Posted on Wednesday 22 June 2011 by Ulster Business
Rory Campbell, Partner in Downpatrick-based law firm Forde Campbell LLP, explains what the recent changes to the EU law around the storage of 'cookies' mean for consumer-facing businesses.
Amendments to UK laws based on the EU's Privacy and Electronic Communications Directive came into force on May 26.
The effect of the changes is that all consumer websites in the UK will now need to get users' informed consent to store cookies.
Cookies are bite-size files which record a particular user's visit to a particular website. The record makes that user's future return to that website a more streamlined user experience, by storing and remembering details: for example, the user's user name, preferences, or the items placed by the user in a basket when shopping online.
The law changes result from growing concern that information stored within cookies may be used by consumer websites to analyse a user's browsing habits, or to target a user for advertising purposes, without that user's knowledge or consent. The changes also derive from EU government's wish for individual consumers to have more control over what information is collected about them, and how it is used.
CHANGES TO THE LAW
The Information Commissioner's Office, the government body responsible for policing UK data law, has given businesses and organisations operating consumer websites in the UK twelve months to "get their house in order" in line with the new changes.
Those who think that the cookie regulations are only half-baked at this stage are advised to proceed with caution, since the ICO has indicated that any consumer website using cookies which does nothing to comply with the legal changes will have its lack of action taken into account once formal enforcement of the rules begins.
According to the ICO, "The government's view is that there should be a phased approach to the implementation of these changes. In light of this, if the ICO were to receive a complaint about a website, we would expect an organisation's response to set out how they have considered the points above and that they have a realistic plan to achieve compliance".
WHAT TO DO?
So what can website owners do to obtain informed consent from their users? Welcome to the perennial battle between lawyers advising their website client that full compliance is the only solution, and site designers and owners fearful of the effect that clunky consent pop-ups and tick boxes have on user experience.
However, there are a number of solutions that can help ensure that website owners avoid the possibility of ICO enforcement action.
AUDIT: KNOW YOUR WEBSITE
A useful first step is to analyse your website and understand how and why cookies are collected, what data files are placed on user terminals, and why. Check which cookies are strictly necessary, and which might not need consent. Use this process as an opportunity to tidy up your webpages and see which cookies are old and have become outdated as your site has evolved.
After looking at your website in detail you should be able to understand how your site stores cookies, what sort of information is collected and how it is used – you're now ready to think about methods of obtaining consent.
FORMS OF CONSENT
The government is currently working with browser companies to see whether browser-based forms of consent can be developed. At the moment UK websites will still need to consider other methods of obtaining consent, and the ICO has highlighted the following:
Settings: some websites ask for the user's preference to confirm how the user would like the website to work for them. For example, the colour scheme and font size are user-focused preferences. The ICO suggests that if, as part of offering customisation by settings, the website explained that cookies were collected to enable this customisation, this consent would not have to be obtained on a repeated basis. However, the benefit of this route only relates to settings-led consent.
The ICO have recently made it increasingly clear that they mean to police data protection legislation, and the organisation is getting more and more powers to do so. The cookie changes are part of a growing number of data protection requirements that businesses traditionally haven't focussed on (such as, for example, registering with the ICO as a data controller).
But the ICO guidance makes it clear that the changes must be taken seriously: as the guidance states, "The key point is that you cannot ignore these rules." Businesses should now begin to take steps (and be seen to take steps) to check their sites, understand how data is collected, and look at what forms of notification are appropriate to get users' informed consent.
Rory Campbell is a partner at Northern Irish law firm Forde Campbell LLP, specialising in IT, internet and data protection law. This article contains general information rather than legal advice: if you want advice, please feel free to contact Rory at firstname.lastname@example.org