hard disks of visitors to the site (often without visitors being aware of this). Businesses use cookies for collecting information on the visitors to their website. For example:
- Analysing their on-site browsing habits.
- Remembering a user’s payment details when buying products online.
While cookies and the information they transmit may not be able to identify a living individual on their own, they may well be able to do so in combination with other information held by the recipient of the transmitted information or a third party.
Are there any exceptions to the new rules?
There is only one exception to the new consent rule. The business will not need to get consent for an activity that is “strictly necessary” for a service requested by the user. For example, a business would not need consent for a cookie which it uses to ensure that, when a user of its website has chosen the goods they want to buy and clicks the “add to basket” or “proceed to checkout” button, the site “remembers” what they chose on a previous page.
What steps can a business take now?
- Check what type of cookies the business uses and how they are used. The business should analyse which cookies are strictly necessary and may not need consent. The business could also use this as an opportunity to clean up its web pages and stop using any cookies that have been superseded as the site has evolved.
- Assess how intrusive the business’ use of cookies is. The more intrusive the activity, the more priority the business should give to getting meaningful consent. For example, using cookies to create detailed profiles of an individual’s browsing activity would be regarded as intrusive.
- Decide what solution to obtain consent will be best in the circumstances.
Can browser settings be used to indicate consent?
Most browser settings are not sophisticated enough to allow a business to assume that the user has given their consent to allow the website to set a cookie.
Not everyone who visits a business’ site will do so using a browser (for example, they may have used an application on their mobile device).
The ICO has therefore advised that if a business uses cookies or other means of storing information on a user’s equipment, it must gain consent using another method.
What other options exist for indicating consent?
The business needs to provide information about cookies and obtain consent before a cookie is set for the first time. If a business gets consent at this stage, it will not need to do so again for the same person each time the business uses the same cookie (for the same purpose) in future.
Pop-ups
Many websites routinely use pop-ups or “splash pages” to make users aware of changes to the site or to ask for user feedback. Similar techniques could, if designed correctly, be a useful way of informing users of the techniques the business uses and the choices they have.
Terms and conditions
Consent could be gained by using the terms of use or terms and conditions which the user agrees to when they first register or sign up.
However, simply changing the terms of use to include consent for cookies would not be good enough, even if the user had previously consented to the overarching terms.
To satisfy the new rules, businesses must make users aware of the changes and specifically that the changes refer to the business’ use of cookies.
The business will need to gain a positive indication that users understand and agree to the changes (for example, by asking the user to tick a box).
Settings-led consent
Some cookies are deployed when a user makes a choice about how the site works for them. Consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work. For example, some websites register which version a user wants to access (such as a version of a site in a particular language). However, to do this it is important that the user is made aware that cookies are used to fulfil their choice.
Feature-led consent
Some objects are stored when a user chooses to use a particular feature of the site (for example, watching a video clip). In these cases, presuming that the user is taking some action to tell the webpage what they want to happen (for example, by clicking a link), a business could ask for their consent to set a cookie at this point. Again, the user must be made aware that cookies are used to enable the feature.
Implied consent
Within the UK, the business can imply the user’s consent, provided that that consent is “specific and informed”. In practice, this means that the information a business provides to the user, and the way in which it is provided, must result in a “shared understanding” about the way in which the business uses cookies. For example, this can be achieved if the business informs the user in a prominent place on its website that the site is using cookies and that their continued use of the site implies their consent.
Analytic cookies
- A business may often collect information about how people access and use its site in the background and not at the request of the user. This type of activity will still require consent.
- The business should consider how it currently explains its policies to users and make that information more prominent.
- Provide more details about what the business does (for example, a list of cookies used with a description of how they work) so that users can make an informed choice about what they will allow.
- A business could, for example, place text in the footer or header of the web page which is highlighted, or which turns into a scrolling piece of text, when it wants to set a cookie on the user’s device.
Third party cookies
- If the business’ website displays content from a third party (for example, from an advertising network), this third party may read and write its own cookies on the devices of the business’ users.
- If the website allows or uses third party cookies, the business should make sure it is doing everything it can to get the correct information to users to enable them to make an informed choice about what is stored on their device.
What are the penalties for failing to comply?
- If the ICO receives a complaint about a business’ website, the business would be expected to respond by:
  - setting out how it has considered the complaint; and
  - providing a realistic plan to achieve compliance.