From the end of May 2012, organisations that operate websites that collect ‘cookies’ from site visitors must obtain their consent or potentially face consequences from the Information Commissioner’s Office.
Organisations have had a year’s notice to put in place plans to inform users and obtain their consent; for those organisations that have not yet started work, the expression ‘doing nothing is not an option’ is now extremely appropriate!
A cookie is a small file, typically consisting of letters and numbers, that is downloaded onto a device when a user accesses certain websites. Cookies enable websites to recognise a user’s device and potentially save the user time on the current and subsequent visits.
They also enable the website operator to gather information, possibly personal, on website visitors. It is this latter aspect that is of concern to the regulators.
The requirements flow from the Privacy and Electronic Communications (EC Directive) Regulations 2003, updated in 2009. It was this latter update that required governments in Europe to implement these changes by 25 May 2011, although a subsequent 12-month moratorium on the use of the ICO’s enforcement powers has given organisations additional time to conform to the new requirements.
The main change in the regulations has seen the move from an ‘opt-out’ system to an ‘opt-in’ for cookie use.
There are different types of cookie, some of which are more intrusive (and of greater interest to the ICO) than others. Some cookies are essential for the operation of the website (such as making online shopping baskets work) and are exempt from the regulations. Third party cookies (set on a user’s device by a third party website) are one of the more challenging areas in which to achieve compliance with the rules.
Those setting cookies must:
• Tell people that the cookies are there
• Explain what the cookies are doing
• Obtain their consent to store a cookie on their device.
It is this third point, obtaining consent, that is proving most problematic. Organisations should start their projects with an audit of cookies so that they are aware of which cookies they are setting, whether each is necessary, and the best method of gaining consent for those that are not.
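The three obligations above (tell people the cookies are there, explain what they do, obtain opt-in consent) together with the audit step map naturally onto a small piece of code. The following is an added example written for this article, not code from the ICAEW or the ICO: it keeps a registry that doubles as the audit record, exempts strictly necessary cookies, refuses to store any other cookie until the visitor has opted in to its category, flags unregistered cookies that the audit missed, and generates the notice text. The cookie names, categories and purposes are constructed for illustration; it runs in plain Node.js with no browser or framework.

```javascript
// Added example, not part of the original article. Cookie names, categories
// and purposes are constructed for illustration.

// 1. Audit record: every cookie the site sets, what it does, and whether it is
//    strictly necessary (exempt) or needs opt-in consent first.
const COOKIE_REGISTRY = {
  session_id:   { category: "essential",   thirdParty: false, purpose: "keeps the login session and shopping basket working" },
  csrf_token:   { category: "essential",   thirdParty: false, purpose: "protects forms against cross-site request forgery" },
  analytics_id: { category: "analytics",   thirdParty: false, purpose: "counts page views for site statistics" },
  ad_tracker:   { category: "advertising", thirdParty: true,  purpose: "advertising identifier set for a third-party network" },
};

// Name part of "name=value" (tolerates a bare "name" with no '=').
function cookieName(pair) {
  const eq = pair.indexOf("=");
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// 2. Opt-in decision. `consent` looks like { analytics: true, advertising: false };
//    a missing or false entry means the visitor has NOT opted in.
function mayStoreCookie(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) {
    return { allowed: false, reason: "unregistered cookie: add it to the audit before use" };
  }
  if (entry.category === "essential") {
    return { allowed: true, reason: "strictly necessary, exempt from consent" };
  }
  if (consent && consent[entry.category] === true) {
    return { allowed: true, reason: "visitor opted in to " + entry.category + " cookies" };
  }
  return { allowed: false, reason: "no opt-in consent for " + entry.category + " cookies" };
}

// 3. Server-side gate: keep only those Set-Cookie header values the consent
//    record permits, e.g. "analytics_id=abc; Path=/; Max-Age=31536000".
function filterSetCookies(setCookieHeaders, consent) {
  return setCookieHeaders.filter(
    (h) => mayStoreCookie(cookieName(h.split(";")[0]), consent).allowed
  );
}

// 4. Audit helper: parse a Cookie request header ("a=1; b=2") and report each
//    cookie against the registry, flagging anything the audit has not catalogued.
function auditCookieHeader(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const name = cookieName(pair);
      const entry = COOKIE_REGISTRY[name];
      return {
        name,
        registered: Boolean(entry),
        category: entry ? entry.category : "unknown",
        thirdParty: entry ? entry.thirdParty : null,
        purpose: entry ? entry.purpose : "not in audit: investigate and classify",
      };
    });
}

// 5. "Tell" and "explain": one line per cookie for the consent notice.
function consentNoticeLines() {
  return Object.entries(COOKIE_REGISTRY).map(([name, e]) => {
    const status = e.category === "essential"
      ? "always on (essential)"
      : "off until you opt in (" + e.category + ")";
    return name + ": " + e.purpose + " [" + status + "]";
  });
}

// Stand-alone demonstration with constructed headers.
const wantToSet = [
  "session_id=s1; Path=/; HttpOnly; Secure",
  "analytics_id=a1; Path=/; Max-Age=31536000",
  "ad_tracker=t1; Path=/; Domain=ads.example",
];
console.log("no consent yet:", filterSetCookies(wantToSet, {}));
console.log("analytics opted in:", filterSetCookies(wantToSet, { analytics: true }));
console.log("audit:", auditCookieHeader("session_id=s1; ad_tracker=t1; legacy=1"));
console.log(consentNoticeLines().join("\n"));
```

The design point is that the default is deny: a cookie the registry does not know about is refused rather than silently set, so anything the audit missed shows up as a failure in testing instead of as an unexplained cookie on a visitor's device. The `thirdParty` flag is there because, as noted above, cookies set by a third party are the hardest to bring under the site's own consent mechanism, so the audit should single them out.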
Over time it is assumed that users’ knowledge of cookies will improve (especially given the wave of website changes likely to arise in May) and that website operators will increasingly be able to rely on settings in web browsers.
However, given users’ current lack of knowledge and the differing capabilities of web browsers, implied consent through browser settings will not be acceptable for some time.
An interesting example site to visit initially is the ICO website where you can see how the ICO has implemented its solution by means of a separate header bar seeking user consent.
As noted at the start, the regulations are now in force – the 12-month moratorium applies only to the ICO’s enforcement powers.
The most important thing is that organisations have plans in place to achieve compliance and that from the end of May they are operating their websites in accordance with the regulations, or at the very least have plans in place to achieve compliance that they can show to the ICO if asked.
Richard Anning is head of the IT Faculty at the ICAEW. For more information visit the Faculty site