From the 26th of May 2012, the UK Information Commissioner's Office (ICO) will start prosecuting companies for breaches of the Privacy and Electronic Communications (Amendment) Regulations. These set out the obligations of website operators to provide users with information about cookies and to obtain their consent when using cookies. Failure to comply with the rules can result in a fine of up to £500,000.
What is a Cookie?
The New Rules
The new rules apply to the use of all cookies or similar technologies for storing information, such as Flash cookies, web beacons or bugs. The rules make no distinction between different types of cookies: they apply to both session and persistent cookies, and to both first-party and third-party cookies.
The more specific the consent is, the less likely it is that you will be in breach of the rules. For example, if you obtain consent before the cookie is set, you will have specific consent. If you rely on implied consent, you will need to show that the user has taken some positive action to imply consent. The UK Chamber of Commerce has provided some suggested wording for use on websites.
Clear and comprehensive information about the type of cookies being used and the purposes for which they are being set must be provided. The UK Chamber of Commerce suggests categorising cookies into 4 groups: strictly necessary, performance, functionality, and targeting or advertising cookies.
Who do the Rules Apply to?
The Regulations do not define who is responsible for complying with the rules, so primarily it is the person or company setting the cookie. Where third-party cookies are used, both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.
Organisations based in the UK will be subject to the rules even if their website is hosted outside of the UK. If organisations are based outside of the EU but their websites are designed for, or their products and/or services are directed at, EU customers, they should provide information and choices about cookies that comply with the rules.
Guidance on How to Comply with the New Rules
The ICO has issued non-binding guidance suggesting ways in which consent to the setting of cookies can be obtained and the International Chamber of Commerce (ICC) UK’s guidance also suggests various methods for complying with the notice requirements. A summary of these suggestions and some examples from the guides have been set out below.
- Pop-ups: Each time a cookie is to be set, a pop-up will inform the user. By continuing to use the website, the user will be deemed to have consented to the cookie. However, in practice these are not a very practical solution, particularly where numerous cookies are used.
- Settings/Features: Where users can choose preferences when using a website, for example via the use of videos that remember how users personalise their interaction, these settings/features could be used to obtain consent.
Additionally, the Internet Advertising Bureau Europe (IAB) has developed a voluntary code using the display of an icon on a website whenever an advert tracks a user's behaviour. By clicking on the icon, the user can switch off behavioural adverts. However, this only applies to the adverts of companies who are members of the scheme.
How to Avoid Fines
Despite the impending May deadline, many companies have not taken any action to amend their websites and are simply waiting to see what happens. In light of the guidance from the ICO this is not advisable.
You also need to review the steps that you take to obtain consent to any cookies you use: how and when the consent is obtained, and whether it is implied or specific. Also, do not forget to provide information about any third-party cookies that are placed, and provide links to any information about these that the third parties may provide.
Enforcement by the ICO
From 26th May 2012 you must comply with the new rules and the ICO will start taking formal action. The ICO has stated that they will be selective. For example, they have clearly indicated that they are unlikely to prosecute companies who only use analytic cookies and will concentrate on websites where no steps have been taken towards collecting consent or where particularly intrusive cookies are used.
Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years' experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues contact me: