EU Cookie Law Regulations
Implied Consent
The Information Commissioner’s Office (ICO) has stated that it is acceptable for websites to infer that visitors have given their implied consent to the use of cookies through their continued use of the site. However, sites still need to have a clear and prominent Cookies Policy in place.
The EU is also now proposing changes to the regulations to allow sites to read the general cookie preferences set in the user's browser, so that visitors do not have to accept cookies by clicking on tick boxes on every site they visit.
Our opinion is that this has been a significant waste of time and resources for websites attempting to comply, and has threatened the provision of free information and services on the internet, most of which rely on advertising revenue to pay for those free services.
Introduction
In the UK, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 implement European Directive 2009/136/EC. This is more commonly known as the cookie law and came into force on 26th May 2012.
What are cookies?
Cookies are small text files containing a short string of numbers and letters that a website asks your browser to store automatically. Cookies are primarily used to make a website easier and faster to use. The cookie allows the website to recognise that a device is accessing, or has previously accessed, the site and to act accordingly (depending on what the cookie is designed to do). Mostly cookies perform mundane but necessary tasks, such as:
- Remembering you as a registered user, if you sign up to a website.
- Monitoring a website to ensure it loads correctly and efficiently.
- Allowing customers to add items to a shopping basket and pay.
- Serving ads that are more relevant to you.
- Analysing how visitors use a website to spot ways to improve it.
Cookie abuse
The cookie law was drafted to combat those websites that over-use or abuse the cookie process. Only a small percentage of sites do this, and most are located outside the UK or EU anyway – and so are not covered by the regulations.
Typical abuse of cookies occurs when a website places a cookie on your computer or device that is permanent and tracks your activity as you surf the internet – not just on the site that set it. The purpose of such a cookie is to track you and your surfing habits. Over time these cookies build up a profile of what you do, which can then be sold on to third parties. These types of cookie may or may not be able to personally identify you; in the most extreme case, they will be able to.
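The two properties the last two sections describe, whether a cookie outlives the browser session (it carries an Expires or Max-Age attribute) and whether it was set by a host other than the page the visitor is on, are exactly what a site owner checks when deciding what a Cookie Policy must disclose. The script below is an added example, not CompactLaw's material or any real site's headers: it parses Set-Cookie header values recorded alongside the responding host and the page host, and sorts each cookie into a category. The sample headers are constructed, and the same-site test is a deliberate simplification (a production audit would consult the Public Suffix List rather than compare suffixes).

```python
"""Classify Set-Cookie headers by persistence and party for a cookie audit.

Added example with constructed data; no header below comes from a real site.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CookieInfo:
    name: str
    persistent: bool   # survives closing the browser (Expires or Max-Age > 0)
    third_party: bool  # set by a host that is not same-site with the page host
    secure: bool
    http_only: bool


def same_site(host_a: str, host_b: str) -> bool:
    """Simplified same-site test (assumption): equal hosts, or one is a
    subdomain of the other. A real audit would use the Public Suffix List."""
    a, b = host_a.lower().rstrip("."), host_b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def parse_set_cookie(header: str, response_host: str, page_host: str) -> CookieInfo:
    """Parse one Set-Cookie header value (RFC 6265 attribute syntax)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Expires makes a cookie persistent; a valid Max-Age takes precedence,
    # and Max-Age of zero or less tells the browser to delete the cookie now.
    persistent = "expires" in attrs
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        persistent = int(max_age) > 0

    return CookieInfo(
        name=name,
        persistent=persistent,
        third_party=not same_site(response_host, page_host),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )


def classify(info: CookieInfo) -> str:
    """Map a cookie to the category a policy author cares about."""
    if info.persistent and info.third_party:
        return "tracking"               # the profile-building case the law targets
    if info.persistent:
        return "persistent-first-party" # e.g. "remember me": disclose in the policy
    if info.third_party:
        return "session-third-party"    # short-lived but set by another host: review
    return "functional"                 # e.g. shopping basket: the service exception


def audit(observations: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """observations are (response_host, page_host, Set-Cookie value) triples."""
    verdicts: Dict[str, str] = {}
    for response_host, page_host, header in observations:
        info = parse_set_cookie(header, response_host, page_host)
        verdicts[info.name] = classify(info)
    return verdicts


# Constructed observations for a hypothetical shop at shop.example.
SAMPLE: List[Tuple[str, str, str]] = [
    ("shop.example", "shop.example",
     "basket=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "shop.example",
     "remember_me=tok; Max-Age=2592000; Secure; HttpOnly"),
    ("ads.tracker.example", "shop.example",
     "uid=9f8e7d; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.tracker.example; "
     "Path=/; SameSite=None; Secure"),
    ("shop.example", "shop.example", "old_pref=; Max-Age=0"),
]

if __name__ == "__main__":
    for cookie_name, verdict in audit(SAMPLE).items():
        print(f"{cookie_name:12s} {verdict}")
```

The "functional" bucket corresponds to the shopping-basket exception discussed below, while anything in the "tracking" bucket is the kind of cookie the ICO guidance treats as detrimental to visitors and is the first thing a policy has to explain.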
Shopping basket exception
Cookies used during the shopping basket/checkout process on e-commerce websites do not require any consent as such. This is because the visitor has specifically requested a service from a website - to buy something. Cookies are used to ensure what is added by the customer to their basket remains in their basket throughout the checkout and payment process – to ensure the customer receives the item.
However, even e-commerce websites use cookies for other purposes, such as remembering customer account login details - so a Cookie Policy would be required in this instance.
The Information Commissioner’s Office
From our discussions with the Information Commissioner’s Office (ICO), we have obtained the following broad guidance.
1. The law is designed to stop websites using intrusive cookies that track visitors on a website, and in some cases continue to track visitors when they subsequently visit other sites. These cookies are purposefully designed to obtain as much data about visitors as possible. This data is not required to provide a service to the visitor on the website; it is obtained to create a data profile of the visitor.
The use of such cookies is clearly to the detriment of visitors. This is a key point of the regulations: are the cookies used detrimental to the visitor?
2. The ICO has stated that if a website can show it has taken reasonable steps to comply with the law, that website is less likely to be found to have broken the law.
Enforcement and Penalties
The ICO has stated they will look at any website reported to them to see if a breach has been committed. As stated above, action is less likely to be taken where the website can show that it has attempted to comply with the regulations.
The ICO has the following enforcement and penalty options under the regulations (taken directly from the ICO’s guidance):
Information notice: this requires organisations to provide the Information Commissioner with detailed information within a specified period.
Undertaking: this commits an organisation to a particular course of action to improve its compliance.
Enforcement notice: this compels an organisation to take action specified in the notice to bring about compliance with the regulations. For example, a notice may be served to compel an organisation to display a clear Cookies Policy. Failure to comply with an enforcement notice can be a criminal offence.
Monetary penalty notice: a monetary penalty notice requires an organisation to pay a monetary penalty of an amount determined by the ICO, up to a maximum of £500,000. This power can be used in the most serious of cases, if specific criteria are met: any person has seriously contravened the regulations, and the contravention was of a kind likely to cause substantial damage or substantial distress. Also, the contravention must either have been deliberate, or the person must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.
Even though these powers may seem draconian, a website would need to be in serious breach to receive a monetary penalty notice. The level of breach would be more akin to installing spyware on a visitor’s computer or mobile device.
Attempting to comply
Website owners can take simple steps to highlight the use of cookies on their site and provide clear information about the use of such cookies.
From a practical point of view, we would suggest that websites provide clear and prominent links (either in the footer or the header) to their new Cookie Policy.
The actual cookie policy should also be worded in a clear way, without the use of technical language or jargon.
A site does not have to list all the cookies it uses; it should, however, describe in broad terms how and why it uses cookies on the website and the benefits of using them.
Any such cookie policy should be clear, succinct and easy to read and understand – taking the average non-technical user as the baseline. (At the risk of being patronising – would your grandfather or grandmother understand it?)
Buy Cookie Policy - part of CompactLaw Business Pack, see under "E-commerce and Internet" section.