The Information Commissioner's Office ("ICO") has recently published further guidance on the implementation of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. We take a look at the guidance and summarise the key messages for businesses.
What do I need to do?
• tell people that the cookies are there,
• explain what the cookies are doing, and
• obtain their consent to store a cookie on their device." (ICO Guidance 13 Dec 2011).
The Regulations cover both persistent and session cookies. However, cookies which are "for the sole purpose of carrying out the transmission of a communication over an electronic communications network" or which are "strictly necessary for the provision of an information society service by the subscriber or user" are excluded from the requirement to obtain consent. This means that cookies such as those which remember what a user has put in the shopping basket would be considered "strictly necessary" and exempt from the requirement to obtain consent. The following types of cookies are likely to fall within the exception:
• cookies used to remember what a buyer has placed in their shopping basket
• cookies used with online banking services which provide security in order to comply with the seventh data protection principle
• cookies which help to ensure that content is loaded quickly.
How do I obtain consent?
There are a number of ways in which you could obtain user consent to the use of a cookie. Which method you use will largely depend on how your site is configured and which cookies you deploy. Examples of ways in which consent may be obtained include:
- Pop ups or splash pages.
- Feature-led consent. This can be achieved at the time the user has to click on the link or switch on the feature, e.g. using a video.
Can I rely on a User's Browser Settings?
In time, you may well be able to rely on the user's browser settings as a way to satisfy yourself that consent has been given. At present, however, most browser settings are not sophisticated enough to rely on this mechanism. The Government is working with major browser manufacturers to establish which browser settings will be available and when.
Third Party Cookies
If you display content from a third party on your website (e.g. an advertisement or a video service) then you will need to ensure that information is provided to the user about the cookies which may be used by the third party. This information can either be provided by you or the third party. It is therefore important that you establish this upfront with the third party.
What if I do nothing?
The ICO has given businesses a lead-in time of 12 months in order to achieve compliance (i.e. until May 2012). After this time it will follow up complaints made by users and take enforcement action where appropriate. In the first instance it will contact the website owner to discuss the complaint. The ICO has a number of remedies which are open to it including the imposition of monetary penalties of up to £500,000.
McKenna Hughes is currently working with web developers to provide a solution to its clients. If this is of interest to you please contact us on firstname.lastname@example.org or 01789 721831. You can download a copy of the ICO guidance by going to www.ico.gov.uk.