Cookie Law has changed – are you compliant?

In May 2012, a new law came into force (replacing the guidance issued in Dec 2011) requiring businesses to obtain consent from visitors to their websites to store or retrieve usage information from users’ computers or mobile devices.  Many businesses use what are known as “cookies” (small files that a website puts on a user’s computer to remember something) as a technique for storing information.

The use of cookies is only allowed if the user concerned has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed, and has given his or her consent (Regulation 6(1) and (2) of the revised 2003 Regulations).

The Information Commissioner’s Office (ICO) has now published revised guidance on the rules on the use of cookies and similar technologies, together with a “Report your cookie concerns” tool through which individuals can notify the ICO about potentially problematic websites, and a short video designed to answer frequently asked questions.  The guidance includes a change in the ICO’s position on the requirements for obtaining internet users’ consent to the setting of cookies.

The revised guidance note has been designed to help organisations consider: what type of cookies or similar technology are used by their website and for what purpose; how intrusive their use is; and which solution for obtaining users’ consent would best suit them.  The guidance reflects the Commissioner’s approach to enforcing the revised 2003 Regulations, under which website owners were assured of a lead-in period of 12 months to develop ways of meeting the cookie-related requirements of the Regulations before the Commissioner would consider using his enforcement powers.

Implied Consent:

The new guidance makes it clear that any reliance on implied consent must be based on a shared understanding between the website owner and the user of what is going to happen when the user visits the website.  For implied consent to be valid, the user must have a full understanding of the fact that cookies will be set and of the purpose for which they are used.  Where non-sensitive personal data is concerned, relying on implied consent is reasonable in the context of the storage of information, or access to information, through the use of cookies.  A provider can only rely on implied consent on the understanding that it is specific and informed and that there is some action on the part of the user from which consent can be inferred.

A provider must inform the user, in a “clear and relevant” context, that a specific action on his part will be interpreted as giving consent to the use of cookies, so that when he takes that action there is a shared understanding between provider and user of the way in which, and the extent to which, cookies will be used.  The ICO leaves it to the provider to establish the exact ways in which they choose to provide this information, though it sets out a number of factors that providers should take into account when considering the level of information to be provided and the way in which it is brought to the user’s attention. These include: the nature of the intended audience of the website, for example, whether the site is directed at a technically advanced audience or not; the way in which users generally expect to receive information from this particular site; and the language that is likely to be appropriate for the audience the website targets.  The revised guidance makes it clear, however, that highly technical language should be avoided.

To demonstrate that a user’s action signifies his consent, that action must give a strong enough indication that there is a shared understanding of what is happening.  One way to achieve this is for the website to include a clear and unavoidable notice that cookies will be used if the user enters the site; if the user, on that basis, clicks through and continues to use the site, this would be sufficient to imply consent.  According to the revised guidance, the more users become familiar with the fact that, on most sites, certain things will happen that require the use of cookies, the more acceptable it will become for the users’ actions to be interpreted as an indication that they understand that cookies will be set and that they consent to this process.  It should be noted, though, that it must always be possible for the user to decline to accept cookies, even if it means that the functionality of a site is affected.

There is one exception to the new consent rule: your business has no requirement to obtain consent for an activity that is “strictly necessary” for a service requested by the user. For example, you would not need to obtain consent for a cookie which your business uses to ensure that, when a user of your site has chosen the goods they want to buy and clicks on an “add to basket” or “proceed to checkout” button, your site “remembers” what they chose on a previous page.

Going forward, businesses should check what types of cookies they use and how they are used, assess how intrusive that use of cookies is, and decide which solution for obtaining consent will be best in their circumstances.