Update: Having spoken to Greg at the ICO’s press office, we have the following update.
Greg explained: “Users have to give their consent for cookies before any are stored on the device. So a pop-up that offers an ‘opt-out’ is a move towards compliance but to follow the letter of the law users must give consent before any cookies are stored on their device.”
A new set of guidelines from the ICO is said to be imminent; the current guide can be found here.
What do the new regulations cover?
In the UK the Information Commissioner’s Office (ICO) is the regulator that enforces the changes made by the EU ‘Cookie Directive’. Although the amended regulations came into force almost a year ago, the ICO granted UK website owners a 12-month grace period before it starts enforcing them.
According to the ICO, the directive demands that: “a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. (2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.” (Regulation 6 of the Privacy and Electronic Communications Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011)
This means that those setting cookies must tell people that the cookies are there, explain what the cookies are doing and obtain their consent to store a cookie on their device.
So what is a cookie?
Cookies are small pieces of text, stored by a user’s browser and sent back to the site on later requests, which enable personalised web pages, manage users’ shopping carts and login areas, and sometimes enable targeted advertising.
The ICO and the International Chamber of Commerce (ICC) have each issued guidelines that give a general explanation of the changes, describing the different types of cookie and how the legislation affects each.
Firstly, cookies defined as strictly necessary are covered by the legislation but exempt from the consent requirement, although the website should still explain what they are and why they are there.
Strictly necessary cookies enable a site to remember text entered in a page within the same session or to remember whether a user is logged in or not – they are cookies without which a service the user has asked for could not work. A cookie that is merely convenient for the site operator does not qualify.
The second category is performance cookies, which collect information about how the website is used in order to improve the user’s experience and the site’s performance. Examples include website analytics (e.g. Google Analytics) and ad-response rates (where data is collected exclusively for calculating click-through rates). They collect only aggregated data and do not identify a particular visitor; a cookie that does identify a visitor no longer belongs in this category. These cookies are usually persistent and have fairly long expiry times.
Functionality cookies fall into the third category. These remember the choices that users make within a website, such as usernames, language or region, to provide an enhanced, more personalised web experience. They cannot track your activity on other websites, and the information they hold is anonymised.
The final type of cookie is the main target of the legislation. Targeting or advertising cookies collect information about your browsing habits in order to tailor third-party advertising to your interests. They are usually placed by advertisers, with the website operator’s permission, and can track a user across every site that carries the same advertising network.
How can my site comply?
There are several different interpretations of the new data privacy law; the ICC guide offers template consent requests for each of the types of cookie mentioned above.
The main message among those offering advice on the matter is ‘to be clear and concise about the cookies you use, and use them sparingly.’
The full report from the ICO provides a detailed breakdown of how the law will be enforced throughout the UK and explains that the ICO will focus its efforts on the most intrusive cookies.
The report suggests that the key with each type of cookie is to allow users to make a clear and informed choice.
BT’s interpretation is to show a pop-up window on the first visit to the site that explains what cookies are used for and lets you adjust the level of cookies, in line with the four categories described above. They offer the option to lower cookie usage to ‘strictly necessary’ and ‘performance’ cookies, but not to opt out completely, and changing the level is left for the user to do; the ‘settings’ link is available at the bottom of each page. Note that, as the ICO’s comment at the top of this post makes clear, a pop-up that lets cookies be set before the user has chosen is an opt-out rather than prior consent.
- Understand how the EU Directive applies to your site with help from guidance released by the ICO.
- Review the cookies that are used on your site – are they all necessary?
- Evaluate the information obtained by them and whether this is vital for your business
- Begin adding consent requests at the points where users already interact with you, such as login, registration and similar processes
- Clearly link to explanations of what each cookie is, the information they store, and when they expire
- Build a plan to extend this to the rest of your site.
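As an added example (not BT’s, the ICO’s or the ICC’s code, and not part of the original post), the JavaScript below shows one way to implement the settings-level approach described above together with the ‘review the cookies used on your site’ step of the checklist: every cookie the site sets is declared with one of the four ICC categories and is refused until the user’s recorded choice covers that category, and an audit pass lists cookies present on the device that are either missing from the site’s own cookie register or were set without consent. The cookie names (cookie_consent, session, _ga, ad_id), the register and the consent lifetime are assumptions for illustration; the in-memory jar stands in for document.cookie so that the example runs under Node.

```javascript
// Added example: gate non-essential cookies on recorded consent and audit what is set.
// Categories follow the four ICC types discussed above. All cookie names are assumptions.

const CATEGORIES = ['strictly-necessary', 'performance', 'functionality', 'targeting'];

// The user's choice is stored in a first-party cookie of its own. Remembering that
// choice is strictly necessary to honour it, so it is the one cookie written before consent.
const CONSENT_COOKIE = 'cookie_consent';

// Minimal in-memory stand-in for document.cookie (assumption for the demo): the setter
// accepts "name=value; attr; attr" and the getter returns "a=b; c=d". In a browser,
// pass `document` to the functions below instead of makeJar().
function makeJar() {
  const store = new Map();
  return {
    get cookie() {
      return [...store].map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map(s => s.trim());
      const eq = pair.indexOf('=');
      if (eq < 0) return;
      const name = pair.slice(0, eq);
      const value = pair.slice(eq + 1);
      const expired = attrs.some(a => /^max-age=0$/i.test(a));
      if (expired) store.delete(name); else store.set(name, value);
    },
  };
}

// Parse the "a=b; c=d" cookie string into an object of decoded name -> value.
function parseCookies(jar) {
  const out = {};
  for (const part of jar.cookie.split(';')) {
    const p = part.trim();
    const eq = p.indexOf('=');
    if (eq < 0) continue;
    out[decodeURIComponent(p.slice(0, eq))] = decodeURIComponent(p.slice(eq + 1));
  }
  return out;
}

// The categories the user has agreed to. Strictly necessary cookies are exempt from
// the consent requirement, so that category is always allowed.
function getConsent(jar) {
  const allowed = new Set(['strictly-necessary']);
  const raw = parseCookies(jar)[CONSENT_COOKIE];
  if (raw) for (const c of raw.split(',')) if (CATEGORIES.includes(c)) allowed.add(c);
  return allowed;
}

// Record the user's choice; this is what the settings pop-up writes. Lifetime: one year.
function recordConsent(jar, categories) {
  const chosen = categories.filter(c => CATEGORIES.includes(c) && c !== 'strictly-necessary');
  jar.cookie = `${CONSENT_COOKIE}=${encodeURIComponent(chosen.join(','))}; Max-Age=31536000; Path=/; SameSite=Lax`;
}

// Single choke point for setting cookies: declare the category, and the cookie is only
// written when recorded consent covers it. Returns true if set, false if refused.
function setCookie(jar, name, value, category, maxAgeSeconds) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  if (!getConsent(jar).has(category)) return false;
  const attrs = ['Path=/', 'SameSite=Lax'];
  if (maxAgeSeconds !== undefined) attrs.push(`Max-Age=${maxAgeSeconds}`); // omitted: session cookie
  jar.cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; ${attrs.join('; ')}`;
  return true;
}

// Audit step from the checklist: `register` maps each cookie the site knows about to its
// category. Reports cookies on the device that are unregistered or lack consent.
function auditCookies(jar, register) {
  const allowed = getConsent(jar);
  const findings = [];
  for (const name of Object.keys(parseCookies(jar))) {
    if (name === CONSENT_COOKIE) continue;
    const category = register[name];
    if (!category) findings.push({ name, problem: 'not in cookie register' });
    else if (!allowed.has(category)) findings.push({ name, problem: `set without consent for ${category}` });
  }
  return findings;
}

// Demo walk-through (constructed): first visit, then the user allows performance cookies only.
const demoJar = makeJar();
const demoRegister = { session: 'strictly-necessary', _ga: 'performance', ad_id: 'targeting' };
setCookie(demoJar, 'session', 'abc123', 'strictly-necessary');      // set: exempt category
setCookie(demoJar, '_ga', 'GA1.2.1', 'performance', 63072000);       // refused: no consent yet
recordConsent(demoJar, ['performance']);
setCookie(demoJar, '_ga', 'GA1.2.1', 'performance', 63072000);       // set: now covered
setCookie(demoJar, 'ad_id', 'xyz', 'targeting', 63072000);           // refused: targeting not chosen
console.log('cookies:', demoJar.cookie);
console.log('audit findings:', auditCookies(demoJar, demoRegister));
```

The gate only controls cookies that the page’s own code writes through setCookie. A third-party analytics or advertising script sets its own cookies as soon as it loads, so the same consent check has to sit in front of the script tag itself (only inject the script once getConsent() includes its category), and the audit should be run on a fresh browser profile before any choice is made to confirm that nothing beyond the consent cookie and strictly necessary cookies appears.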
Don’t waste any more time! Ensure that you know which cookies your site uses, understand how the law applies to them (seeking legal counsel if needed) and set a schedule to make sure that your site complies before the 26 May 2012 deadline.
Disclaimer: Please note that this is a summary of opinions regarding the new cookie law but does not amount to legal advice since the writer of this blog is not authorised to advise on the interpretation and the application of the new cookie law to particular circumstances or matters and any such comments made by the said writer of this blog will not constitute and must not be relied upon as legal advice.