Cookies – getting the recipe right

Given that virtually every website and many marketing e-mails use cookies, it is important for all organisations to note that the law has changed regarding the use of cookies - it is no longer enough simply to tell website users/recipients about cookies and allow them to opt out. There is now a requirement to obtain consent to the use of cookies and similar technologies on websites and as part of marketing activities.

Background

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (‘the Regulations’), sometimes referred to as 'the cookie laws', came into effect in May 2011, but active enforcement began on 26th May 2012.

What is a 'cookie'?

A 'cookie' in the context of a website is a small data file that is invisibly placed on a device when a user accesses a website or opens a marketing e-mail, enabling the website owner or advertiser to distinguish individual visitors/devices and gather useful information. A typical cookie, for example, recognises the user, so that the user need not sign in with all the usual details every time the website is visited and receives a more personalised view of the website.

Guidance

The Information Commissioner's Office (‘ICO’), the UK’s data protection and privacy regulator, has updated its advice and guidance on the changes to the EU cookie laws (the 'ICO Guidance'), explaining how organisations can comply with the rules on the use of cookies and similar technologies. This replaces the guidelines issued in December 2011, in which the ICO had stated that implied consent would not be acceptable for achieving compliance. However, the ICO Guidance now suggests that implied consent may be sufficient in the context of storage of information or access to information using cookies, at least where non-sensitive personal data is concerned (see below).

When do the Regulations apply?

The Regulations apply whether or not any particular individual can be identified as a result of the use of a cookie. Where an individual can be identified from the information obtained, then this involves processing personal data and compliance with the Data Protection Act 1998 is also required.

When can cookies be used?

Under the Regulations, the use of cookies is only allowed if the user concerned:

The second requirement, consent, is the major change.

Are there any exemptions?

The main exemption from the obligation to obtain consent is where the cookies are ‘strictly necessary’ for a service which the user has requested. This exemption will be construed narrowly. The ICO Guidance states that the following cookies are likely to be considered ‘strictly necessary’, namely those which:

The following uses are not considered strictly necessary and hence consent is necessary for cookies which:

Compliance

The Regulations do not define who should be responsible for compliance but the person setting the cookie is primarily responsible. Where cookies are set by a third party (normally an advertiser or advertising network), both the website owner and the third party will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.

What is critical is not who obtains the consent but that valid, well-informed consent is obtained. Consent need not necessarily be obtained from each and every user of a particular device. Indeed, it may not always be possible to distinguish between individual users. Consent does, however, at the very least need to be obtained from one of (a) the subscriber (the person who pays the access bill); or (b) a user.

Third parties setting cookies or providing a product or service that requires the setting of cookies, for example, advertising networks that want to place cookies on users' equipment through a website that they do not operate themselves, may wish to include a contractual obligation into agreements with website owners to satisfy themselves that appropriate steps will be taken to provide appropriate information about third party cookies and obtain the necessary consent (see below).

Non-compliance

The ICO has the power to fine organisations up to £500,000 if it believes an infraction is serious enough, as well as to impose other enforcement measures. Although the ICO has stated that a monetary penalty would be at the extreme end of the enforcement options available and that it does not anticipate a wave of enforcement action, it does expect organisations to have used the adjustment period since May 2011 productively and to have ensured that they are working towards becoming fully compliant. In reality, if a website owner is found to be non-compliant but there are no major privacy issues, an information notice or enforcement notice may be all that is issued, requiring certain information to be supplied or a particular action to be carried out by a certain date.

Requirement to provide information

For most users it will be appropriate to provide information in the form of an explanation of the way cookies operate and the categories of cookies used on the particular website. No specific form of information is mandatory but the explanation provided must be ‘sufficiently full and intelligible to allow individuals to clearly understand’ the information being collected and why. Explanatory information must be ‘readily available’. In April 2012 the International Chamber of Commerce (‘ICC’) produced a guide to help organisations comply with the law, see the ICC Cookie Guide, which provides some suggested wording.

The ICO advises that rather than simply including the information about cookies in a privacy policy, businesses should consider setting up a separate web page with a prominent link on the home page or possibly on every page of the website. The link should preferably have a title that makes it clear that this is where information about cookies can be found such as ‘Read here about how we use cookies’ and, as far as is possible, the information should be in clear language that is easy to understand.

Requirement to obtain consent

Some suggestions for methods of obtaining consent are outlined in the ICO Guidance:

In relation to users selecting preferences or enabling features, in practice it will normally be sufficient to make it clear to the user that these will be set or enabled by using a cookie (with a link to the more detailed cookie information). If the user then proceeds to choose the preference or enable the setting, his consent to the setting of the relevant cookie can be assumed.

Implied consent

The ICO has changed its earlier position on implied consent and has clarified that, although an explicit opt-in mechanism might provide regulatory certainty, in some circumstances implied consent might be sufficient. Website operators need to remember that where their activities result in the collection of sensitive personal data, such as information about an identifiable individual’s health, data protection law might require them to obtain actual consent.

The two key requirements of implied consent according to the ICO Guidance are:

Information – website users need to be given a clear notice that the website uses cookies and an explanation of what they are used for. The information must be:

Choice – visitors to a site should be able to control the setting of cookies even if the consequences might be loss of functionality for that visitor. The website provider must satisfy itself that the user’s actions are not only an explicit request for content or services but also amount to an indirect expression of the user’s consent to the setting of cookies. Consent might be inferred for example when a user visits a website, moves from one page to another or clicks on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.

If the website includes a clear and unavoidable notice that cookies will be used if the user enters the site, and if the user then clicks through and continues to use the site, this would be sufficient to imply consent.

Changes to purposes

If the purposes of the cookies used change significantly after consent has been obtained, it will be necessary to make users aware of the changes and allow them to make an informed choice as any consent obtained previously will be insufficient.

Withdrawal of consent

Users must be allowed to withdraw consent at any time and sufficient information must be given as to how that can be done.

Effect on EU compliance

This change in position by the ICO may set it against the majority of data protection regulators in other EU member states and the Article 29 Working Party, which has clearly ruled out the use of implied consent. By the ICO's own admission, this may lead to difficulties for UK providers who place cookies on the equipment of non-UK EU citizens on the basis of implied consent.

What should you do?

If you have not started work on complying with the Regulations, it is important to do so now. First steps should be to:

What has TRG done?

We have taken a pragmatic view about what we can and must do in relation to the use of cookies and similar technologies on our website and by distributing our email newsletters, the TRG Update and the TRG Executive BRIEFing. The steps we have taken to comply with the new law therefore are:

If you require any advice on complying with the Regulations, please contact us at info@TRGlaw.com.
