Check Your Website
Website owners should audit their websites for compliance by establishing which cookies are set, by whom, for how long and for what purpose, and then considering whether the "necessary" exception applies to each. Do not forget that third parties placing content on your website (e.g. advertisements, analytics scripts or embedded media) may be setting their own cookies in your visitors' browsers; these will not show up in a review of your own server configuration and are only visible by observing what the browser actually receives when a page loads.
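To make that audit concrete, the following Python script is an added example and is not part of the original article. It takes a list of Set-Cookie headers as a crawler or a browser's network log would record them while loading one page (the sample data here is constructed, and the site domain `example.co.uk`, the hosts and the cookie names are invented), classifies each cookie as session or persistent and as first- or third-party, and lists the ones that need a purpose review before the "necessary" exception can be claimed.

```python
"""Offline cookie inventory for a website compliance audit.

Added example, not code from the original article.  Input is a constructed
list of (response URL, Set-Cookie header) pairs of the kind a crawler or a
browser's network log produces while loading one page.  SITE_DOMAIN is the
hypothetical registrable domain of the site being audited.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SITE_DOMAIN = "example.co.uk"  # hypothetical audited site (registrable domain)

# Constructed sample: responses observed while loading one page of the site.
OBSERVED = [
    ("https://www.example.co.uk/", "PHPSESSID=3f9a; Path=/; HttpOnly; Secure"),
    ("https://www.example.co.uk/", "basket=abc123; Path=/; Max-Age=1800; Secure; HttpOnly"),
    ("https://www.example.co.uk/", "lang=en-GB; Path=/; Expires=Wed, 01 Feb 2012 10:00:00 GMT"),
    ("https://ads.adnetwork.example/pixel.gif",
     "uid=98765; Domain=.adnetwork.example; Path=/; Expires=Sat, 01 Jun 2013 00:00:00 GMT"),
    ("https://www.example.co.uk/",
     "__utma=1.2.3; Domain=.example.co.uk; Path=/; Expires=Sat, 01 Jun 2013 00:00:00 GMT"),
]


@dataclass(frozen=True)
class CookieRecord:
    name: str
    set_by: str        # host of the response that carried the Set-Cookie header
    domain: str        # effective cookie domain (Domain attribute, else setting host)
    persistent: bool   # survives the browser session (Expires, or positive Max-Age)
    third_party: bool  # effective domain lies outside SITE_DOMAIN
    secure: bool
    http_only: bool


def parse_set_cookie(response_url: str, header: str) -> CookieRecord:
    """Parse one Set-Cookie header into an audit record."""
    host = (urlsplit(response_url).hostname or "").lower()
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    domain = attrs.get("domain", host).lstrip(".").lower()

    # Max-Age takes precedence over Expires; Max-Age <= 0 deletes the cookie,
    # so it is not a persistent cookie even if an Expires date is also present.
    if "max-age" in attrs:
        try:
            persistent = int(attrs["max-age"]) > 0
        except ValueError:
            persistent = False
        
    else:
        persistent = "expires" in attrs

    third_party = not (domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN))
    return CookieRecord(
        name=name.strip(),
        set_by=host,
        domain=domain,
        persistent=persistent,
        third_party=third_party,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )


def inventory(observed=OBSERVED):
    """Build the cookie inventory from the observed responses."""
    return [parse_set_cookie(url, header) for url, header in observed]


def consent_review_candidates(records):
    """Names of cookies that cannot be waved through as obviously 'necessary'.

    Anything persistent or set by a third party needs a human to record its
    purpose and decide whether the exception applies; session cookies set by
    the site itself are the usual candidates for the exception, but purpose,
    not lifetime, is what decides it.
    """
    return sorted(r.name for r in records if r.persistent or r.third_party)


if __name__ == "__main__":
    records = inventory()
    print(f"{'cookie':<10} {'set by':<28} {'persistent':<10} {'3rd party':<9} secure httponly")
    for r in records:
        print(f"{r.name:<10} {r.set_by:<28} {str(r.persistent):<10} "
              f"{str(r.third_party):<9} {str(r.secure):<6} {r.http_only}")
    print("needs purpose review:", ", ".join(consent_review_candidates(records)))
```

Run against real data by replacing `OBSERVED` with the Set-Cookie headers captured from a browser's developer tools or a crawl of your own pages; cookies set by JavaScript (`document.cookie`) do not appear in response headers, so a complete audit also needs a look at the page's scripts. The domain matching is deliberately simple and assumes you know the site's registrable domain; a public-suffix list would be needed to derive it automatically.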
How to Obtain Consent
A few weeks ago the UK Information Commissioner published guidance on how to comply with the new laws. The guidance states that “you need to provide information about cookies and obtain consent before a cookie is set for the first time. Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future”.
It was suggested that consent could be obtained via:
- pop-ups, or
- text in a header or footer on pages of the website, or
- inclusion in preferences that users set when using a website
Relying on users' existing browser settings is not acceptable as a way of obtaining consent. However, the Information Commissioner has indicated that in the future, once an adequate technical solution for signalling consent is developed for browsers, this may suffice.
Consequences of Non-Compliance
During the next 12 months the Information Commissioner's Office (ICO) will not penalise an organisation for breaches of the new laws. However, organisations should be taking steps now to ensure compliance by May 2012, as a failure to take appropriate steps during this period will be taken into account when formal enforcement begins in May 2012.
Penalties for Breach
The ICO can impose a fine of up to £500,000 for a serious breach. A serious breach is defined as a serious contravention likely to cause substantial damage or distress. The breach must have been deliberate, or the person responsible must have known or ought to have known that a breach would occur and then failed to take reasonable steps to prevent it.
The ICO plans to provide further details on this in October 2011.
Requirement to Notify of Personal Data Breaches
There is also a new requirement for telecoms and Internet companies to inform the ICO, and the customers affected, when personal data is lost, destroyed, altered, disclosed or accessed as a result of a security breach.
The ICO can also audit the measures taken by website providers to safeguard the security of public electronic communications, and can investigate and fine them depending on how they deal with personal data breaches.
Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years' experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues, please get in touch.