EU Privacy Directive on website cookies

Disclaimer: We have included below some advice taken from the UK’s Information Commissioner’s Office (ICO) website or given by an ICO spokesperson. Wherever possible we have provided links back to the source of the information. If you have any doubts about how the new EU Cookie Law may affect your website then we recommend that you seek expert legal advice.

On 26th May 2012 the UK’s Information Commissioner’s Office (ICO) began enforcing an EU directive from May 2011 designed to protect internet users’ privacy. Under the revised Regulations the legal requirement is not just to provide clear information about the cookies, but also to obtain consent from users or subscribers to store a cookie on their device.

The aim of this legislation is to increase online security and data privacy, giving users more control over what data can be held about them. You may well have noticed that many major websites have already introduced measures to comply – the BBC website for example.

The ICO has a range of options available to it to take formal action where companies cannot prove that they are working towards compliance within reasonable timeframes. These options include committing organisations to a particular course of action, enforcement notices and possible fines of up to £500,000.

Guidance on the rules on use of cookies

The ICO’s Guidance on the rules on use of cookies (V3, available for download) explains the new cookie rules. It states that:

… those setting cookies must:

  • Tell people that the cookies are there
  • Explain what the cookies are doing
  • Obtain their consent to store a cookie on their device

Google Analytics installs a ‘first party’ cookie. However, many Google Analytics accounts have the data-sharing setting set to “True”, which allows Google to track website metrics anonymously for the purposes of “benchmarking”. Google says this information is used to categorise a website and show a relative performance line in visit graphs, indicating how well a website benchmarks against others in that category.

The ICO guidance says: “If the information collected about website use is passed to a third party you should make this absolutely clear to the user. You should review what this third party does with the information about your website visitors.” Therefore in the instance of “benchmarking” it is clear consent must be achieved for a website to pass information to Google.

Exceptions from the requirement to obtain consent

The ICO says exceptions are likely to be made, for example if the cookie is “used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket”.

The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used:

“for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.”

The term ‘strictly necessary’ means that “such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data.”

The ICO goes on to say, “Where the use of a cookie type device is deemed ‘important’ rather than ‘strictly necessary’, those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent.”

Implied Consent

The ICO’s latest guidance (May 2012) sets out the changes to the cookies law and explains the steps you need to take to ensure you comply. The updated guidance provides additional information on the issue of implied consent:

“Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.”

Does consent mean ticking a box?

The ICO website says, “It is true that you need to have a positive indication of consent, but it is not true that this must be obtained by the individual ticking a box.”

“… the Directive on which these Regulations are based … gives the ticking of a box on an internet site as an example of an ‘appropriate method’ to give consent but it is only an example. It is not the only method by which consent can be obtained.

The Directive … defines ‘the data subject’s consent’ as:

‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.”

In the view of the ICO, “there must be some form of communication where the individual knowingly indicates consent. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.”

Information to be provided

The Regulations are not prescriptive about the sort of information that should be provided, but the text should be “sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so”.

Do you need to act?

While it is likely that most sites will get away with doing nothing for some time, you should take note that the ICO is encouraging members of the public to report non-compliant websites. The ICO has already started contacting websites asking why they have not yet complied. You should also consider how you want your website to be perceived by customers, or by those you provide services to.

What can you do?

No two websites will be the same when it comes to compliance. You really need to discuss this with your web design company, as they will be best placed to advise you on the technical and design aspects of making changes to your website.

You might want to consider undertaking some or all of the following:

  1. Do a “Cookie Audit” to check what cookies your site uses (if any) and include this information in your Privacy Statement. You can do this yourself if you know where to look for the cookie information, or ask your web designers. If you use Google Analytics, you will use cookies.
  2. Put together a plan covering the steps you intend to take to comply with the new EU cookie law. We recommend that you treat this as a serious exercise covering whether your site is signed up for Google’s “benchmarks” program, the changes you plan to make to your Privacy Statement, and any technical changes you plan to make to your website. Put this in writing so it can be supplied to the ICO inspectors if requested.
  3. Update your current website Privacy Statement to cover the new cookie laws.
  4. If you are signed up for Google’s “benchmarks” program in Google Analytics, opt out of this by signing into your Google Account and turning off “Share my Google Analytics data anonymously with Google and others”. Note: Integralvision never enables benchmarking on its clients’ Analytics Accounts.
  5. Add a short “Cookie Statement” on the Home page of your website that displays information about how your site uses cookies. This should link straight to your privacy page, which contains a fuller explanation and advice on how to disable cookies.
  6. Provide a checkbox or some other way for visitors to give consent to the use of cookies (see Implied Consent above).
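As an added illustration of steps 1 and 6 above (example code written for this page, not Integralvision’s or the ICO’s), the snippet below audits a site’s cookies against a policy table and gates non-essential cookies behind a recorded consent decision. The policy table, the basket cookie name and the consent states are constructed assumptions; the Google Analytics cookie names are the real ones, but each site must audit its own.

```javascript
// Constructed policy table for an assumed site: which cookies it sets, what each
// one does, and whether it falls under the "strictly necessary" exemption (a
// shopping basket cookie) or needs the user's informed consent first (analytics).
const COOKIE_POLICY = {
  basket_id: { purpose: "Remembers goods added to your basket", strictlyNecessary: true },
  _ga:       { purpose: "Google Analytics visitor identifier",  strictlyNecessary: false },
  _gid:      { purpose: "Google Analytics session identifier",  strictlyNecessary: false },
};

// Parse a document.cookie-style string ("a=1; b=2") into name/value pairs.
function parseCookies(cookieString) {
  return cookieString.split(";")
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => {
      const eq = part.indexOf("=");
      return eq === -1
        ? { name: part, value: "" }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Step 1 (cookie audit): list every cookie actually set, its documented purpose,
// and whether it needs consent. Anything missing from the policy table is flagged
// so it can be documented in the Privacy Statement before relying on consent.
function auditCookies(cookieString) {
  return parseCookies(cookieString).map(({ name }) => {
    const policy = COOKIE_POLICY[name];
    return {
      name,
      purpose: policy ? policy.purpose : "UNDOCUMENTED - add to your cookie audit",
      requiresConsent: !(policy && policy.strictlyNecessary),
    };
  });
}

// Step 6 (consent gate): decide whether a cookie may be stored right now.
// `consent` is the site's stored decision: "granted", "refused" or "unknown".
// Only the strictly necessary exemption bypasses the consent requirement;
// an undocumented cookie is treated as non-essential.
function mayStoreCookie(name, consent) {
  const policy = COOKIE_POLICY[name];
  if (policy && policy.strictlyNecessary) return true;
  return consent === "granted";
}
```

In a real deployment the analytics script itself would be loaded only after `mayStoreCookie("_ga", consent)` returns true, since the ICO’s point is that the cookie must not be set before consent, not merely disclosed afterwards.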

If you require help identifying how the new EU Cookie Law affects your website, Integralvision can provide a paid consultancy service on your website’s current status, revisions to your Privacy Statements, as well as a written plan of work you might undertake to reach compliance.