The cookie law has been enforced for 4 months now – how is it gaining momentum, and how will it affect your website?
It’s 4 months since the new laws about using cookies and other information-storing technologies (which we’ll shorthand to cookies here) on websites were enforced. We’ve had guidance from the Information Commissioner’s Office (ICO) as to how to comply, an online complaints tool for cookie non-compliance and the ICO is now recruiting staff for enforcement roles. So what do you need to do? And what will happen if you don’t?
What is the cookie law?
The ICO has the power to fine non-compliant websites up to £500,000 and also to issue press releases naming these sites: not the kind of publicity most businesses would want. So far the ICO has received over 380 complaints about non-compliant websites and appears to be staffing up to step up its enforcement of the regulations.
What does my website need?
Every website needs to gain consent from users before they can place website analytics cookies (yours or a 3rd party’s), tracking cookies and recognition cookies on a user’s device. To get this consent, your site needs to tell users:
- What information the cookies will collect
- What you will do with that information
- Who the information is going to be shared with
- Whether the collected information could be used to identify the individual user
- How long the cookie will remain on their device
- How they can disable cookies
However, where the cookie is ‘strictly necessary’ for a service the website user has requested, this consent is not required. These cookies include purchase path, security and operational cookies – so, for example, those needed to store items in baskets or comply with online security legislation.
3 practical steps to cookie compliance
Step 1: Undertake a cookie audit to understand what cookies are being used on the site and to collate the information that needs to be given to the user – your website developer should be able to assist.
Step 2: Decide whether to seek express or implied consent. Under the latest guidance from the ICO, implied consent can be sufficient despite earlier guidance that suggested otherwise. Obtaining express consent will give the website operator greater certainty that the website is compliant but may result in a poorer user experience.
Step 3: Provide the user with the necessary information prior to placing the cookies.
But how does this look? There are several approaches, all valid, but the big factor is that you should not rely on a cookie (or privacy) policy without giving at least some kind of notice. A link, however prominent, as a method of obtaining consent is very unlikely to be found sufficient to ensure compliance with the cookie laws.
So what do suitable notice options look like?
1. Terms and conditions – tying cookie consent to acceptance of terms and conditions prior to use of a website is a common method currently being used. The user’s attention would still need to be drawn to the relevant cookie information.
Websites should not rely on users’ browser settings for consent, as most users do not currently have the necessary understanding of their browser’s functions for this method to be relied upon. Most browsers accept cookies by default.
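The three steps above come down to two pieces of engineering: a cookie register produced by the audit (what each cookie is for, who it is shared with, whether it identifies the user, how long it lives) and a gate that refuses to set anything other than strictly necessary cookies until consent has been recorded. The following is an added example written for this article, not code from the author or from Kemp Little; the cookie names, the register entries and the `ConsentGate` class are constructed for illustration, and the in-memory jar stands in for `document.cookie` so the code runs outside a browser. The same register also generates the notice text listing the six items the article says users must be told.

```javascript
// Cookie categories used by the audit. Only STRICTLY_NECESSARY may be set
// without consent (purchase path, security and operational cookies).
const STRICTLY_NECESSARY = "strictly-necessary";
const ANALYTICS = "analytics";
const TRACKING = "tracking";

// Constructed cookie register: the output of a cookie audit (Step 1).
// Every entry carries the information the article says the user must be given.
const cookieRegister = {
  session_id: { category: STRICTLY_NECESSARY, purpose: "keeps the user signed in",
    sharedWith: "nobody", identifiesUser: false, lifetime: "until the browser closes" },
  basket: { category: STRICTLY_NECESSARY, purpose: "remembers items placed in the basket",
    sharedWith: "nobody", identifiesUser: false, lifetime: "7 days" },
  site_stats: { category: ANALYTICS, purpose: "measures which pages are visited",
    sharedWith: "a hypothetical third-party analytics provider", identifiesUser: false, lifetime: "2 years" },
  ad_profile: { category: TRACKING, purpose: "builds an interest profile for advertising",
    sharedWith: "a hypothetical advertising network", identifiesUser: true, lifetime: "1 year" },
};

class ConsentGate {
  constructor(register) {
    this.register = register;
    this.consented = new Set(); // categories the user has agreed to
    this.jar = new Map();       // stands in for document.cookie in this example
  }

  // Record the categories the user accepted via the notice (express consent)
  // or, under the ICO's later guidance, via a clearly explained implied-consent notice.
  recordConsent(categories) {
    for (const c of categories) this.consented.add(c);
  }

  // A cookie not in the register is refused outright: it was never audited,
  // so the user cannot have been told what it does.
  canSet(name) {
    const entry = this.register[name];
    if (!entry) return false;
    if (entry.category === STRICTLY_NECESSARY) return true;
    return this.consented.has(entry.category);
  }

  // Returns true if the cookie was placed, false if the gate blocked it.
  setCookie(name, value) {
    if (!this.canSet(name)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Builds the notice text from the register: the six items the user must be told,
  // covering only the cookies that actually require consent.
  noticeText(disableInstructions) {
    return Object.entries(this.register)
      .filter(([, e]) => e.category !== STRICTLY_NECESSARY)
      .map(([name, e]) =>
        `${name} (${e.category}): collects ${e.purpose}; shared with ${e.sharedWith}; ` +
        `${e.identifiesUser ? "could identify you" : "does not identify you"}; ` +
        `stays on your device for ${e.lifetime}; to disable: ${disableInstructions}.`)
      .join("\n");
  }
}

// Stand-alone demonstration of the gate's behaviour.
function demo() {
  const gate = new ConsentGate(cookieRegister);
  const before = {
    session: gate.setCookie("session_id", "abc123"), // allowed: strictly necessary
    stats: gate.setCookie("site_stats", "v1"),       // blocked: no consent yet
  };
  gate.recordConsent([ANALYTICS]);                   // user accepts analytics only
  const after = {
    stats: gate.setCookie("site_stats", "v1"),       // now allowed
    ads: gate.setCookie("ad_profile", "p9"),         // still blocked: tracking not accepted
    unknown: gate.setCookie("mystery", "x"),         // blocked: not in the audit register
  };
  return { before, after, placed: [...gate.jar.keys()] };
}
```

Note that the gate is the client-side half only: a server that sets cookies in its own `Set-Cookie` headers needs the same check on that side, keyed off the consent the user recorded, or the audit register and the live site will drift apart.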
At this stage, no enforcement notices have been issued. However, where a website fails to engage with the ICO and undertake the necessary action, the ICO’s powers allow it to:
- Issue non-compliance press statements
- Request undertakings from the website
- Issue enforcement notices
- Issue fines of up to £500,000
The ICO’s main aim is for non-compliant websites to engage with it in order to become compliant (or at least to undertake steps to achieve compliance within a reasonable time period), as opposed to issuing financial punishments.
About the author
Iain Taker, Associate at Kemp Little LLP, leading technology and digital media law firm. Iain can be contacted on Iain.Taker@kemplittle.com