As we indicated in our previous article on privacy and use of cookies, new rules governing the use of cookies (and other information storage technologies) have come into force. So from now on, if you want to store a cookie on a computer or device, you will have to obtain the user’s consent first. A “get-ready” period of 12 months has been allowed for businesses to develop ways of meeting the cookie-related requirements.
Guidance on complying with the new law

Under the new directive, the requirement for consent is much stricter than the old ‘inform the user and give them the option to opt out’ approach. Under the new regime, the only circumstance in which a business can store a cookie on a computer without obtaining the user’s permission is if this is “strictly necessary” for a service which the user has requested. The example given by the ICO is: if the user of an online shop places an item they wish to purchase in a virtual ‘basket’ and then clicks ‘proceed to checkout’, consent will not be required for the use of cookies to remember the chosen item. The ICO warns that this exception will be narrowly construed; it will only apply when the user has explicitly asked for the related service.
What do you need to be doing now?

The advice from the ICO is that you start preparing for this change in the law by:

- Carrying out a data protection audit covering the types of cookies you are using, the manner in which you are using them, whether it is necessary to use cookies at all, and which of them might require a user’s consent. A business also needs to consider whether its website displays content from a third party (e.g. advertisements), as that third party could be setting cookies on its users' devices. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom;
- Addressing how intrusive the use of the cookies is. The purpose behind this law is to protect users’ privacy, so the more intrusive your use of cookies is, the more urgent it is to put a consent process in place; and
- Deciding how to obtain consent. There are a number of ways a business may be able to obtain consent: through pop-ups; terms of use (note that users must indicate that they understand and accept any changes to the terms of use); settings (whereby you explain to users that by allowing the website to remember certain choices, they are consenting to the use of cookies); and scrolling text in a header or footer that prompts the user to make further choices when you want to set an analytics cookie on the user's device. The ICO notes that in the future websites may be able to rely on users’ browser settings as a means of consent, but it has made clear that a business cannot yet rely on this method.
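The three steps above (audit the cookies, classify them by intrusiveness, gate the non-essential ones on consent) can be expressed as a small server-side check. The following is an added example written for this article, not code from the ICO or from any real site or library. The cookie names, the purpose labels, and the ConsentRecord and CookiePolicy classes are assumptions made for the illustration; the registry stands in for the audit described above, and only cookies marked strictly necessary (the ICO's basket example) are written without a recorded consent.

```javascript
// Added example: consent-gated cookie setting in the spirit of the ICO guidance.
// Everything named here (Purpose labels, COOKIE_REGISTRY, ConsentRecord,
// CookiePolicy) is an assumption for illustration, not ICO terminology.

// Purposes a site might assign to its cookies. Only STRICTLY_NECESSARY is
// exempt from the consent requirement; every other purpose needs prior consent.
const Purpose = Object.freeze({
  STRICTLY_NECESSARY: 'strictly-necessary',
  ANALYTICS: 'analytics',
  ADVERTISING: 'advertising',
});

// Constructed output of the site's own audit: every cookie the site sets,
// mapped to its purpose. A cookie missing from this table has not been audited.
const COOKIE_REGISTRY = Object.freeze({
  basket: Purpose.STRICTLY_NECESSARY,  // remembers items after 'proceed to checkout'
  session: Purpose.STRICTLY_NECESSARY, // keeps a requested login session alive
  _stats: Purpose.ANALYTICS,           // site analytics: needs consent first
  ad_id: Purpose.ADVERTISING,          // third-party advertising: needs consent first
});

// Records which purposes the user has explicitly accepted, with an audit trail
// of where each decision came from (pop-up, settings page, etc.).
class ConsentRecord {
  constructor() {
    this.granted = new Set();
    this.history = [];
  }
  grant(purpose, source) {
    this.granted.add(purpose);
    this.history.push({ action: 'grant', purpose, source });
  }
  revoke(purpose, source) {
    this.granted.delete(purpose);
    this.history.push({ action: 'revoke', purpose, source });
  }
  // The only purpose that never needs consent is strictly necessary.
  allows(purpose) {
    return purpose === Purpose.STRICTLY_NECESSARY || this.granted.has(purpose);
  }
}

// Decides whether a cookie may be written and builds the Set-Cookie value if so.
// Blocked attempts are kept so the site can review which cookies it still
// tries to set without consent.
class CookiePolicy {
  constructor(registry, consent) {
    this.registry = registry;
    this.consent = consent;
    this.blocked = [];
  }
  setCookie(name, value, { maxAge = 3600, path = '/' } = {}) {
    const purpose = this.registry[name];
    if (purpose === undefined) {
      throw new Error(`cookie "${name}" is not in the cookie registry; audit it first`);
    }
    if (!this.consent.allows(purpose)) {
      this.blocked.push({ name, purpose });
      return null; // nothing is written to the user's device
    }
    return `${name}=${encodeURIComponent(value)}; Path=${path}; Max-Age=${maxAge}; Secure; HttpOnly; SameSite=Lax`;
  }
}

// Walks through the ICO's basket example: the basket cookie is written without
// consent, the analytics cookie is held back until consent is recorded.
function checkoutScenario() {
  const consent = new ConsentRecord();
  const policy = new CookiePolicy(COOKIE_REGISTRY, consent);
  const basket = policy.setCookie('basket', 'sku-123');       // exempt: user requested checkout
  const statsBefore = policy.setCookie('_stats', 'visitor-1'); // blocked: no consent yet
  consent.grant(Purpose.ANALYTICS, 'settings-page');           // user opts in via settings
  const statsAfter = policy.setCookie('_stats', 'visitor-1');  // now permitted
  return {
    basket,
    statsBefore,
    statsAfter,
    blockedCount: policy.blocked.length,
    historyCount: consent.history.length,
  };
}

console.log(checkoutScenario());
```

The registry is deliberately the single source of truth: a cookie that was never audited cannot be set at all, which turns the "carry out an audit" step into something the code enforces rather than something a developer has to remember. Revoking consent later drops the purpose from the set, so subsequent writes for that purpose are blocked again.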
Consequences of not complying

The ICO guidance on enforcement states that there is a lead-in period of 12 months for a business to develop ways to ensure compliance with the new rules. During this period every business needs to look at the cookies it uses and, where necessary, put in place steps to obtain users’ consent. If the ICO believes a business is not taking appropriate steps in this period, it will ask it to explain what it is doing to be in a position to comply by May 2012.
New powers

The ICO has new powers to enforce this law. Serious breaches may attract monetary penalties of up to £500,000. A serious breach is defined as a serious contravention likely to cause substantial damage or distress. Such a contravention must have been deliberate, or the person responsible must have known, or ought to have known, that a contravention would occur and then failed to take reasonable steps to prevent it. The ICO has committed to producing further guidance on how it intends to use these powers; it is likely that this guidance will be published in October 2011.

This article is for general purposes and guidance only and does not constitute legal or professional advice. Copyright 2010 Anassutzi & Co Limited. All rights reserved. Information may be shared or reproduced only if accompanied by the author’s name and bio.