As you may already be aware, the law surrounding the download of cookies changed in May 2011. The amended E-Privacy Regulations require websites to seek the consent of end-users prior to the download of cookies onto their machines. End-users must also be given comprehensive information about the use of cookies on the websites they visit. See our last update on the matter for further details.
The Information Commissioner has put in place a one year moratorium on enforcement of the new regulations to allow businesses sufficient time to formulate their plans for compliance. Businesses have been reluctant to implement consent measures on their websites, citing reasons such as the available options being very detrimental to the user experience (e.g. pop-ups) and fears that key site analytics data will no longer be collected should users not consent to the download of cookies.
Clearly mindful of the confusion and apprehension surrounding implementation of the new cookies regulations, the Information Commissioner published updated advice regarding cookie compliance on 13 December 2011. The Commissioner’s additional interpretation of the new regulations is summarised below.
Consent
Consent must involve the end-user knowingly indicating their acceptance, for example by actively clicking an icon or subscribing to a service.
Although the cookies regulations do not use the term “prior”, the Commissioner expects cookies to be set only after consent and full information about the cookies to be downloaded has been given. It is recognised that cookies are often downloaded the moment a user arrives on a site. If possible, web managers should postpone the download of cookies until users have been given sufficient information to make a choice about whether or not they want cookies on their machines. However, if delaying the download of cookies is not possible, then websites should ensure they minimise, as much as possible, the time between the first cookie being downloaded and the point where sufficient information is provided to the user and consent can be given.
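The deferral the Commissioner describes can be implemented on the client side by routing every cookie write through a gate that only releases non-essential cookies once the user has actively accepted. The following is an added example and is not code from the original article or from the Information Commissioner; the class name, the injected `writeCookie` function, the `essential` list and the sample cookie names and values are assumptions made for this illustration.

```javascript
// Added example (not from the original article): a consent gate that defers
// non-essential cookie writes until the user has actively opted in, and that
// drops them entirely if the user refuses. Strictly necessary cookies (e.g. the
// session cookie) are written immediately. Names and values are constructed.

const CONSENT = { UNKNOWN: 'unknown', GRANTED: 'granted', REFUSED: 'refused' };

// Serialise name/value plus attributes into the string document.cookie accepts.
function formatCookie(name, value, attrs = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (Number.isInteger(attrs.maxAge)) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.secure) parts.push('Secure');
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join('; ');
}

class CookieConsentGate {
  // writeCookie(name, value, attrs) is injected so the gate can be exercised
  // outside a browser; in a page you would pass a document.cookie writer.
  constructor(writeCookie, { essential = [] } = {}) {
    this.writeCookie = writeCookie;
    this.essential = new Set(essential); // cookies strictly necessary for the service
    this.state = CONSENT.UNKNOWN;
    this.pending = [];                   // deferred non-essential writes
  }

  // Returns 'written', 'deferred' or 'dropped' so callers can see what happened.
  set(name, value, attrs = {}) {
    if (this.essential.has(name) || this.state === CONSENT.GRANTED) {
      this.writeCookie(name, value, attrs);
      return 'written';
    }
    if (this.state === CONSENT.REFUSED) return 'dropped';
    this.pending.push({ name, value, attrs });
    return 'deferred';
  }

  // Called from the consent control's click handler; flushes the queue.
  grant() {
    this.state = CONSENT.GRANTED;
    const flushed = this.pending.splice(0);
    for (const c of flushed) this.writeCookie(c.name, c.value, c.attrs);
    return flushed.length;
  }

  // Called when the user declines; queued non-essential cookies are discarded.
  refuse() {
    this.state = CONSENT.REFUSED;
    const dropped = this.pending.length;
    this.pending.length = 0;
    return dropped;
  }
}

// Browser writer: only usable where a document exists.
function documentWriter(name, value, attrs) {
  document.cookie = formatCookie(name, value, attrs);
}

// Demonstration with a recording writer instead of document.cookie (constructed).
function demo() {
  const written = [];
  const gate = new CookieConsentGate(
    (n, v, a) => written.push(formatCookie(n, v, a)),
    { essential: ['session_id'] },
  );
  const results = [
    gate.set('session_id', 'abc123', { path: '/', secure: true, sameSite: 'Lax' }),
    gate.set('_analytics', 'visitor-42', { path: '/', maxAge: 86400 }),
    gate.set('ad_segment', 'seg-7', { path: '/' }),
  ];
  const flushed = gate.grant(); // simulates the user clicking "accept"
  return { results, flushed, written };
}

if (typeof module !== 'undefined') {
  module.exports = { CONSENT, formatCookie, CookieConsentGate, documentWriter, demo };
}
```

In a real page the gate would be created at the top of the first script to run, `documentWriter` passed in as the writer, and every third-party tag loader wrapped so that it is only invoked after `grant()`; the point of the `pending` queue is that the time between first arrival and consent contains no non-essential cookie at all, which is the stricter of the two positions the Commissioner describes.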
Responsibility for compliance
The Commissioner considers that the person or entity setting the cookie is primarily responsible for compliance with the cookies regulations. However, when a third party’s cookies are dropped via a website, the Commissioner takes the stance that both parties are responsible for compliance with the law. In practice, the information requirements and opportunity for a user to give their consent will be provided on the website that the cookies are dropped from. As such, third parties dropping cookies, and the sites they drop cookies from, are encouraged to work together to achieve compliance. Third parties should seek to include contractual obligations upon the websites they drop cookies from in respect of the consent and information requirements in the regulations.
The Commissioner has also considered organisations contemplating avoidance tactics. A website hosted overseas (outside the EU) will still likely have to comply with the cookies regulations if:
- the organisation which owns the website is based in the UK; or
- the website itself is designed for the European market; or
- products and services are provided from the website to customers predominantly based in Europe.
Enforcement
The Commissioner has also revealed the primary enforcement actions available to him for organisations which refuse or fail to comply with the cookies regulations, namely:
- Information notice. A request for specific information from an organisation within a specified time frame.
- Undertaking. An organisation must carry out specific action to improve its level of compliance.
- Enforcement notice. An organisation must carry out specific actions to ensure compliance with the regulations. Failure to comply with this notice may be considered a criminal offence.
- Monetary penalty notice. A fine of up to £500,000, to be used only for the most serious breaches.
Enforcement action will be proportionate to the issue that it seeks to address. As such, cookies which do not greatly impinge on a user’s privacy rights (e.g. first party analytical cookies and those used to support the accessibility of sites and services) are likely to register extremely low on the Commissioner’s priority list for enforcement. The Commissioner has gone as far as suggesting that, while not considering them exempt from the regulations, he is unlikely to embark on “any consideration of regulatory action” in respect of the cookies referenced above, so long as organisations have done all they can to provide users with prominent and sufficient information about the purpose of such cookies. On the other hand, organisations dropping cookies which closely relate to users’ personal information should be prioritising implementation of the consent (and information) requirements of the regulations.
Conclusion
The additional guidance from the Commissioner suggests that a common sense attitude will be taken in respect of enforcement of the regulations from May onwards. However, what is stressed throughout the updated guidance is that the new regulations cannot be ignored and organisations should currently be doing all they can to achieve compliance.