Disclaimer: We have included below some advice taken from the UK's Information Commissioner's Office (ICO) website or from an ICO spokesperson. Wherever possible we have provided links back to the source of the information. If you have any doubts about how the new EU Cookie Law may affect your website then we recommend that you seek expert legal advice.
On 26th May 2012 the UK's Information Commissioner's Office (ICO) began enforcing an EU directive from May 2011 designed to protect internet users' privacy. Under the revised Regulations the legal requirement is not just to provide clear information about the cookies, but also to obtain consent from users or subscribers to store a cookie on their device.
The aim of this legislation is to increase online security and data privacy, giving users more control over what data can be held about them. You may well have noticed that many major websites have already instigated measures to comply - the BBC website for example.
The ICO has a range of options available to it to take formal action where companies cannot prove that they are working towards compliance within reasonable timeframes. These options include committing organisations to a particular course of action, enforcement notices and possible fines of up to £500,000.
... those setting cookies must:
Google Analytics installs a 'first party' cookie; however, many Google Analytics accounts have the opt-out setting set to "True", which allows Google to anonymously track website metrics for the purposes of "benchmarking". Google says this information is used to categorise a website and show a relative performance line in visit graphs. This shows how well a website benchmarks for that category.
The ICO guidance says: "If the information collected about website use is passed to a third party you should make this absolutely clear to the user. You should review what this third party does with the information about your website visitors." Therefore in the instance of "benchmarking" it is clear consent must be achieved for a website to pass information to Google.
The ICO says exceptions are likely to be made, for example if the cookie is "used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket".
The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used:
"for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user."
The term 'strictly necessary' means that "such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data."
The ICO go on to say, "Where the use of a cookie type device is deemed 'important' rather than 'strictly necessary', those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent."
The ICO's latest guidance (May 2012) sets out the changes to the cookies law and explains the steps you need to take to ensure you comply. The updated guidance provides additional information around the issue of implied consent:
"Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
"If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent."
The ICO website says, "It is true that you need to have a positive indication of consent, but it is not true that this must be obtained by the individual ticking a box."
"... the Directive on which these Regulations are based ... gives the ticking of a box on an internet site as an example of an 'appropriate method' to give consent but it is only an example. It is not the only method by which consent can be obtained.
The Directive ... defines 'the data subject's consent' as:
'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed'."
In the view of the ICO, "there must be some form of communication where the individual knowingly indicates consent. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent."
The Regulations are not prescriptive about the sort of information that should be provided, but the text should be "sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so".
While it is likely that most sites will get away with doing nothing for some time, you should take note that the ICO is encouraging members of the public to report noncompliant websites. The ICO have already started contacting websites asking why they have not yet complied. You should also consider how you want your website to be perceived by customers, or by those you provide services to.
No two websites will be the same when it comes to compliance. You really need to discuss this with your web design company as they will be best placed to advise you on the technical and design aspects of making changes to your website.
You might want to consider undertaking some or all of the following:
If you require help identifying how the new EU Cookie Law affects your website, Integralvision can provide a paid consultancy service on your website's current status, revisions to your Privacy Statements, as well as a written plan of work you might undertake to reach compliance.