The Cookie Monster
We've been monitoring the EU Privacy Directive closely for some time and as it comes closer to 'reality' for many companies we were 'interested' to see the ICO's 27 page guidance document.
We've done our best to summarise the guidance down to a more manageable size - so well worth a read.
What the law is effectively saying
The law requires that those setting cookies must:
- Tell people that the cookies are there
- Explain what the cookies are doing, and
- Obtain their consent to store a cookie on their device
The change in the law from 2003 is:
- 2003 European Directive: You must provide the option for people to opt out of cookies being stored on their devices
- EC Directive 2011: You must obtain consent to store a cookie on a user's or subscriber's device
Informing users about cookies and explaining their use
Suggested ways to make information about cookies more prominent include:
- Highlighting cookie information
- Making the link distinguishable from normal text and other links
- Placing the link in a prominent position
The regulations are not prescriptive about the sort of information that should be provided on cookies, but the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies should they wish to do so.
At present, levels of user understanding are likely to be low and so those using cookies will need to make a particular effort to explain the activities of cookies in a way that people will understand.
A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.
The regulations require that users or subscribers consent to cookies being used.
Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking on an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.
At present, evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent.
Getting consent in practice
Suggested ways to gain consent
- Pop-ups or similar techniques such as message bars - Using this technique you could ensure you are compliant by not switching on any cookies unless the person clicks 'I agree'. Some users might not click on either of the options available and go straight through to another part of the site. If they do, you might decide that you could set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site. This is an option that relies on the user being aware that the consequence of using the site is the setting of cookies. If you choose this option, you might want the reassurance of a notice appearing elsewhere on the site which reminds users that you are setting cookies.
- Including details within Terms and Conditions when a user registers or signs up - In this case you must gain consent by giving the user specific information about what they are agreeing to and providing them with a way to show their acceptance.
- Settings-led consent - Some cookies are deployed when a user makes a choice about how the site works for them. In these cases consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work.
- Feature-led consent - When a user takes an action on a site, either by opening a link, clicking a button or agreeing to a functionality being switched on - then you can ask for their consent to set a cookie at this point.
Exceptions from the requirement to provide information and obtain consent:
Where the use of the cookie is:
(a) For the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) Where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user
An 'information society service' is defined as 'any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service'.
This exception is likely to apply, for example, to a cookie used to ensure that when a user of a site has chosen goods they wish to buy and clicks the 'add to basket' or 'proceed to checkout' button, the site 'remembers' what they chose on a previous page. This cookie is strictly necessary to provide the service the user requests, so the exception would apply and no consent would be required.
- Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested - for example in connection with online banking services.
- Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers.
Activities unlikely to fall within the exception
- Cookies used for analytical purposes to count the number of unique users to a website for example
- First and third party advertising cookies
- Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored
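The pop-up approach above (set nothing non-essential until the person clicks 'I agree') and the strictly-necessary exception together describe a simple gate: classify every cookie the site uses, set the strictly necessary ones freely, and refuse the rest until a consent record exists. The following is an added illustration of that gate, not code from the ICO guidance or from this post; the cookie names, the `COOKIE_INVENTORY` table, the `cookie_consent` record name and the `policyVersion` idea are all constructed for the example. The consent record carries a policy version so that, if the purposes of the cookies change significantly later, consent given under the old version is treated as stale and the user is asked again.

```javascript
// Added example (constructed; not the ICO's or the blog's code): a consent gate
// that only sets strictly necessary cookies until consent is recorded, fails
// closed for cookies that are not in the published inventory, and treats
// consent given under an older policy version as stale.

const CONSENT_COOKIE = 'cookie_consent'; // assumed name for the consent record

// Hypothetical cookie inventory, classified along the lines of the guidance.
// The 'purpose' text is what the site would show users when asking for consent.
const COOKIE_INVENTORY = {
  session_id: { purpose: 'keeps the session the user asked for', strictlyNecessary: true },
  basket:     { purpose: 'remembers items added to the basket', strictlyNecessary: true },
  lb_node:    { purpose: 'pins the visitor to one server so pages load quickly', strictlyNecessary: true },
  visitor_id: { purpose: 'analytics: counts unique visitors', strictlyNecessary: false },
  ad_id:      { purpose: 'third-party advertising identifier', strictlyNecessary: false },
  greeting:   { purpose: 'tailors the greeting for returning users', strictlyNecessary: false },
};

function isStrictlyNecessary(name) {
  const entry = COOKIE_INVENTORY[name];
  return Boolean(entry && entry.strictlyNecessary);
}

// `jar` is any object with get/set/delete/keys (a Map here; in a browser this
// would be a thin wrapper around document.cookie). `policyVersion` identifies
// the cookie policy the user is shown when consent is requested.
function createConsentGate(jar, policyVersion) {
  function readConsent() {
    const raw = jar.get(CONSENT_COOKIE);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; } // corrupt record = no consent
  }

  function hasValidConsent() {
    const c = readConsent();
    // Consent recorded under a different policy version is stale: the purposes
    // the user agreed to may no longer match what the site does.
    return Boolean(c && c.granted === true && c.version === policyVersion);
  }

  function recordConsent() {
    jar.set(CONSENT_COOKIE, JSON.stringify({ granted: true, version: policyVersion, at: Date.now() }));
  }

  function withdrawConsent() {
    jar.set(CONSENT_COOKIE, JSON.stringify({ granted: false, version: policyVersion, at: Date.now() }));
    // Remove everything that needed consent; keep the consent record and the
    // strictly necessary cookies the user's requested service depends on.
    for (const name of Array.from(jar.keys())) {
      if (name !== CONSENT_COOKIE && !isStrictlyNecessary(name)) jar.delete(name);
    }
  }

  // Returns true if the cookie was set, false if the gate blocked it.
  function setCookie(name, value) {
    if (isStrictlyNecessary(name)) { jar.set(name, value); return true; }
    // A cookie missing from the inventory was never explained to the user, so
    // no consent covers it: fail closed even when consent exists.
    if (!(name in COOKIE_INVENTORY)) return false;
    if (!hasValidConsent()) return false;
    jar.set(name, value);
    return true;
  }

  // Names of consent-requiring cookies currently present, for audit/notice UI.
  function consentRequiredCookiesSet() {
    return Array.from(jar.keys()).filter((n) => n in COOKIE_INVENTORY && !isStrictlyNecessary(n));
  }

  return { hasValidConsent, recordConsent, withdrawConsent, setCookie, consentRequiredCookiesSet };
}

module.exports = { CONSENT_COOKIE, COOKIE_INVENTORY, isStrictlyNecessary, createConsentGate };
```

The key design choice is that the gate decides per cookie name from a published inventory rather than trusting the caller's own judgement: a new cookie added to the code base without an inventory entry is blocked, which surfaces the omission in testing instead of silently setting an undeclared cookie.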
Responsibility for compliance
The person setting the cookie is primarily responsible for compliance with the requirements of the law. Where third party cookies are set through a website, both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.
Third parties setting cookies or providing a product that requires the setting of cookies may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.
Companies who design and develop websites must also consider the requirements of these regulations and make sure the systems they design allow their clients to comply with the law.
Third party cookies
Anyone whose website allows or uses third party cookies should make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.
Consent from the user or subscriber
The regulations state that consent for a cookie should be obtained from the subscriber or user.
In practice the owner of a website may not be able to distinguish between consent provided by the subscriber and consent provided by the user.
The regulations do not specify whose wishes should take precedence if they are different. In a domestic context, there will usually be a subscriber (the person in the household paying the bill) and potentially several other users.
If a user complained that a website they visited was setting cookies without their consent the website could demonstrate they had complied with the Regulations if they could show that consent had previously been obtained from the subscriber.
Consent for cookies on more than one site
An organisation with several connected websites could in theory obtain consent for cookies set on each site in one place. In order for this consent to be valid it would have to be absolutely clear which websites the cookies in question were set on, what those cookies were used for and exactly what the user was agreeing to.
Changes to cookies use after consent has been obtained
Provided a valid consent has been obtained once, it does not need to be obtained again each time a user visits. If the purposes of the cookies you use change significantly after consent, however, you will need to make users aware of the changes and allow them to make the choice about those activities.
Withdrawing consent for cookies
There is a 'lead in' period of 12 months from May 25 2011 to put in place the measures needed to comply. There are a range of options available to the Information Commissioner to take formal action where this is necessary. The main options are:
- Information notice: This requires organisations to provide specified information within a certain time period
- Undertaking: This commits an organisation to a particular course of action in order to improve its compliance
- Enforcement notice: This compels an organisation to take the action specified in the notice to bring about compliance with the regulations
- Monetary penalty notice: Up to a maximum of £500,000 - To be used in the most serious of cases
As the lead in period comes to an end, organisations will need to be able to demonstrate that they have taken sensible, measured action to move to compliance.
If a website has not achieved full compliance at the end of the period, the Information Commissioner will expect a specific and clear explanation of why it was not possible to comply in time, a clear timescale for when compliance will be achieved, and details of specifically what work is being done to make that happen.