Out-Law News 5 min. read
10 Apr 2012, 4:57 pm
Cookies are small text files that record internet users' online activity. Websites store the information on a user's computer, but new EU laws say users should be given the choice whether they consent to websites tracking their behaviour.
Most sites use cookies to measure the number of users of their site and how they use it. These are data analytics cookies.
The Information Commissioner's Office (ICO) is due to begin enforcing the new rules on cookies from 26 May. When the laws came into force on that date last year, the ICO announced a year's hiatus in its enforcement action to allow businesses time to comply with the new requirements. The ICO has now confirmed that its enforcement action will not be focussed on "cookies used for analytical activities" even though consent will be required from users to permit this activity.
"The [UK's Privacy and Electronic Communications] Regulations do not distinguish between cookies used for analytical activities and those used for other purposes," the ICO said in a statement, according to a report by The Register. "We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent."
"In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement," the ICO said. "This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals."
"Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action. The ICO will also be issuing further guidance shortly which will provide further details on analytics cookies reiterating that they are covered by the new changes. We will also give our view on the applicability of implied consent for these and other cookies," it said.
In 2009 the EU's Privacy and Electronic Communications (e-Privacy) Directive was changed to demand that storing and accessing information on users' computers was only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". Consent must be "freely given, specific and informed".
An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.
The Privacy and Electronic Communications (Amendment) Regulations implemented the changes in the Directive into UK law. The ICO has been given extra powers to impose penalties of up to £500,000 on websites that breach the new regulations.
In a speech earlier this month the UK's Culture Minister said he 'wished' consent did not have to be obtained by businesses looking to use cookies for web analytic purposes.
"[The ICO's guidance on cookies] sets out very clearly which cookies they consider to fall in the strictly necessary category," Vaizey said. "Of course we all wish that category could be extended to include things like analytics but that isn’t what the law says."
"But we need to understand that consent is not black and white. Both the ICO and I have said on several occasions that there is a sliding scale of intrusiveness which should inform the level of effort you go to. Obviously something like analytics or feature based cookies are pretty low on that scale and I know that the ICO will take that into account," he said.
"Of course that doesn’t mean that you don’t need to go to any effort at all but something which tracks how many users visit a page is hardly the priority here. But there is no getting away from the fact that there is no simple answer. Ultimately, you need to take responsibility. Think about the cookies you use; think about the way you access and use data; think about how you can better inform your users of what you are doing and why; and think about how you can give them the tools to exert control over that if they so wish," Vaizey said.
The ICO delayed its enforcement of the e-Privacy rules because it was waiting for browser manufacturers to create new setting controls for users that would enable those individuals to specify their consent to cookies. However, despite industry developments in this area, a universal 'do not track' option is still unavailable for internet users.
In the absence of such controls, the ICO has issued non-prescriptive guidance to website operators that sets out alternative methods they can use for obtaining users' consent to cookies. However, the ICO has left it up to individual operators to determine what methods to choose.
The options include using 'pop-up' prompts on users' screens that ask for consent to cookies when the individuals access web pages. Consent can also be obtained by using terms of use or terms and conditions that ask for consent from users when they first register or sign-up to websites.
Consent can also be gleaned from preferences that users choose when visiting a website. Website features, such as videos, that remember how users personalise their interaction can also determine user consent.
Website operators can also elect to display text at either the top or bottom of web pages that asks for consent and links through to more detailed explanation about their use of cookies.
One area that cookies are used prominently for is in online behavioural advertising (OBA). Publishers and advertising networks use cookies to track user behaviour on websites in order to target adverts to individuals based on that behaviour.
The Internet Advertising Bureau (IAB) Europe has developed a voluntary code that requires businesses sign up to display an icon if they use adverts that track users' behaviour. If users click on the icon they are taken to a website that will enable them to switch off behavioural adverts delivered by companies that use the icon.
However, whilst EU privacy watchdogs have said that businesses following the IAB's code are not necessarily complaint with the new rules on consent to cookies, Ed Vaizey has praised the framework.
"It offers users further information about the ads they are seeing without doing so in an obtrusive or disruptive way," he said in his speech. "And it is a fantastic example of the willingness of industry to work together to find solutions which suit both business and users."
"The OBA framework is an essential element of a series of measures being taken across industry, which we believe will give users more control over their privacy online," the Culture Minister said.
The International Chamber of Commerce (ICC) UK has recently issued new guidance (15-page / 296KB PDF) on cookies. The guidance, which has been welcomed by the ICO, contains information on the different categories of cookies that website operators use and when consent to those cookies will be required to be obtained.
The ICC UK's guidance also contains suggested wording that website operators can use when asking users' consent.
"The ICC UK guidance provides useful information on how organisations can achieve this and reinforces the ICO’s key message that giving users better and more consistent information will make it easier to gain their consent," David Evans, group manager for business and industry at the ICO, said in a statement.
"We are almost at the end of the year long lead in period and it is vital that organisations start demonstrating that they are moving towards compliance,” Evans said, according to the ICC UK's blog.