Revised cookies’ law and lack of guidance takes the biscuit

Les Cookies © Jonathan Kowalski

I was asked a couple of days ago to prepare an email alert for clients on a commercial law update circulation list to describe compliance steps required for the new cookies law. This turns out to be virtually impossible. Much as it pained me, the advice really comes down to the cliché lawyers’ answer of, “It depends”.

Together with my colleague Mark Alsop, we finally went with this:

When we issue email alerts on an imminent change in law that is likely to have a wide impact on normal business activities, we seek to give clear guidance on what steps must be taken for compliance with the new law.

Regrettably, this is rather difficult to do for the new law on the use of cookies, which comes into effect on 26 May 2011.

A cookie is a small file of letters and numbers placed by a website onto a user’s computer when he or she accesses the website.  They allow a website to recognise a user’s computer and to adjust the user’s experience of the website accordingly – cookies can be used for authentication, storing preferences, managing shopping baskets, tracking web-browsing and many other things.  A website may place several cookies onto a user’s computer.

The current law requires users to be given information about the use of cookies, which information must include details on how the user can opt out of cookies’ use – this is contained in the Privacy and Electronic Communications (EC Directive) Regulations 2003.  As their name implies, the Regulations implement a European Union Directive (Directive 2002/58/EC).  Compliance has usually involved no more than including a statement in website terms and conditions or privacy policy on the use of cookies.  The law applies not just to cookies, but also to alternatives that perform similar functions, such as tracking by IP address, hidden form fields and flash cookies – all covered by the word “cookies” for the purposes of this note.

This Directive has been amended so that, as well as giving users information on exercising an opt out, usually by changing their browser settings to reject any cookies, no cookies can now be used lawfully unless the user has given his or her consent to their use.

The change is practically difficult to implement without spoiling the user’s browsing experience.  It had been thought (hoped) that having browser settings which permit cookies would amount to consent, but this has been rejected as a means of obtaining consent.

The UK Government did consult on appropriate amendments to the UK Regulations to make them easier to comply with, but that came to nothing when the Ministry of Justice announced that in future all Regulations implementing EU legislation will simply faithfully reproduce the revised EU Directive wording.

The Information Commissioner’s Office (ICO) has recently published guidance on the new cookie law (click here), but this does not give any definitive, practical assistance in compliance.  Instead, it recognises that the new law is difficult to implement.  It merely advises that companies review their use of cookies and consider how they may be able to obtain the consent called for by the new regulation.

We can therefore only repeat the ICO advice.  Audit your use of cookies and consider how intrusive your use of the cookies is.  Then see how best you can get (and record) users’ consent.  The guide suggests methods involving features such as pop ups, terms and conditions and settings, i.e. instances asking users for consent at the same time as they anyway have to make choices in relation to the website.   These methods will of course not always be available.  The guidance does acknowledge that it will be particularly challenging to obtain consent in relation to “third party cookies” (which allow third parties to set cookies on a user’s computer).

There are reports that the Government is working with browser suppliers to bring in browsers that can give compliant consent.  This will be a big step forward, but as the guidance points out, there will remain the problem of users who do not upgrade to such browsers.

Two final observations.  First, the ICO expects websites to deal with the more intrusive cookies first.  Second, in terms of enforcement, the guidance acknowledges that there is no prospect of full compliance by 26th May, i.e. less than 3 weeks after the guidance was issued.  Instead, the ICO indicates that, for the time being, it is concerned to ensure that website owners have a realistic plan to achieve compliance.

The ICO states that further guidance will be issued “if appropriate, in future”.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s