I was asked a couple of days ago to prepare an email alert for clients on a commercial law update circulation list to describe compliance steps required for the new cookies law. This turns out to be virtually impossible. Much as it pained me, the advice really comes down to the cliché lawyers’ answer of, “It depends”.
Together with my colleague Mark Alsop, we finally went with this:
When we issue email alerts on an imminent change in law that is likely to have a wide impact on normal business activities, we seek to give clear guidance on what steps must be taken for compliance with the new law.
A cookie is a small file of letters and numbers placed by a website onto a user’s computer when he or she accesses the website. Cookies allow a website to recognise a user’s computer and to adjust the user’s experience of the website accordingly – they can be used for authentication, storing preferences, managing shopping baskets, tracking web-browsing and many other things. A website may place several cookies onto a user’s computer.
This Directive has been amended so that, as well as giving users information on exercising an opt out, usually by changing their browser settings to reject any cookies, no cookies can now be used lawfully unless the user has given his or her consent to their use.
The change is practically difficult to implement without spoiling the user’s browsing experience. It had been thought (hoped) that having browser settings which permit cookies would amount to consent, but this has been rejected as a means of obtaining consent.
The UK Government did consult on appropriate amendments to the UK Regulations to make them easier to comply with, but that came to nothing when the Ministry of Justice announced that in future all Regulations implementing EU legislation will simply faithfully reproduce the revised EU Directive wording.
There are reports that the Government is working with browser suppliers to bring in browsers that can give compliant consent. This will be a big step forward, but as the guidance points out, there will remain the problem of users who do not upgrade to such browsers.
Two final observations. First, the ICO expects websites to deal with the more intrusive cookies first. Second, in terms of enforcement, the guidance acknowledges that there is no prospect of full compliance by 26th May, i.e. less than 3 weeks after the guidance was issued. Instead, the ICO indicates that, for the time being, it is concerned to ensure that website owners have a realistic plan to achieve compliance.
The ICO states that further guidance will be issued “if appropriate, in future”.