New cookies guidance: Time to get a move on!
09 February 2012
In December 2011, the Information Commissioner's Office (ICO) published updated guidance for website owners on the implementation of The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
With the 12-month grace period it granted set to end in May 2012, the time to comply is running out.
Background
For anyone who may have survived thus far without hearing about the recent changes, these Regulations amend The Privacy and Electronic Communications (EC Directive) Regulations 2003, which govern (amongst other things) the use of cookies and similar technologies used for storing and accessing information on a user’s equipment.
Whilst both sets of regulations require site operators to tell users that cookies are being used and what they are being used for, the Regulations go a step further, and require website operators to actually obtain a user’s consent before cookies can be stored on a user’s device.
Since coming into force in May 2011, the Regulations have attracted criticism and alarm.
The ICO has, however, observed that many website owners have been much less proactive in their efforts to comply than they have been in their efforts to complain and criticise.
What does the new guidance say?
The aim of the guidance was to review progress made since the Regulations came into force, and to provide website owners and operators with further insight into how to move towards compliance.
The key points to draw from the guidance are:
- Implementing these rules requires considerable work in the short-term, but compliance will get significantly easier with time.
- Consent to place cookies on a device must involve some communication by which the user knowingly indicates their acceptance to specific cookies being placed. The crucial factor is that the user must fully understand that by taking a certain action they will be giving consent.
- Website operators should obtain a user’s consent prior to the cookies being set, and should therefore (where possible) delay setting cookies until users have had the opportunity to understand and agree to them being set. Where this is not possible however (for example if a website sets cookies as soon as a user visits the site), consent should be obtained as soon as the user understands why cookies are being used and the website should be able to demonstrate that they are doing all that they can to reduce the amount of time before information and options are given.
- The level of consent required must take into account the degree of understanding and awareness the individual has in relation to what they are being asked to consent to. It may therefore be difficult to rely on implicit consent at this stage as there is clear evidence that most users have a very limited understanding and awareness of cookies at present. The more organisations that implement these requirements quickly, the more likely it is that awareness will improve, and that implicit consent could be relied upon properly, going forward.
- Where the use of a cookie is ‘strictly necessary’ for the service expressly requested by the user, there is no need to obtain consent to place that cookie on a user’s device. This exception may be used for security requirements, or to facilitate a ‘proceed to checkout’ function. The exemption must however be narrowly construed and cannot be relied upon for using cookies which are not strictly necessary for the services expressly requested by the user.
- Organisations based in the UK are likely to be subject to the Regulations even if their website is hosted overseas. Similarly, organisations based outside Europe with websites designed for the European market should consider that users in the UK and Europe will expect information and choices about cookies to be provided.
- Companies who design and develop websites or other technologies for customers must consider the requirements of the Regulations and make sure that the systems they design allow their clients to comply with the law.
- All website operators and owners should now have conducted or be in the process of conducting a ‘cookies audit’ with a view to determining the best method to gain a user’s consent. The audit process should involve three steps:
(1) checking what cookies and similar technologies you use on your websites and how they are used;
(2) assessing how intrusive they are;
(3) where you need consent, deciding how it can be best obtained in your circumstances.
- Browser settings cannot currently be relied upon as a method of obtaining consent.
- Some quick win methods of moving towards compliance would be to make website information concerning cookies more obvious (for example placing an easily seen link headed ‘How we use cookies’ in a prominent position on the site). Other methods for obtaining consent include pop-ups or ticking a box to agree to the use of cookies. The ICO has not been too prescriptive in its guidance, so that website owners and operators can implement solutions that best suit their website and their customers.
Whilst the ICO recognises that there are pockets of good practice where organisations have made significant efforts to comply with the Regulations, many website operators have been slow to implement change.
The ICO has various options available to it in order to force website owners to comply, including the right to impose a fine of up to £500,000. As of 26 May 2012, it has indicated that it will investigate complaints regarding the use of cookies in the same way it would investigate any other complaint.
If you use cookies on your website, but are not doing anything to get users’ consent, it’s time to get a move on.
How can we help?
If you have not yet implemented a solution to comply with the Regulations, we can help you to:
- plan and carry out an audit of the cookies you use on your website;
- evaluate the results of the audit;
- decide upon the best solution for you to comply with the Regulations for each cookie you use; and
- make any required changes to your current privacy policies and statements in order to bring them into line with the new requirements.
For more information please contact Aisling Duffy on 03700 865089 or email aisling.duffy@shoosmiths.co.uk
© Shoosmiths. This page is for general information: it is not legal advice. Please read our full terms and conditions for details of the disclaimers and exclusions which apply.
Get in touch
Aisling Duffy
Associate
T: 03700 86 5089
I: +44 (0)115 906 5089
E: aisling.duffy@shoosmiths.co.uk
