Martin Sloan, associate in the Technology, Information and Outsourcing Group at Brodies LLP
Since Saturday, businesses in the UK are expected to have implemented the new EU-wide "cookie laws", which are designed to improve transparency about how users' activity is tracked on the internet.
Although the regulations came into force last May, a one-year grace period was granted to allow businesses and organisations to implement the necessary changes to their websites.
Unfortunately, many have not, raising the prospect that they could face financial penalties of up to £500,000 for breaching the regulations. Businesses are not alone in having failed to implement these new measures.
Rather embarrassingly, the UK Cabinet Office admitted last week that the majority of public sector websites would not be compliant by the time the grace period expires.
The good news is that the Information Commissioner's Office (ICO) has said it will not enforce the law aggressively initially and will instead focus its attention on the most intrusive cookie usage, with those who are unable to show that they are at least on the path to compliance following a complaint at greatest risk.
However, this does not mean that organisations can sit back and do nothing. The ICO has made it clear that it expects them to be able to demonstrate that they are taking steps towards compliance.
A cookie is a small data file stored on your computer or device by a website, which is used to help websites identify a particular user. Some cookies are temporary (session cookies), and are deleted once you leave the website. Other cookies (persistent cookies) will remain on your computer or device for a set period of time.
Although the law is often referred to as the "cookies law", it also applies to other files downloaded onto a user's device that are used to perform a similar function, such as local shared objects (or "Flash cookies"), web beacons/pixel tags and mobile apps. In this article I use the term "cookie" to refer to all of these files.
Unfortunately, browser controls for cookies are not terribly sophisticated, and recent surveys have shown awareness amongst users is low. Coupled with opaque information hidden in privacy policies, and high profile coverage about the way in which certain cookies are being (mis)used to track people's surfing habits, this has led to suspicion amongst users over the use of all cookies.
The ICO's official guidance sets out a number of different options for obtaining consent, and its view on what types of cookies are essential and therefore exempt from the requirements. As its guidance implies, in order to be effective, consent to persistent cookies should be obtained prior to the cookie being deployed on the user's device. Options include:
* the use of pop-up boxes or message bars upon arrival at a website (as used on the ICO's own website)
* terms and conditions accepted by users when registering to use a website
* obtaining consent at the point of activating a setting (for example, a cookies statement next to a "remember me" button)
* obtaining consent at the point of accessing a particular feature (for example, notifying users about retargeted advertising before the user begins a search for hotels or flights on a travel website, and only deploying the cookie once the user has clicked "search").
Some organisations have adopted interactive privacy "sliders" allowing users to select which types of cookies they wish to accept. The International Chamber of Commerce has also offered its own guide to compliance, with proposed consent wording for different types of cookies, which appears to have the tacit endorsement of the ICO.
What is appropriate will depend ultimately on the intrusiveness of the cookie, when it is used and the way in which users communicate with the website. Deploying cookies only when relevant (as opposed to on arrival at the homepage) may help make it easier to integrate consent into the user's journey.
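The options above share one mechanism: a non-essential cookie is written only after the user has given consent for it, while essential cookies are set regardless. The following JavaScript is an added example, not code from the article or from Brodies; the cookie registry, category names, cookie values and `maxAge` figures are constructed for illustration. It models a server-side consent gate that decides which `Set-Cookie` headers a response may carry, so that a first visit with no choice made deploys nothing beyond the essential cookies.

```javascript
// Added example, not from the article: a consent gate that deploys a site's
// non-essential cookies only after the user has opted in to their category.
// Essential cookies are always permitted; nothing else is written on first
// arrival at the site. The registry, category names and values are
// constructed for illustration.

// Constructed cookie registry, the kind of inventory the article's
// categorisation step would produce. maxAge is in seconds.
const COOKIE_REGISTRY = [
  { name: "sessionid", category: "essential", persistent: false },
  { name: "csrftoken", category: "essential", persistent: false },
  { name: "prefs", category: "functional", persistent: true, maxAge: 60 * 60 * 24 * 30 },
  { name: "_analytics", category: "analytics", persistent: true, maxAge: 60 * 60 * 24 * 365 },
  { name: "_retarget", category: "advertising", persistent: true, maxAge: 60 * 60 * 24 * 90 },
];

// Consent state: essential is always true; every other category is false
// until the user actively opts in, so silence never counts as consent.
function makeConsent(optIns = []) {
  const consent = { essential: true };
  for (const category of optIns) consent[category] = true;
  return consent;
}

// Registry entries that may be deployed under the given consent state.
function permittedCookies(registry, consent) {
  return registry.filter((c) => c.category === "essential" || consent[c.category] === true);
}

// Names of registry entries the consent state blocks.
function blockedCookies(registry, consent) {
  const allowed = new Set(permittedCookies(registry, consent).map((c) => c.name));
  return registry.map((c) => c.name).filter((name) => !allowed.has(name));
}

// Set-Cookie header value for one entry. Session cookies get no Max-Age;
// persistent ones get the registered lifetime. Secure and SameSite=Lax are
// applied to every cookie.
function setCookieHeader(entry, value) {
  const parts = [`${entry.name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (entry.persistent) parts.push(`Max-Age=${entry.maxAge}`);
  return parts.join("; ");
}

// Headers a response should carry: only consented cookies for which a value
// has been supplied. Anything the user has not consented to is dropped
// rather than set.
function deployCookies(registry, consent, values) {
  return permittedCookies(registry, consent)
    .filter((entry) => Object.prototype.hasOwnProperty.call(values, entry.name))
    .map((entry) => setCookieHeader(entry, values[entry.name]));
}

// Walk-through: first visit with no choice made, then after opting in to analytics.
const firstVisit = makeConsent();
console.log("first visit, blocked:", blockedCookies(COOKIE_REGISTRY, firstVisit));
const afterOptIn = makeConsent(["analytics"]);
console.log(deployCookies(COOKIE_REGISTRY, afterOptIn, { sessionid: "7f3a", _analytics: "u1", _retarget: "r1" }));
```

The design choice worth noting is that the gate is default-deny: a category the user has never seen a choice for is treated as refused, which is what "consent prior to the cookie being deployed" requires. The same `permittedCookies` check can be reused client-side before any script writes to `document.cookie`.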
There are four key steps to compliance:
Step 2: Categorise your cookies: for example, cookies that are essential (and therefore exempt from the requirements of the new regulations), first-party cookies, third-party cookies (which are under the control of a third party), session cookies (which expire when the user leaves the website) and persistent cookies.
Step 3: Assess the intrusiveness of each category, based on the impact on the user's privacy. Consider the most appropriate method of obtaining consent, based on the user's expectations and the intrusiveness of the cookie. Remember that it is unlikely that there will be a one-size-fits-all solution.
Step 4: Implement the appropriate changes to your website and update your privacy/cookies policy so that users are given clear and accurate information about the cookies you use and appropriate consent is obtained. Remove any cookies that are unnecessary or no longer used.
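Steps 2 and 3 start from an inventory of what the site actually sets. The JavaScript below is an added example, not code from the article or from Brodies: it takes `Set-Cookie` header values captured from a site's responses, records which host sent each one, classifies every cookie as session or persistent and first- or third-party, and sorts the inventory so the most intrusive cookies are reviewed first. The captured headers, the hostnames and the list of essential cookie names are constructed, and the four-level intrusiveness scale is an assumption made for illustration rather than ICO guidance.

```javascript
// Added example, not from the article: an audit helper for the categorise
// and assess steps. Captures, hosts and essential names are constructed; the
// intrusiveness scale is an assumption for illustration, not ICO guidance.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// A cookie is first-party if the response that set it came from the site
// itself or one of its subdomains.
function isFirstParty(responseHost, siteHost) {
  const host = responseHost.toLowerCase();
  const site = siteHost.toLowerCase();
  return host === site || host.endsWith("." + site);
}

// Persistent cookies carry Max-Age or Expires; session cookies carry neither.
function isPersistent(cookie) {
  return "max-age" in cookie.attrs || "expires" in cookie.attrs;
}

// Lifetime in seconds (null for session cookies). Max-Age wins over Expires,
// as it does in browsers.
function lifetimeSeconds(cookie, now = Date.now()) {
  if ("max-age" in cookie.attrs) return parseInt(cookie.attrs["max-age"], 10);
  if ("expires" in cookie.attrs) return Math.round((Date.parse(cookie.attrs.expires) - now) / 1000);
  return null;
}

// Constructed intrusiveness scale (an assumption, not from the article):
// exempt = essential; low = first-party session; medium = first-party
// persistent or third-party session; high = third-party persistent.
const INTRUSIVENESS_RANK = { exempt: 0, low: 1, medium: 2, high: 3 };

function categorise(capture, siteHost, essentialNames) {
  const cookie = parseSetCookie(capture.header);
  const firstParty = isFirstParty(capture.responseHost, siteHost);
  const persistent = isPersistent(cookie);
  let intrusiveness;
  if (essentialNames.has(cookie.name)) intrusiveness = "exempt";
  else if (firstParty && !persistent) intrusiveness = "low";
  else if (firstParty || !persistent) intrusiveness = "medium";
  else intrusiveness = "high";
  return {
    name: cookie.name,
    setBy: capture.responseHost,
    firstParty,
    persistent,
    lifetimeSeconds: lifetimeSeconds(cookie),
    intrusiveness,
  };
}

// Inventory sorted most-intrusive first; Array.prototype.sort is stable, so
// cookies of equal rank keep their capture order.
function auditCookies(captures, siteHost, essentialNames) {
  return captures
    .map((c) => categorise(c, siteHost, essentialNames))
    .sort((a, b) => INTRUSIVENESS_RANK[b.intrusiveness] - INTRUSIVENESS_RANK[a.intrusiveness]);
}

// Constructed sample: headers as they might be captured from a site's
// responses during the audit. Hosts and cookie names are made up.
const SITE_HOST = "example.com";
const ESSENTIAL_NAMES = new Set(["sessionid"]);
const CAPTURED = [
  { responseHost: "www.example.com", header: "sessionid=7f3a; Path=/; Secure; HttpOnly" },
  { responseHost: "www.example.com", header: "prefs=lang%3Den; Path=/; Max-Age=2592000; SameSite=Lax" },
  { responseHost: "www.example.com", header: "_analytics=u1; Path=/; Expires=Thu, 01 Jan 2037 00:00:00 GMT" },
  { responseHost: "ads.tracker.example", header: "_retarget=r1; Domain=.tracker.example; Path=/; Max-Age=7776000" },
  { responseHost: "ads.tracker.example", header: "_tsid=abc; Path=/" },
];

const inventory = auditCookies(CAPTURED, SITE_HOST, ESSENTIAL_NAMES);
for (const row of inventory) {
  console.log(`${row.intrusiveness.padEnd(6)} ${row.name.padEnd(10)} set by ${row.setBy} ` +
    `${row.firstParty ? "first-party" : "third-party"} ${row.persistent ? "persistent" : "session"}`);
}
```

The printed inventory, with names, setting host, lifetime and intrusiveness level, is the kind of record the article says organisations should keep: it shows which cookies were found, how each was categorised and why a particular consent mechanism was chosen for it. Cookies that appear in the capture but not in the registry you intend to keep are candidates for the "remove any cookies that are unnecessary" part of Step 4.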
It's essential that organisations properly document their actions for each of those steps.
If an organisation cannot demonstrate that it has been through this process then it will be difficult for it to demonstrate to the ICO that it has taken appropriate action.
In contrast, if an organisation can provide the ICO with a privacy impact assessment that explains why it took a particular course of action, the ICO is likely to take a more benevolent approach to enforcement, even if it thinks the organisation got it wrong.
We have seen a wide variety of approaches to compliance with the new regulations, some of which appear more cavalier than others. Time will tell whether the ICO considers that these are sufficient to comply with the regulations. What is clear is that inaction is not an option.
Martin Sloan is an associate in the Technology, Information and Outsourcing Group at Brodies LLP
Brodies has created a free online resource for information on the new cookies law, which can be found here