What about cookies essential for my website?
There is an exemption for technology used to transmit a communication and for cookies which are 'strictly necessary' to meet a user's request. This is interpreted narrowly: it will cover cookies used in shopping carts, but not cookies used for ad-serving or tracking.
What do you need to do to comply?
The Information Commissioner recommends the following:
1. Carry out a 'cookie audit'
For each of the cookies that your website uses, you should know:
- What does the cookie do?
- What information does it collect?
- When does it expire?
- Does our website need that cookie?
- If third party, who places it?
2. Determine how intrusive your cookies are
Cookies that facilitate tracking across sites are more intrusive; analytics cookies less so. While the rules apply to all cookies, particular care should be taken in informing users and obtaining consent in respect of intrusive cookies.
3. Produce an appropriate information notice
The Information Commissioner advocates a "layered" approach so that those who wish to find out more can do so. This could be in a separate 'cookie policy' or in your privacy policy.
4. Put in place a mechanism for obtaining consent
No single way has been promoted by the Information Commissioner. There is flexibility as to how you put the rules into practice. This could involve express consent (e.g. an interstitial), consent via terms and conditions, or notice and implied consent.
Can I rely on browser settings to obtain consent?
Browser settings don't yet satisfy the requirements. The Information Commissioner has advised that, longer term, this may be an option, but only when browser settings block cookies by default.
What is the deadline for compliance and why is 26 May 2012 important?
The cookie rules came into force on 25 May 2011. Helpfully, the Information Commissioner declared a twelve month 'lead in period' to allow industry to get to grips with the new cookie consent regime, during which no enforcement action would be taken. This comes to an end on 26 May 2012. However, even after this date the Commissioner's Office advised that "all of our enforcement actions are likely to be in the form of negotiations. If people listen to our advice and are prepared to take steps towards compliance, there shouldn't be a problem. However, if businesses deliberately stop short of total compliance, then this is a risk".
How will the new cookie rules be enforced?
Initially, as above, by negotiation. Ultimately, the Information Commissioner's usual powers of enforcement could apply:
- a monetary penalty of up to £500,000 – although only in cases of "serious or substantial breach";
- requiring an undertaking from your business' senior management guaranteeing future compliance; or
- an enforcement notice – breach of which is a criminal offence.
Individuals who suffer damage, or damage and distress, can also claim damages.
What's happening in other countries?
The revised Privacy and Electronic Communications Directive, which brought about these new rules, applies across the European Union. However, there is local variation. Implied consent is feasible in the UK, but may not equate to compliance in all other Member States, some of which are more prescriptive about compliance.
When deciding how to tackle the new regime, there is a balance to be struck between complying with the new rules and maintaining a commercially effective website. However, the Information Commissioner has made quite clear that "doing nothing, is not an option".
More information about rules elsewhere in the EU can be found here.
Contact Us
Ruth Boardman, Partner, +44 (0)20 7415 6018, ruth.boardman@twobirds.com
Laura Acreman, Associate, +44 (0)20 7905 6355, laura.acreman@twobirds.com
Patrick Camerer Cuss, Associate, +44 (0)20 7982 6480, patrick.camerercuss@twobirds.com