With two weeks to go until implementation of an EU-wide amendment to the law on cookies and consent, the UK's data protection regulator, the Information Commissioner's Office (ICO), has issued initial guidance on compliance. It proposes three actions that organisations can take to mitigate their potential exposure to enforcement action in the short-term. In the meantime, industry and the authorities are working on finding solutions to the most complex and challenging issues presented by the new law.
The guidance confirms that the new rules provide that cookies require consent from a user unless they are "strictly necessary" for a service requested by the user. This exception will be narrowly interpreted by the ICO and is likely to be limited to, for example, cookies that enable you to shop online easily and quickly (using the 'add to basket' and 'proceed to checkout' functions). Other cookies, including all third-party cookies and flash cookies, will be subject to the new consent rule.
As the regulatory authority charged with enforcing these new rules, the ICO has been placed in a very difficult position. While it and the government department responsible for policy and legislation in this area, the Department for Culture Media and Sport (DCMS), are trying to find a practical technical solution, working with browser manufacturers and others, the ICO is going to come under immediate pressure to enforce the new regulations. The ICO intends to issue separate guidance on how it will enforce the rules.
In the meantime, the ICO has made it clear that those organisations that do nothing will be more vulnerable to enforcement action than those that start planning now and take the following three steps:
- Cookie Audit - Check what type of cookies and similar technologies you use and how you use them. Depending on your use of cookies, this exercise will range from a comprehensive website audit to a simple review of what data files are sent to users and why. An assessment of cookie use will also likely identify cookies no longer needed or in use.
- User Impact Assessment - Assess how intrusive your cookies are. As the new rule on cookies is intended to strengthen the privacy protection of internet users, conducting this assessment is fundamental to determining compliance to determine privacy intrusiveness and which cookies result in a higher risk. Cookies that enable the creation of profiles of browsing activity, or that provide geo-location information, are more intrusive than session cookies that merely record how long a user spends on a site.
- Action Plan - Decide on the right solution. Do you want cookies with that? After identifying what cookies are used for what purpose and where they lie on a sliding scale of intrusiveness, organisations will need to think about what's needed to obtain meaningful consent from users. In the absence of any widely available built-in technical solutions, this will be the most challenging aspect of the guidance to address.
The full ICO guidance is available here.
The ICO is expected to update and expand its guidance over the next few months and will issue further guidance related to how it will enforce this new cookie regime.
The ICO guidance leaves it to organisations to "work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do." We can assist our clients by helping your team identify the types of cookies you use, assess the level of intrusion of those cookies, your risk exposure and devising a compliance solution.
The ICO will take a 'softly-softly' regulatory approach for the next two to three months, to allow organisations to assess their cookie use and to put steps in place to become compliant, because it recognises that organisations have much to do before they can confidently say they know what 'stale' or 'bad' cookies are in their jar!
Client Alert 2011-114