Saturday 26th May 2012 saw the end of the year-long moratorium on the enforcement of the e-Privacy Directive (better known as the cookie regulations), which came into law on 26 May 2011. This blog sets out what the new regulations in relation to cookies are and what you need to do. Cookies are not the only tracking device that the regulations encompass (cookies account for about 60% of tracking activity), but the blog focuses on their application to cookies, as the requirements for other tracking activities are much the same.
The new regulations reverse the previous opt-out standpoint to an opt-in one. It is therefore necessary for a website to gain consent from the user prior to placing cookies (barring the ‘strictly necessary’ exemption discussed below). The user should be informed about:
- What information is to be collected;
- What the website is going to do with that information;
- Who the information will be shared with;
- Whether the collected information will identify the individual user;
- How long the cookie will remain on their device; and
- How they can disable the cookies.
A common question I am asked is whether consent has to be sought for all cookies, and the answer is no: where a cookie is strictly necessary, consent is not required. Strictly necessary cookies include:
- Purchase path cookies (discussed above);
- Security cookies (e.g. those necessary to comply with certain legislative requirements); and
- Operational cookies (e.g. those that ensure the website loads quickly).
The definition does not stretch to cover analytics or tracking cookies (both first and third party) or recognition cookies (e.g. personalised greetings and personal preferences), and therefore the website must obtain user consent prior to their use.
In practical terms what do I have to do?
Step 1: The website owner should undertake, if they have not already, a cookie audit (your website developer should be able to assist) to understand what cookies are being used on the site and to collate the information that needs to be given to the user.
Step 2: You should determine whether you are going to seek express consent or rely upon implied consent. Under the latest guidance from the regulator (the Information Commissioner's Office (“ICO”)), implied consent can be sufficient, despite earlier guidance that suggested otherwise. Obtaining express consent will give the website owner greater certainty that the website is compliant but (depending upon the method used to obtain the express consent) may degrade the user experience.
So what do suitable options look like?
Terms and conditions
Where a site requires a user to sign up to terms and conditions prior to their use of the site (or part of the site), then the use of terms and conditions may be an acceptable option. The user’s attention would still need to be drawn to the relevant cookie information, and this could be done with a separate tick box stating that the website will be placing cookies.
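The audit in Step 1 and the opt-in consent in Step 2 are easier to reason about in code. The following is an added example written for this post, not code from the blog or from the ICO: an audit registry holding the six facts the user must be told, an in-memory jar standing in for `document.cookie` so it runs outside a browser, and a consent gate that writes strictly necessary cookies immediately but defers every other category until the user opts in. The category names, the registry contents and the cookie names are constructed assumptions, not anything prescribed by the regulations.

```javascript
// Added example (not from the blog): an opt-in cookie gate plus an audit
// helper. Category names, registry contents and the in-memory jar are all
// constructed assumptions for this example.
const STRICTLY_NECESSARY = "strictly-necessary";

// Own-property check so cookie names like "constructor" cannot match the
// Object prototype and slip through as "registered".
const known = (registry, name) => Object.prototype.hasOwnProperty.call(registry, name);

// Step 1 output: the cookie audit, recorded as a registry holding what the
// user must be told about each cookie. Constructed sample entries.
const COOKIE_REGISTRY = {
  session_id: {
    category: STRICTLY_NECESSARY,
    purpose: "keeps you signed in and holds your basket through checkout",
    sharedWith: "nobody outside this site",
    identifiesUser: false,
    maxAgeSeconds: 0, // 0 = session cookie, removed when the browser closes
  },
  _ga: {
    category: "analytics",
    purpose: "counts visits and pages viewed",
    sharedWith: "a third-party analytics provider",
    identifiesUser: false,
    maxAgeSeconds: 2 * 365 * 24 * 3600,
  },
  greeting_name: {
    category: "preferences",
    purpose: "shows a personalised greeting",
    sharedWith: "nobody outside this site",
    identifiesUser: true,
    maxAgeSeconds: 30 * 24 * 3600,
  },
};

// Minimal in-memory jar with the same name/value shape as document.cookie.
function createJar() {
  const store = new Map();
  return {
    set(name, value) { store.set(name, value); },
    remove(name) { store.delete(name); },
    has(name) { return store.has(name); },
    // Same "a=1; b=2" string a browser returns from document.cookie
    serialize() { return [...store].map(([k, v]) => `${k}=${v}`).join("; "); },
  };
}

// Step 2: an opt-in gate. Only strictly necessary cookies are written before
// consent; everything else waits for grant(category) and is cleared on revoke.
function createConsentGate(jar, registry) {
  const granted = new Set();
  return {
    grant(category) { granted.add(category); },
    revoke(category) {
      granted.delete(category);
      for (const [name, entry] of Object.entries(registry)) {
        if (entry.category === category) jar.remove(name);
      }
    },
    setCookie(name, value) {
      // A cookie missing from the audit has no disclosure text, so refuse it.
      if (!known(registry, name)) throw new Error(`cookie "${name}" is not in the audit registry`);
      const entry = registry[name];
      if (entry.category !== STRICTLY_NECESSARY && !granted.has(entry.category)) {
        return false; // deferred until the user opts in to this category
      }
      jar.set(name, value);
      return true;
    },
    // Notice text for one cookie, covering the six points the user must be told.
    notice(name) {
      const e = registry[name];
      const lifetime = e.maxAgeSeconds === 0
        ? "until you close your browser"
        : `${Math.round(e.maxAgeSeconds / 86400)} days`;
      return [
        `Cookie: ${name} (${e.category})`,
        `What it collects and why: ${e.purpose}`,
        `Shared with: ${e.sharedWith}`,
        `Identifies you: ${e.identifiesUser ? "yes" : "no"}`,
        `Stays on your device: ${lifetime}`,
        "How to disable it: withdraw consent in the cookie settings or block it in your browser",
      ].join("\n");
    },
  };
}

// Re-run the audit against a live cookie header: any name not in the registry
// is a cookie nobody has written disclosure text for, so the audit is stale.
function auditCookieHeader(cookieHeader, registry) {
  const names = cookieHeader
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((n) => n.length > 0);
  return {
    registered: names.filter((n) => known(registry, n)),
    unregistered: names.filter((n) => !known(registry, n)),
  };
}
```

In a real site the jar would be replaced by `document.cookie` writes with the `max-age` from the registry, and the `grant` and `revoke` calls would be wired to the tick box or cookie banner. The gate throwing on an unregistered cookie is deliberate: it turns a missed entry in the audit into a visible failure during development rather than an undisclosed cookie in production.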
Based outside of the UK?
I have also been asked whether websites that are based outside the UK need to comply with the regulations. The answer to this is yes. Firstly, the regulations (in slightly different guises) will be implemented across all 27 EU member states. Secondly, even where the site is located outside of the EU, it is the location of the user that is paramount (albeit that enforcement of any breach will be more difficult), and therefore the website must be compliant.
The guidance from the ICO is that they are not likely to be strongly enforcing the new regulations in the coming months. They will act upon complaints from users about infringing websites, as opposed to actively seeking out non-compliant websites. The punishments available to the ICO include a maximum fine of up to £500,000 (although they have said they are unlikely to issue a fine except in extreme circumstances), negative publicity, compliance notices and undertakings from the website. The ICO’s aim is that websites are compliant or making steps to achieve compliance, and it will seek to encourage infringing websites to fix issues rather than punishing them financially.
For further details please contact me at email@example.com or on Twitter @iaintaker
This blog was written by Iain Taker, who is a qualified lawyer with Kemp Little, specialises in Commercial, Technology and Sports law, and is a registered lawyer under the FA Football Agency Regulations.