Cookies – handle with caution

On 26 May 2011 the law governing the use of cookies will change. Users will need to be provided with an opportunity to explicitly give their consent prior to having cookies downloaded on to their computers or mobile devices.

Frustratingly, the Government and the Information Commissioner’s Office (ICO) currently have no clear idea as to how the new legislation on cookies should be implemented by web managers. There is no guidance in the amended E-Privacy regulations as to exactly how “consent” should be given. The Government has left that remit with the ICO, and, as its latest briefing highlights, there is as yet no clear-cut method of ensuring compliance.

The consequences of non-compliance

UK-based web managers that do not make any changes to their websites before the morning of 26 May will not automatically be liable to a fine from the ICO. The ICO recognises that implementation of the new law will need to be phased. However, what all web managers need to be doing now is considering and planning their options for achieving compliance. If the ICO were to make any enquiries into a website shortly after 26 May, a response explaining such preparatory steps might well be enough to avoid any sanctions. However, failing to make any changes to your website and being unable to demonstrate any consideration of implementation methods could lead to sanctions from the ICO.

What needs to be done now?

Web managers in the UK should therefore be doing the following:

  • Ascertaining what type of cookies are used by their sites and how they are downloaded onto users’ machines (effectively a “cookie audit”).
  • Deciding on which method(s) of obtaining consent is best for their website, given the cookie audit.
  • Recording the cookie audit and implementation methods in an easily digestible form should the ICO ever investigate the site during this transitional period.

Suggested methods of implementation

The list is non-exhaustive and will doubtless get longer, but here are a few options which have been suggested to procure user consent before cookies are downloaded:

  • Pop-ups each time a cookie is to be downloaded onto a user’s machine.
  • Having in place a privacy policy setting out the site’s use of cookies, the terms of which a user must positively agree to upon visiting the site (i.e. via a tick box).
  • Settings and feature-led consent. If cookies are downloaded when a user does something, e.g. watches a video or personalises the site, obtaining the user’s consent prior to that action.

Web managers should be reminded that where the use of cookies is “strictly necessary” for the disclosed central purpose of the site, no consent needs to be given by the end user to their deployment. The most common situation in which this applies will be where a website remembers the contents of a user’s shopping basket as they navigate the site.

What next?

Ultimately, it is intended that consent will be provided through users’ web browsers and the Government is currently working with the major browser manufacturers to this end.

The ICO will be drafting further advice on the new law in the near future, potentially including other suggested methods of compliance and also how and when it intends to begin enforcing the regulations.

This alert was written by Simon Halberstam (partner) at SIMONS MUIRHEAD & BURTON LLP. If you need assistance please contact Simon Halberstam on 020 3206 2781 or simon.halberstam@smab.co.uk