Cookies: ICO issues "Work in Progress Guidance"; 3 Steps businesses need to take now

Via Olswang

The Information Commissioner's Office has published guidance to give businesses a "starting point for compliance" with new rules requiring opt-in consent to the use of cookies. The new UK legislation comes into force on 26 May. The Government continues to work with browser manufacturers on a browser-based solution, but the ICO stresses that businesses do need to take compliance steps now, not simply wait and see.

The new rules and ICO guidance: what three steps should businesses take now?

The background to these changes will now be familiar to many of our readers - but for a quick recap please see our April 2011 update here. In short, the obligation on websites using cookies is being "upped" from a requirement for clear and comprehensive information about cookie use (and the opportunity to refuse cookies) to a requirement for opt-in consent.

The new rules are set out in Regulation 6 of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 which amend the 2003 "PEC Regulations". As expected, the new regulations simply copy out the underlying EU Directive (although they do specifically allude to browser settings as one potential means of obtaining consent).

The ICO published its 9-page guidance on 8 May. In short, it advises businesses to:

  • review what types of cookies their websites use and for what purposes;
  • assess how intrusive such cookies are; and
  • decide which options for obtaining consent will be appropriate for their websites and the different cookies used.

The guidance goes a little further than expected in stressing that businesses should not simply be waiting for a browser-based solution to emerge, but considering and implementing alternative methods of obtaining users' consent.

The overriding message is, as ever, transparency. The guidance suggests providing lists of the cookies used and how they work, so that users can make an informed choice; it also suggests suitably prominent text in the footer or header of the website when cookies are set on the user's device. It further recommends a spring clean to get rid of unnecessary or obsolete cookies. The more intrusive a particular cookie, the greater the compliance effort required to make it transparent and to obtain users' consent to it.

What are the alternative methods of obtaining informed consent to cookies?

The guidance emphasises that, even when a browser solution does emerge, it may not be appropriate in every case. For example, users may not have the most up-to-date version of the browser, and a website's use of cookies will in any event need to be considered on a case-by-case basis. The guide briefly considers the pros and cons of the following alternative methods of informing users about privacy choices and obtaining the requisite consent:

  • pop ups and splash pages;
  • a tick box accepting terms and conditions (rather than simply informing users via a privacy policy);
  • settings-led consent; and
  • feature-led consent.
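The three ICO steps (inventory the cookies and their purposes, rate how intrusive each is, decide how consent is obtained) and the opt-in methods listed above can be expressed as a small server-side consent gate. The following is an added example written for this page; it is not code from Olswang or from the ICO guidance. The cookie names, purposes and intrusiveness ratings are constructed sample data, and the rule that an undeclared cookie is never set is a design choice of the example, not a requirement the article states.

```javascript
// Added example: a cookie inventory, an audit against it, and an opt-in gate.
// Not from the article or the ICO guidance; all data below is constructed.

// Step 1 and 2: the declared inventory of cookies, their purposes and an
// intrusiveness rating. Anything the browser sends that is not listed here
// is either obsolete or undocumented, which is what the "spring clean" targets.
const COOKIE_INVENTORY = {
  session_id: { purpose: "session",     intrusive: "low" },
  pref_lang:  { purpose: "preference",  intrusive: "low" },
  _ga_visit:  { purpose: "analytics",   intrusive: "medium" },
  ad_profile: { purpose: "advertising", intrusive: "high" },
};

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Compare the cookies a browser actually holds against the inventory.
// Returns declared cookies (most intrusive first, since those need the most
// transparency effort) and any cookie the site never declared.
function auditCookies(header, inventory = COOKIE_INVENTORY) {
  const present = parseCookieHeader(header);
  const declared = [];
  const undeclared = [];
  for (const name of Object.keys(present)) {
    if (inventory[name]) declared.push({ name, ...inventory[name] });
    else undeclared.push(name);
  }
  const rank = { low: 0, medium: 1, high: 2 };
  declared.sort((a, b) => rank[b.intrusive] - rank[a.intrusive]);
  return { declared, undeclared };
}

// Step 3: given the purposes the user has opted in to (however that consent
// was gathered: splash page, tick box, settings- or feature-led), decide which
// of the cookies the application wants to set may actually be sent.
// Returns Set-Cookie header values to emit and the refused cookies with reasons.
function applyConsent(requested, consentedPurposes, inventory = COOKIE_INVENTORY) {
  const allowed = [];
  const refused = [];
  for (const { name, value } of requested) {
    const entry = inventory[name];
    if (!entry) {
      // Undeclared cookies cannot be explained to the user, so never set them.
      refused.push({ name, reason: "not in declared inventory" });
    } else if (!consentedPurposes.has(entry.purpose)) {
      refused.push({ name, reason: `no opt-in for purpose "${entry.purpose}"` });
    } else {
      allowed.push(`${name}=${encodeURIComponent(value)}; Path=/`);
    }
  }
  return { allowed, refused };
}

// Usage with constructed input: a request carrying one obsolete cookie, and
// a user who has opted in to "session" and "preference" purposes only.
function demo() {
  const audit = auditCookies("session_id=abc; ad_profile=xyz; old_promo=1");
  const consent = new Set(["session", "preference"]);
  const result = applyConsent(
    [
      { name: "session_id", value: "abc" },
      { name: "ad_profile", value: "xyz" },
      { name: "tracker9", value: "1" },
    ],
    consent
  );
  return { audit, result };
}
```

In the demo the audit flags `old_promo` as undeclared, and the gate sets only `session_id`: `ad_profile` is refused because the user never opted in to advertising, and `tracker9` because it was never added to the inventory. Keeping the inventory as the single source of truth for both the published cookie list and the gate is what makes the "lists of cookies used" the guidance asks for stay accurate.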

The guidance also emphasises that the opt-in rules apply equally in the more complex scenario involving third-party cookies, and that "everyone has a part to play" in ensuring compliance, while unfortunately giving little help on how to deal with them in that situation. This is disappointing, since this is precisely the area where guidance is needed.

If I do nothing, what is the risk of enforcement action?

Despite the fact that the UK is still working on practical compliance solutions, businesses do need to take certain steps now to avoid user complaints and potential enforcement action by the ICO once the rules come into force on 26 May. In its guidance the ICO states that, although the UK is taking a phased approach to implementation of the new rules, in the event of a complaint about a website the ICO "would expect an organisation's response to set out how they have considered the points above [i.e. the three bullet points in our first paragraph] and to have a realistic plan to achieve compliance". A further guidance document on the ICO's approach to enforcement, which will give more details, is still pending.

What else should my business be doing in relation to cookies?

The three steps described above are seen by the ICO as "a starting point" on the "road to compliance". We recommend that businesses also:

  • ensure their privacy policies reflect their current use of cookies;
  • keep an eye out for future ICO enforcement guidance; and
  • keep an eye out for any future browser-based solutions and evaluate whether such methods are legally adequate and commercially workable means of obtaining users' consent in the context of their particular website.

What else is new?

While the cookie rules apply to all online businesses, the new Regulations also introduce data breach notification requirements specific to the electronic communications sector. The EU has made it clear that in future it plans to extend the rules on reporting data breaches to all organisations, although at this stage it is not clear when.

The ICO's guidance "Changes to the rules on using cookies and similar technologies for storing information" is available on the ICO's website.

To discuss the impact of this issue on your business, please contact Olswang's Head of Data Protection Marc Dautlich, Legal Director Elle Todd or another member of Olswang's Data Protection Team. See also