A new law comes into force this month that affects the way businesses can use cookies, the small text files that website operators employ to track user behaviour and traffic patterns.
The new law, effective on 26 May 2011, requires that cookies and similar technologies for storing information can only be placed on user machines when the user has given their consent. Consent in most cases cannot be implied, and for consent to be meaningful organisations will have to have change the statements describing their use of cookies.
In early May, the Information Commissioner’s Office (ICO) published advice on how UK businesses can comply with the new law. However, initial reaction from businesses has been that the ICO guidance is not detailed enough to help businesses put meaningful compliance policies in place and yet the deadline for compliance is rapidly approaching.
The guidance from the ICO makes it clear that there is no perfect solution at present. The UK government is working with browser manufacturers to find ways of making browser settings sophisticated enough to allow organisations to assume that a user has consented to the use of a cookie through their browser setting choices. However, the use of browser settings is currently not an immediate solution, and in any event not all users visit a website via a browser – some visit via mobile devices.
The most likely short-term solution for UK businesses, according to the ICO and the International Chamber of Commerce, which held a joint meeting on 12 May, is to develop improved cookie statements and pop-ups to ensure that users are given transparent and clear information about the types of cookies that a website wishes to use. That means that individuals can give meaningful consent to the use of those cookies.
But before that can happen, the ICO’s guidance makes it clear, businesses needs to audit the cookies currently being used in order to understand the degree to which they are collecting personal data.
Sophisticated websites can run many cookies, and websites that include click- through adverts, for example, will need to audit the third-party websites in order to understand how those third parties are interacting with users.
Degrees of privacy
The new law does not apply to every type of cookie. If a cookie is ‘strictly necessary’ for a service requested by a user, for example where a cookie is used to ensure a website remembers purchases added to a basket, then consent is not needed. However, it is not up to the business to decide whether a cookie is ‘strictly necessary’ – this classification is limited to a small range of activities and must relate to services ‘explicitly requested’ by a user.
Although the ICO has indicated that it expects a phased approach to compliance and enforcement, the guidance does state that the law is effective at 26 May 2011 and that doing nothing is not acceptable. Therefore, businesses must audit which types of cookies are being used and how. This may well include an analysis of which cookies are ‘strictly necessary’ and which are not.
This audit will allow a company to assess its exposure to risk of non-compliance with the cookie law and enable it to put in place appropriate cookie statements and pop- ups to enable meaningful consent to have been obtained.
Companies also need to consider the impact of third-party cookies. Many businesses use Google Analytics, for example, and a process needs to be put in place to notify users about how they grant consent to Google Analytics.
The more sophisticated the website, the more cookies it generally uses and, as a consequence, the more steps will need to be taken to provide compliant cookie solutions. This may detract from the user experience, particularly if a user is forced to read pop-ups and signify consent at every step.
If the intention of the cookie law is to protect individuals, the chances are that since many individuals will continue to always click ‘accept’ because they want to get on with the website interaction, then businesses with transparent cookie consent procedures will receive consent and the individual may still be targeted and tracked by cookies. And that’s the way the cookie crumbles.
Robert Bond is a partner in the IP, Technology & Commercial team at Speechly Bircham LLP