How to comply with new rules on cookies
22/11/2011
By James Herbert, Partner and Head of Corporate & Commercial.
May 2011 saw the introduction of new rules governing cookies. In this article, we consider what the change means for businesses and offer a checklist to ensure you comply with the new rules.
Cookies gather information about website visitor activity, a process which has been shown to lead to increased dissemination of personal data.
The changes
Before May 2011, website visitors had the right to ‘opt-out’ of having cookies downloaded onto their computers or mobile devices. Without proper information relating to the effects of the cookies, visitors rarely did so. The changes mean that the visitor’s consent will be actively required before cookies can be downloaded onto their devices. Website operators will need to give sufficient information to allow the visitors to make their decision. Businesses have been given a year’s grace, to May 2012, to deal with the practicalities of this change.
Scope of the changes
The new rules will apply to every type of cookie except where the use of the cookie is ‘strictly necessary’ for a service requested by the user. The Information Commissioner’s Office (ICO) gives the example of a website visitor who has chosen goods that they wish to buy and clicks ‘add to basket’: the site ‘remembers’ the selections from a previous page. Here there is presumed consent to the cookie being downloaded as part of the purchase process. It remains to be seen how this exception will be applied in practice.
Action to take
- Prepare a cookie inventory
The ICO has suggested that a starting point for website operators will be to audit their websites to ascertain which cookies are strictly necessary and might not need consent, and to identify those that will.
- Understand your cookies
The new rules will give a higher level of privacy protection to internet users. By asking ‘how intrusive are the cookies?’ it will be possible to determine whether consent is required.
- Formulate a consent mechanism for intrusive cookies
Browser settings may act to give implied consent. Other possible approaches include pop-ups, terms and conditions, website settings and website features.
Irrespective of the mechanism used to obtain consent, website operators must tell users what cookies are used and what information will be taken.
- Take action to demonstrate that you are planning to comply with the new rules
The Information Commissioner has said that it will not take enforcement action against businesses and organisations while they are actively working to address their use of cookies.
- Keep up to date with official guidance
Both the ICO and the Department for Culture, Media and Sport have issued guidance and commentary on how the new rules will be implemented. See www.ico.gov.uk and www.culture.gov.uk.
For more information, read about our experience with e-commerce or contact James Herbert, Partner and Head of Corporate & Commercial.