Frustratingly the government and the Information Commissioner’s Office (ICO) currently have no clear idea as to how the new legislation on cookies should be implemented by web managers. There is no guidance in the amended E-Privacy regulations as to exactly how “consent” should be given. The Government has left that remit with the ICO, and, as its latest briefing highlights, there is as yet no clear-cut method of ensuring compliance.
The consequences of non-compliance
UK-based web managers that do not make any changes to their websites before the morning of 26 May will not automatically be liable to a fine from the ICO. The ICO recognise that implementation of the new law will need to be phased. However, what all web managers need to be doing now is considering and planning their options for achieving compliance. If the ICO were to make any enquiries into a website shortly after the 26 May, a response explaining such preparatory steps might well be enough to avoid any sanctions. However, failing to make any changes to your website and being unable to demonstrate any consideration of implementation methods could lead to sanctions from the ICO.
What needs to be done now?
Web managers in the UK should therefore be doing the following:
- Ascertaining what type of cookies are used by their sites and how they are downloaded onto users’ machines (effectively a “cookie audit”).
- Deciding on which method(s) of obtaining consent is best for their website, given the cookie audit.
- Recording the cookie audit and implementation methods in an easily digestible form should the ICO ever investigate the site during this transitional period.
Suggested methods of implementation
The list is non-exhaustive and will doubtless get longer, but here are a few options which have been suggested to procure user consent before cookies are downloaded:
- Pop-ups each time a cookie is to be downloaded onto a user’s machine.
- Settings and feature-led consent. If cookies are downloaded when a user does something e.g. watches a video or personalises the site, obtaining the user’s consent prior to that action for compliance.
Ultimately, it is intended that consent will be provided through users’ web browsers and the Government is currently working with the major browser manufacturers to this end.
The ICO will be drafting further advice on the new law in the near future, potentially including other suggested methods of compliance and also how and when it intends to begin enforcing the regulations.
This alert was written by Simon Halberstam (partner) at SIMONS MUIRHEAD & BURTON LLP. If you need assistance please contact Simon Halberstam on 020 3206 2781 or firstname.lastname@example.org