EU Privacy Law

30 May

Has the Cookie Finally Crumbled?

On the 26th of May 2011, a small amendment was made in the EU to a little known EC directive.  This may have gathered a small amount of media coverage at the time, but I don’t think many business owners realised the effect it was going to have on their company, or more specifically, their website.

For the record, here is a copy of the relevant amendment which is more commonly known as the EU Privacy Law or the ‘Cookie Law’.

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the ‘Privacy Regulations’) enacted last summer require that any person setting cookies (or similar technologies) on the terminal equipment of users, or accessing any information stored in the cookies, must have provided users with “clear and comprehensive” information about the purposes for which the cookies are used and obtained their consent to the setting and use of the cookies.

The main exemption from this obligation is where the cookies are “strictly necessary” for a service which the user has requested.  This exception will be narrowly construed.  By way of guidance, the ICO has stated that the following are likely to be considered strictly necessary: cookies remembering the goods a user has put in a virtual basket; cookies providing essential security to comply with data protection law; and cookies ensuring that the content of a page loads effectively by distributing workload across numerous computers.  The following uses are not strictly necessary and so require consent: cookies used for analytical purposes (e.g. counting visitors); first and third-party advertising cookies; and cookies recognising a user so that the website can be tailored.

They go on to say that non-compliance can result in fines of up to £500,000!  WOW!

Companies were given a 12 month lead time to put their house in order before the directive was enforced, and that 12 month ‘grace’ period came to an end last Friday.

I appreciate that some of the readers of this blog may not know what I am talking about at this point so I will briefly explain what a ‘cookie’ is.  A cookie is a small baked biscuit often containing chocolate chips or nuts.  Those with a nut allergy should be particularly careful when eating cookies as even though the biscuit may not contain nuts, it may have been prepared in a factory where nuts are prepared (sorry I couldn’t resist).  However, a cookie may also refer to a small amount of data that is often downloaded by your computer when you visit a website.  The data stored in that cookie may contain information about what items you have added to your shopping basket so that when you next visit the site the items will still be there, or it may contain your user details for the site so you do not have to log in every time you return.  Cookies are also used to monitor visitor behaviour on your website and can be used for ‘targeted advertising’ purposes.

The directive states that if you use cookies on your website, you must gain explicit consent to do so.  Explicit consent involves giving your site visitors the option of whether or not to let you install cookies on their computer before they start using your site.  On the face of it that may seem fair enough.  The reality is wholly different.  A significant proportion of people, who may not be aware of how harmless cookies can be, will probably choose to object to you installing data on their computer which could potentially monitor their internet behaviour.

I am not sure I even use cookies.  So what if they object?  Will it impact me?

Well, over 97% of websites do use cookies.  If you can answer yes to any of these questions, your site will almost certainly use cookies in some form.

  1. Can you monitor site traffic? Do you have analytics software installed?
  2. Do you have a blog?
  3. Do you sell anything through your website?
  4. Do you have a client login?
  5. Was it built in WordPress, Joomla, Drupal or Magento?
  6. Do you have a gallery on your website?
  7. Are you able to edit any areas of the website yourself?
  8. Did you build your site yourself using an easy-to-use design tool?
  9. Do you have adverts on your site?
  10. Do you link to social media on your website?

As you can see, you probably do use cookies.  The consequences of visitors declining to accept cookies may stop your site working as it should and will also stop you being able to monitor your site statistics via Google Analytics or any other monitoring tool.

To ensure compliance, the Information Commissioner’s Office (ICO) suggests the following:

Carry out an audit

The first thing you need to do is make an inventory of the type of cookies you are using and what you are using them for.  You need to check which cookies are necessary and which might require a user’s consent. You should also consider if your website displays content from a third party (e.g. advertisements) as that third party could be setting cookies on your users’ devices. The ICO states that all parties have to ensure that users are aware of what is being collected and by whom.

Assess how intrusive your use of cookies is

The purpose behind this law is to protect users’ privacy, so the more intrusive your use of cookies, the more urgency there is for you to put a consent process in place. The International Chamber of Commerce (the ‘ICC’) has produced a cookie guide to help organisations comply with the law.  This guide helps you work out how invasive the cookies you use are by splitting them into four categories, from least intrusive to most intrusive:

(i)   strictly necessary;
(ii)  performance cookies;
(iii) functionality cookies; and
(iv)  targeting/advertising cookies.

The ICO is most worried about the very intrusive cookies; it informed The Register that “provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

Decide which method of obtaining consent best suits your circumstances

The ICO has made it clear that consent must involve “some form of communication where the individual knowingly indicates their acceptance.”  This means that any form of implied consent, such as a privacy policy hidden at the bottom of a webpage which states ‘by using this website you consent to our use of cookies’, is not compliant.

There are a number of ways through which you may be able to obtain consent:

  • pop-ups;
  • terms of use (note that users must indicate that they understand and accept any changes to the terms of use);
  • settings (whereby you explain to users that by allowing the website to remember certain choices, they are consenting to the use of cookies); and
  • scrolling text in a header or footer when you want to set a cookie on a user’s device which prompts a user to make further choices.

Apart from the headaches and expense involved in doing this, here is where it gets really confusing.

24 hours before the new laws were to be enforced, the ICO published updated guidance stating that implied consent through non-explicit means can be valid consent.

The ICO has recognised that obtaining active consent is not always the most appropriate method for organisations: “While explicit consent might allow for regulatory certainty […] this does not mean that implied consent cannot be compliant.”  This is in contrast to the previous ICO guidance which stated: “At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent”.  The new ICO guidance also seems to be at odds with the Article 29 Working Party’s review of the e-Privacy Directive. The Article 29 Working Party, a body comprised of representatives from each EU member state’s data protection authority, stated in its Opinion 2/2010 that “only in very specific, individual cases, could implied consent be argued.”

Over the last few weeks, in conjunction with our solicitors, we have been devising plans to make the transition as painless as possible for our clients.

Due to the last-minute U-turn from the ICO, we can currently recommend the following steps.

  1. Carry out an audit to find out what cookies are currently active on your website.   We have 9 and that will not be a particularly high number depending on your line of business.
  2. Prepare an inventory including what these cookies actually do and when they expire.  Some cookies expire when you leave your website and some cookies may remain active for indefinite periods.
  3. Prepare a privacy policy which explicitly details what cookies are installed, what they do and when they expire.
  4. Publish this on your website with links in a prominent place to ensure people cannot justifiably claim ignorance.
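As an added worked example of steps 1 and 2 (this is not the author's or their solicitors' material), the Python script below builds the cookie inventory from Set-Cookie headers captured with the browser's network tool while loading the site. The site host, the cookie names, the analytics vendor's .invalid host and the "strictly necessary" set are all constructed for illustration; first-party detection is simplified to host/subdomain matching.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
@dataclass
class CookieRecord:
    name: str
    set_by: str          # host whose response set the cookie
    third_party: bool
    expires: str         # "session" or an ISO-8601 timestamp
    needs_consent: bool

def parse_set_cookie(response_host, header, site_host, now, necessary):
    """Turn one captured Set-Cookie header into an inventory record."""
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    name = name_value.partition("=")[0].strip()
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # RFC 6265: Max-Age wins over Expires; neither attribute means a session cookie.
    if "max-age" in attrs:
        expiry = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expiry = parsedate_to_datetime(attrs["expires"])
    else:
        expiry = None
    # Simplified first-party test (same host or a subdomain); real audits compare eTLD+1.
    first_party = response_host == site_host or response_host.endswith("." + site_host)
    return CookieRecord(
        name=name,
        set_by=response_host,
        third_party=not first_party,
        expires="session" if expiry is None else expiry.isoformat(),
        needs_consent=name not in necessary,  # anything not strictly necessary
    )

def audit(site_host, captured, necessary, now):
    return [parse_set_cookie(h, c, site_host, now, necessary) for h, c in captured]
# Constructed sample: (responding host, Set-Cookie header) pairs captured from the
# browser's network tool; the .invalid host stands in for a real third-party vendor.
SITE = "www.shop.example"
CAPTURED = [
    ("www.shop.example", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "basket=item42; Max-Age=604800; Path=/"),
    ("stats.analytics-vendor.invalid", "vid=9f1; Expires=Thu, 30 May 2013 00:00:00 GMT; Path=/"),
]
NECESSARY = {"PHPSESSID", "basket"}  # this audit's own judgement, per the ICO's examples
def sample_audit():
    return audit(SITE, CAPTURED, NECESSARY, datetime(2012, 5, 30, tzinfo=timezone.utc))
```

Each record feeds straight into step 3: the name, who sets it, whether it is third-party, when it expires and whether consent is needed are exactly the details the privacy policy has to spell out.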

Although there is certainly a lot of confusion at present, following these simple steps should ensure you are not in breach of an EC Directive and not likely to pay a fine of up to £500,000.

If this seems like too much of a headache, get in touch as we are working with solicitors at present to provide a simple, cost effective service which will make sure you are not caught short.
