Posted on Wednesday 22 June 2011 by Ulster Business

Rory Campbell, Partner in Downpatrick-based law firm Forde Campbell LLP, explains what the recent changes to the EU law around the storage of 'cookies' mean for consumer-facing businesses.

Amendments to UK laws based on the EU's Privacy and Electronic Communications Directive came into force on May 26. The effect of the changes is that all consumer websites in the UK will now need to get users' informed consent to store cookies. Cookies are bite-size files which record a particular user's visit to a particular website. The record makes that user's future return to that website a more streamlined user experience, by storing and remembering details: for example, the user's user name, preferences, or the items placed by the user in a basket when shopping online. The law changes result from growing concern that information stored within cookies may be used by consumer websites to analyse a user's browsing habits, or to target a user for advertising purposes, without that user's knowledge or consent. The changes also derive from EU government's wish for individual consumers to have more control over what information is collected about them, and how it is used.

CHANGES TO THE LAW

The law now requires that consumer websites obtain users' "informed consent" to the use of cookies before collecting any information. There are certain exceptions, but the basic rule is that consumer websites now have to notify users of the operation of cookies, and gain the users' consent to the storing and processing of user information via cookies. The Information Commissioner's Office, the government body responsible for policing UK data law, has given businesses and organisations operating consumer websites in the UK twelve months to "get their house in order" in line with the new changes. Those who think that the cookie regulations are only half-baked at this stage are advised to proceed with caution, since the ICO has indicated that any consumer website using cookies which does nothing to comply with the legal changes will have its lack of action taken into account once formal enforcement of the rules begins. According to the ICO, "The government's view is that there should be a phased approach to the implementation of these changes. In light of this, if the ICO were to receive a complaint about a website, we would expect an organisation's response to set out how they have considered the points above and that they have a realistic plan to achieve compliance".

WHAT TO DO?

So what can website owners do to obtain informed consent from their users? Welcome to the perennial battle between lawyers advising their website client that full compliance is the only solution, and site designers and owners fearful of the effect that clunky consent pop-ups and tick boxes have on user experience. However, there are a number of solutions that can help ensure that website owners avoid the possibility of ICO enforcement action.

AUDIT: KNOW YOUR WEBSITE

A useful first step is to analyse your website, and understand how and why cookies are collected, what data files are placed on user terminals, and why. Check which cookies are strictly necessary, and which might not need consent. Use this process as an opportunity to tidy up your webpages and see which cookies are old and have become outdated as your site has evolved. Assess how intrusive your use of cookies is on user privacy. What sort of information is collected? What is it used for? The more intrusive your use of user data may be considered to be, the more necessary it is for you to obtain meaningful consent. After looking at your website in detail you should be able to understand how your site stores cookies, what sort of information is collected and how it is used – you're now ready to think about methods of obtaining consent.

FORMS OF CONSENT

The government is currently working with browser companies to see whether browser-based forms of consent can be developed. At the moment UK websites will still need to consider other methods of obtaining consent, and the ICO has highlighted the following:
  • pop ups: these specifically request consent for the use of cookies, and are the easiest option for obtaining consent. However, even the ICO acknowledges that repeated pop ups can have a severe effect on the user experience, making the website tedious and frustrating to use. A good design of pop ups or splash screens may reduce this effect but there are other options.
  • settings: some websites ask for the user's preference to confirm how the user would like the website to work for them. For example, the colour scheme and font size are user focused preferences. The ICO suggests that if, as part of offering customisation by settings, the website explained that cookies were collected to enable this customisation, this consent would not have to be obtained on a repeated basis. However, the benefit of this route only relates to settings-led consent.
  • terms and conditions: a well drafted terms of use and privacy policy, prominently situated on the site and explaining what data was collected and how it was used, and requiring click-through consent could fulfil all the requirements of the legislation. Note that you have to make users aware of the changes to the law – you can't just bury the changes in terms and conditions in a link from the site. Instead, you have to make users aware that changes have occurred, and that these changes relate to how cookies are used. And you must go on to gain a positive indication that users understand and agree to the changes.

CONCLUSION

The ICO have recently made it increasingly clear that they mean to police data protection legislation, and the organisation is getting more and more powers to do so. The cookie changes are part of a growing number of data protection requirements that businesses traditionally haven't focussed on (such as, for example, registering with the ICO as a data controller). But the ICO guidance makes it clear that the changes must be taken seriously: as the guidance states, "The key point is that you cannot ignore these rules." Businesses should now begin to take steps (and be seen to take steps) to check their sites, understand how data is collected, and look at what forms of notification are appropriate to get users' informed consent.

Rory Campbell is a partner at Northern Irish law firm Forde Campbell LLP, specialising in IT, internet and data protection law. This article contains general information rather than legal advice: if you want advice, please feel free to contact Rory at rory@fordelaw.com
