BIMA Blog


Cookies and the law: What you need to know

Posted by BIMA knowledge-sharing Legal & Finance October 22, 2012

The cookie law has been enforced for 4 months now – how is it gaining momentum, and how will it affect your website?

It’s 4 months since the new laws about using cookies and other information-storing technologies (which we’ll shorthand to cookies here) on websites came into force. We’ve had guidance from the Information Commissioner’s Office (ICO) on how to comply, an online complaints tool for reporting cookie non-compliance, and the ICO is now recruiting staff for enforcement roles. So what do you need to do? And what will happen if you don’t?

What is the cookie law?

Before the latest e-Privacy Directive was implemented in UK law, a UK website user was deemed to have consented to a website’s use of cookies unless they indicated otherwise. The new regulations reverse this position: consent is now required before cookies can be placed.

The ICO has the power to fine non-compliant websites up to £500,000 and also to issue press releases naming these sites: not the kind of publicity most businesses would want. So far the ICO has received over 380 complaints about non-compliant websites and appears to be staffing up to step up its enforcement of the regulations.

What does my website need?

Every website needs to gain consent from users before it can place website analytics cookies (yours or a third party’s), tracking cookies and recognition cookies on a user’s device. To get this consent, your site needs to tell users:

  • What information the cookies will collect
  • What you will do with that information
  • Who the information is going to be shared with
  • Whether the collected information could be used to identify the individual user
  • How long the cookie will remain on their device
  • How they can disable cookies

However, where the cookie is ‘strictly necessary’ for a service the website user has requested, this consent is not required. These cookies include purchase path, security and operational cookies – so, for example, those needed to store items in baskets or comply with online security legislation.

Although most websites use multiple types of cookie, separate consent does not need to be obtained for each type, and one ‘blanket’ consent can be sufficient. Where there is a series of connected websites, the user can grant consent to the use of cookies across all of them at one time. The important aspect in both situations is that the user has been given the necessary information about all of the cookies before the consent is given.

3 practical steps to cookie compliance

Step 1: Undertake a cookie audit to understand what cookies are being used on the site and to collate the information that needs to be given to the user – your website developer should be able to assist.

Step 2: Decide whether to seek express or implied consent. Under the latest guidance from the ICO, implied consent can be sufficient, despite earlier guidance that suggested otherwise. Obtaining express consent gives the website operator greater certainty that the website is compliant, but may result in a poorer user experience.

Step 3: Provide the user with the necessary information prior to placing the cookies:

But how does this look? There are several approaches, all valid, but the key point is that you should not rely on a cookie (or privacy) policy alone without giving at least some kind of notice. A link, however prominent, is very unlikely to be found a sufficient method of obtaining consent under the cookie laws.

So what do suitable notice options look like?

1. Terms and conditions – tying cookie consent to acceptance of terms and conditions before use of a website is a common method currently in use. The user’s attention would still need to be drawn to the relevant cookie information.

2. Static pop-up – use of a static ‘pop-up’ containing direct links to the cookie policy when the user (first) accesses the website is also popular. Users who then access any other part of the website are taken to have impliedly consented to the placement of cookies.

3. Static or accordion banner – the most common option: a banner across the website which states that the website is using cookies and provides the user with a direct link to the cookie policy. It can be used to obtain either express or implied consent.
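As an added illustration of the three steps above (example code written for this page, not from the original post or from Kemp Little), the following JavaScript models a consent gate: a cookie register produced by the Step 1 audit, a setter that places strictly necessary cookies immediately but holds back analytics and tracking cookies until consent is granted (express, via the banner button, or implied, via continued browsing after the notice, as in Step 2), and a notice builder that turns the register into the information Step 3 requires. All cookie names, purposes and third-party names are hypothetical, and a Map stands in for document.cookie so the code runs in Node.

```javascript
// Added example (not from the original post): a consent gate that refuses to place
// non-essential cookies until the user has consented. The cookie register, cookie
// names, purposes and third-party names below are hypothetical, constructed for this example.

// Output of the Step 1 cookie audit: every cookie the site sets, with the facts the
// notice must disclose (purpose, who it is shared with, lifetime, whether it identifies the user).
const COOKIE_REGISTER = {
  session_id: { category: 'strictly-necessary', purpose: 'keeps you logged in', sharedWith: [], ttlDays: 0, identifiesUser: true },
  basket:     { category: 'strictly-necessary', purpose: 'remembers items in your basket', sharedWith: [], ttlDays: 30, identifiesUser: false },
  _analytics: { category: 'analytics', purpose: 'measures how the site is used', sharedWith: ['Example Analytics Ltd'], ttlDays: 730, identifiesUser: true },
  ad_tracker: { category: 'tracking', purpose: 'cross-site advertising', sharedWith: ['Example Ad Network'], ttlDays: 365, identifiesUser: true },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

class ConsentGate {
  // `jar` stands in for document.cookie so the example runs outside a browser.
  constructor(register, jar = new Map()) {
    this.register = register;
    this.jar = jar;
    this.consented = false;
    this.deferred = [];   // non-essential cookies requested before consent was given
  }

  // Step 2: called from the banner's accept button (express consent) or from the
  // "user continued browsing after seeing the notice" handler (implied consent).
  // Releases any cookies that were held back and returns how many cookies are now set.
  grantConsent() {
    this.consented = true;
    for (const [name, value] of this.deferred) this.jar.set(name, value);
    this.deferred = [];
    return this.jar.size;
  }

  // Strictly necessary cookies are always set; anything else waits for consent.
  // Cookies that were never audited are refused outright so they cannot slip through.
  setCookie(name, value) {
    if (!hasOwn(this.register, name)) {
      throw new Error(`cookie "${name}" is not in the register: audit it before setting it`);
    }
    const entry = this.register[name];
    if (entry.category === 'strictly-necessary' || this.consented) {
      this.jar.set(name, value);
      return 'set';
    }
    this.deferred.push([name, value]);
    return 'deferred';
  }

  // Step 3: the information the notice or policy must give for each non-essential cookie.
  noticeLines() {
    return Object.entries(this.register)
      .filter(([, e]) => e.category !== 'strictly-necessary')
      .map(([name, e]) =>
        `${name} (${e.category}): ${e.purpose}; shared with ${e.sharedWith.join(', ') || 'no one'}; ` +
        `kept for ${e.ttlDays} days; ${e.identifiesUser ? 'can' : 'cannot'} identify you`);
  }
}

// Audit helper for Step 1: compare the cookies actually present (a document.cookie-style
// string) with the register and report any that were never documented.
function auditCookies(cookieString, register) {
  const names = cookieString.split(';').map(s => s.trim().split('=')[0]).filter(Boolean);
  return {
    known: names.filter(n => hasOwn(register, n)),
    undocumented: names.filter(n => !hasOwn(register, n)),
  };
}

// Stand-alone demo (runs only when this file is executed directly under Node).
if (typeof require !== 'undefined' && require.main === module) {
  const gate = new ConsentGate(COOKIE_REGISTER);
  gate.setCookie('session_id', 'abc123');                    // set straight away
  console.log(gate.setCookie('_analytics', 'visitor-42'));   // deferred
  console.log(gate.noticeLines().join('\n'));
  gate.grantConsent();                                       // user clicked "accept"
  console.log([...gate.jar.keys()]);                         // [ 'session_id', '_analytics' ]
  console.log(auditCookies('session_id=abc123; _analytics=visitor-42; mystery=1', COOKIE_REGISTER));
}
```

The design choice worth noting is that the gate fails closed: a cookie that is not in the register is refused rather than treated as harmless, which is what keeps the audit in Step 1 and the notice in Step 3 in sync as developers add new cookies.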

Browsers

Websites should not rely on users’ browser settings for consent, as most users do not currently understand their browser’s functions well enough for this method to be relied upon. Most browsers accept cookies by default.

Enforcement

At this stage, no enforcement notices have been issued. However, where a website fails to engage with the ICO and undertake the necessary action, the ICO’s powers allow it to:

  • Issue non-compliance press statements
  • Request undertakings from the website
  • Issue enforcement notices
  • Issue fines of up to £500,000

The ICO’s main aim is for non-compliant websites to engage with it in order to become compliant (or at least to take steps towards compliance within a reasonable period), rather than to issue financial penalties.

In conclusion

The implementation of a suitable cookie and privacy policy is important for all websites. Websites should ensure that, where they are non-compliant, steps are being taken to change the layout of their website to provide the user with the necessary information. However, while the potential financial penalties are substantial, it appears likely that in the short term the ICO will not issue financial penalties unless a website fails to engage with the ICO and take steps to become compliant.

For more information, go directly to the source: read the ICO’s guide on the use of cookies.

About the author

Iain Taker, Associate at Kemp Little LLP, leading technology and digital media law firm. Iain can be contacted on Iain.Taker@kemplittle.com
