Online privacy: how to comply with the new law on cookies

ONLINE PRIVACY: HOW TO COMPLY WITH THE NEW LAW ON COOKIES – 29 MAY 2012

On 26 May 2012 the Information Commissioner’s one-year moratorium on enforcing the amended Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “cookies Regulations”), which govern websites’ use of cookies in the UK, came to an end. At the time of writing, very few websites are compliant.

The new law requires websites to gain explicit user consent to receive a cookie prior to deployment. The precise requirements for compliance were, and remain somewhat, unclear. The Information Commissioner’s interpretation of the new Regulations (see also the January 2012 update below) is summarised below.

Consent

Consent must involve an end-user knowingly indicating acceptance of the cookie(s) that it is downloading; this could, for example, be by way of click acceptance.

Although the cookies Regulations do not use the term “prior”, the Commissioner expects cookies to be sent only after consent and full information about the cookies to be downloaded has been given. It is recognised that cookies are often automatically downloaded the moment a user arrives on a site. If possible, web managers should postpone the download of cookies until users have been given sufficient information to make a choice about whether or not they want cookies on their machines. If delaying the download of cookies is not possible, websites should ensure they minimise the time between the first cookie being downloaded and the point where sufficient information is provided to the user and consent to permit the cookie to remain on its machine can be given.
Responsibility for compliance

The Commissioner considers that the person or entity setting the cookie is primarily responsible for compliance with the cookie Regulations. However, when a third party’s cookies are deployed via a website, the Commissioner takes the stance that both the website owner and the third party are responsible for compliance.

In practice, the information requirements and opportunity for a user to give its consent will be provided on the website that the cookies are dropped from. As such, third parties dropping cookies, and the sites through which they drop cookies, are encouraged to work together to achieve compliance. Third parties should seek to impose contractual obligations upon the websites through which they drop cookies in respect of compliance with the consent and information requirements in the Regulations.

Avoidance tactics have also been considered by the Commissioner. A website hosted overseas (outside the EU) will be likely to fall within the ambit of the Regulations if:

  • the organisation which owns the website is based in the UK; or
  • the website itself is targeted at the European market; or
  • products and services are provided from the website to customers predominantly based in Europe.
Enforcement

The Commissioner has also revealed the primary enforcement actions available to him for organisations which refuse or fail to comply with the Regulations, namely:

  • Information notice. A request for specific information from an organisation within a specified time frame.
  • Undertaking. An organisation must carry out specific action to improve its level of compliance.
  • Enforcement notice. An organisation must carry out specific actions to ensure compliance with the Regulations. Failure to comply with this notice may be considered a criminal offence.
  • Monetary penalty notice. A fine of up to £500,000, to be used only for the most serious breaches.

Enforcement action will be proportionate to the associated privacy concerns. As such, cookies which do not greatly impinge on a user’s privacy rights (e.g. first-party analytical cookies and those used to support the accessibility of sites and services) are likely to register extremely low on the Commissioner’s priority list for enforcement.

The Commissioner has gone as far as suggesting that, while not considering them exempt from the Regulations, he is unlikely to take action in respect of cookies that do not impinge on users’ privacy. On the other hand, organisations dropping cookies which focus on gathering users’ personal information will be the main focus for enforcement.
Potential exemptions for providers of online gaming services

Of particular interest to operators in the online gaming sector is the statutory exemption from obtaining prior consent where a deployed cookie is “strictly necessary for the provision of an information society service requested by the subscriber or user”.

In this context, an ‘information society service’ is defined as “any service normally provided for remuneration, at a distance, by means of electronic equipment… at the individual request of a recipient of a service”. The Information Commissioner has indicated that this definition covers cookies that manage online ‘shopping baskets’, serving to remember information about products or services that an individual has indicated a desire to purchase whilst it navigates around, or temporarily leaves, the site.

This exemption should serve to lighten the burden for the online gaming industry. Specifically, it could allow sites to continue to use cookies to record information such as an individual’s balance of funds, ticket purchases, and winnings in much the same way as they do now. As involvement in online gaming activity is actively requested by users when they choose to play games online, the download of cookies which specifically manage their engagement with that service seems likely to fall within the exception set out above.
What needs to be done now?

Web managers in the UK should therefore be doing the following:

  • Ascertaining what type of cookies are used by their websites and how they are downloaded onto users’ machines (effectively a ‘cookie audit’).
  • Gauging the likelihood of existing cookies fitting within the ‘provision of service’ exemption detailed above.
  • Deciding on which method(s) of obtaining consent to cookies are best for their website, given the results of the cookie audit.
  • Recording the cookie audit and implementation methods in an easily digestible form, lest the ICO investigate the site.
Suggested methods of implementation

Below are a few options which have been suggested to procure user consent before cookies are downloaded. Please note that consent only needs to be provided by a user the first time each type of cookie (used for the same purpose) is downloaded onto its machine:

  • Pop-ups each time a new type of cookie is to be downloaded onto a user’s machine.
  • Having in place a privacy policy setting out the site’s use of cookies, the terms of which a user must positively accept upon visiting the site for the first time (e.g. via a tick box).
  • Settings and feature-led consent. If cookies are downloaded when a user does something, e.g. watches a video or personalises the site, obtaining the user’s consent prior to feature access.

Web managers should bear in mind the “strictly necessary” exemption, but be careful not to place excessive reliance on it.
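A worked illustration of the ‘cookie audit’ and the ‘feature-led consent’ approach above, added here as an example and not code from the original article or from the ICO. It parses Set-Cookie headers captured while a page loads, records for each cookie whether it is first- or third-party and session or persistent, looks up its purpose in a register produced by the audit, and then writes only strictly necessary cookies immediately, holding everything else back until the user consents to that purpose. The cookie names, purposes, hostnames and header values are constructed for the demo, and `COOKIE_REGISTER`, `auditCookie` and `ConsentGate` are names chosen here, not any standard API.

```javascript
// Added example (not from the original article): audit captured Set-Cookie
// headers, then gate every non-essential cookie behind per-purpose consent.
// All names, purposes and header values below are constructed for the demo.

const STRICTLY_NECESSARY = "strictly-necessary";

// Hypothetical output of a cookie audit: cookie name -> purpose.
const COOKIE_REGISTER = {
  sessionid: STRICTLY_NECESSARY,      // login / basket state the user asked for
  cookie_consent: STRICTLY_NECESSARY, // records the consent decision itself (assumption)
  _ga: "analytics",                   // first-party analytics
  ad_id: "advertising",               // third-party ad tracking
};

// Split one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    domain: null, path: "/", expires: null, maxAge: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = val;
    else if (key === "expires") cookie.expires = val;
    else if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Audit record: who sets the cookie, how long it lives, and what it is for.
// A cookie absent from the register is "unclassified" and therefore gated.
function auditCookie(header, siteHost, setByHost) {
  const c = parseSetCookie(header);
  const host = c.domain || setByHost; // no Domain attribute => host-only cookie
  const thirdParty = !(host === siteHost || siteHost.endsWith("." + host));
  return {
    ...c,
    thirdParty,
    persistent: c.expires !== null || c.maxAge !== null,
    purpose: COOKIE_REGISTER[c.name] || "unclassified",
  };
}

// Only strictly necessary cookies are written without consent; the rest are
// queued per purpose and released when the user knowingly accepts that purpose.
class ConsentGate {
  constructor(jar) {
    this.jar = jar;             // Map here; document.cookie writer in a browser
    this.consented = new Set(); // purposes the user has accepted
    this.deferred = new Map();  // purpose -> queued audit records
  }
  request(record) {
    const { purpose } = record;
    if (purpose === STRICTLY_NECESSARY || this.consented.has(purpose)) {
      this.jar.set(record.name, record.value);
      return "set";
    }
    if (!this.deferred.has(purpose)) this.deferred.set(purpose, []);
    this.deferred.get(purpose).push(record);
    return "deferred";
  }
  // Called on a click, tick box or feature opt-in; returns how many were released.
  grant(purpose) {
    this.consented.add(purpose);
    this.jar.set("cookie_consent", [...this.consented].sort().join(","));
    const queued = this.deferred.get(purpose) || [];
    this.deferred.delete(purpose);
    for (const r of queued) this.jar.set(r.name, r.value);
    return queued.length;
  }
}

// Constructed sample: [host that sent the header, Set-Cookie value] while
// loading www.example.co.uk. The user then opts in to analytics only.
function runDemo() {
  const SITE = "www.example.co.uk";
  const captured = [
    ["www.example.co.uk", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    ["www.example.co.uk", "_ga=GA1.2.1; Domain=.example.co.uk; Max-Age=63072000"],
    ["ads.tracker.net", "ad_id=zz9; Expires=Wed, 21 Oct 2026 07:28:00 GMT"],
  ];
  const jar = new Map();
  const gate = new ConsentGate(jar);
  const audit = captured.map(([host, h]) => auditCookie(h, SITE, host));
  const outcomes = audit.map((r) => gate.request(r)); // set, deferred, deferred
  const released = gate.grant("analytics");            // releases _ga only
  return { audit, outcomes, released, jar };
}
```

The gate treats the cookie that records the consent decision as strictly necessary (an assumption made here) and treats any cookie missing from the register as needing consent rather than letting it through. Deferring the write is only half the job: a third-party script, once loaded, will set its own cookies regardless, so in a real deployment the same gate must also hold back the script tag or iframe for that purpose until consent is granted.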
What next?

The ICO has suggested that, in the near future, consent could be validly provided through users’ web browsers. ICO guidance envisages a future scenario whereby a user accesses a website via a sufficiently sophisticated web browser set up to reject certain cookies and accept others, allowing a web manager to assume that the user has provided its consent accordingly. However, it is acknowledged that many web browsers are not sufficiently sophisticated for this method to be currently viable. The Government is therefore currently consulting with the major web browser manufacturers and it is envisaged that an announcement as to compliance via this unobtrusive method will eventually be made.

However, the Article 29 Working Party (a group of data protection regulators from EU member states) has given a non-binding (albeit very persuasive) opinion on consent via web browsers. The Working Party has suggested that reliance on users navigating websites via sophisticated web browsers is not, in itself, a substitute for procuring their positive consent to the download of cookies. Instead, the Working Party has suggested that web browsers need to be supplied to consumers with a default setting of rejecting cookies. In order for consent to be validly given via these browsers, users would also have to be provided with comprehensive information about cookies before actively changing their browser settings to allow cookies.

Conclusion

The fundamental problem seems to be a disconnect between the law and technology. In most cases the law is running to try to keep up with the technology (e.g. super-injunctions failing to keep pace with the rise of social media). In this case, however, the law is well ahead, making unrealistic demands of the current technological landscape and necessitating that developers build innovative solutions to meet the new legal requirements.
For further information on compliance with the new legislation on cookies, please contact Simon Halberstam or Raoul Lumb.

____________________________________________________________________________________________

COOKIES UPDATE – JANUARY 2012

As you may now already be aware, laws surrounding the download of cookies changed in May 2011. The amended E-Privacy Regulations require websites to seek the consent of end-users prior to the download of cookies onto their machines. End-users must also be given comprehensive information about the use of cookies on the websites they visit.

The Information Commissioner has put in place a one year moratorium on enforcement of the new regulations to allow businesses sufficient time to formulate their plans for compliance. Businesses have been reluctant to implement consent measures on their websites, citing reasons such as the options available being very detrimental to the user experience (e.g. pop-ups) and fears surrounding the paucity of key site analytical data that will be collected should users not consent to the download of cookies.

Clearly mindful of the confusion and apprehension surrounding implementation of the new cookies regulations, the Information Commissioner published updated advice regarding cookie compliance on 13 December 2011. The Commissioner’s additional interpretation of the new regulations is summarised below.

Consent

Consent must involve the end-user knowingly indicating their acceptance, for example by actively clicking an icon or subscribing to a service.

Although the cookies regulations do not use the term “prior”, the Commissioner expects cookies to be set only after consent and full information about the cookies to be downloaded has been given. It is recognised that cookies are often downloaded the moment a user arrives on a site. If possible, web managers should postpone the download of cookies until users have been given sufficient information to make a choice about whether or not they want cookies on their machines. However, if delaying the download of cookies is not possible, then websites should ensure they minimise, as much as possible, the time between the first cookie being downloaded and the point where sufficient information is provided to the user and consent can be given.

Responsibility for compliance

The Commissioner considers that the person or entity setting the cookie is primarily responsible for compliance with the cookies regulations. However, when a third party’s cookies are dropped via a website, the Commissioner takes the stance that both parties are responsible for compliance with the law. In practice, the information requirements and opportunity for a user to give their consent will be provided on the website that the cookies are dropped from. As such, third parties dropping cookies, and the sites they drop cookies from, are encouraged to work together to achieve compliance. Third parties should seek to include contractual obligations upon the websites they drop cookies from in respect of the consent and information requirements in the regulations.

The Commissioner has also considered organisations contemplating avoidance tactics. A website hosted overseas (outside the EU) will still be likely to have to comply with the cookies regulations if:

  • the organisation which owns the website is based in the UK; or
  • the website itself is designed for the European market; or
  • products and services are provided from the website to customers predominantly based in Europe.

Enforcement

The Commissioner has also revealed the primary enforcement actions available to him for organisations which refuse or fail to comply with the cookies regulations, namely:

  • Information notice. A request for specific information from an organisation within a specified time frame.
  • Undertaking. An organisation must carry out specific action to improve its level of compliance.
  • Enforcement notice. An organisation must carry out specific actions to ensure compliance with the regulations. Failure to comply with this notice may be considered a criminal offence.
  • Monetary penalty notice. A fine of up to £500,000, to be used only for the most serious breaches.

Enforcement action will be proportionate to the issue that it seeks to address. As such, cookies which do not greatly impinge on a user’s privacy rights (e.g. first-party analytical cookies and those used to support the accessibility of sites and services) are likely to register extremely low on the Commissioner’s priority list for enforcement. The Commissioner has gone as far as suggesting that, while not considering them exempt from the regulations, he is unlikely to embark on “any consideration of regulatory action” in respect of the cookies referenced above, so long as organisations have done all they can to provide users with prominent and sufficient information about the purpose of such cookies. On the other hand, organisations dropping cookies which closely relate to users’ personal information should be prioritising implementation of the consent (and information) requirements of the regulations.

Conclusion

The additional guidance from the Commissioner suggests that a common sense attitude will be taken in respect of enforcement of the regulations from May onwards. However, what is stressed throughout the updated guidance is that the new regulations cannot be ignored and organisations should currently be doing all they can to achieve compliance.