Nov 8, 2011
* Update 30/05/2012 The ICO’s latest guidance is here and provides additional information around the issue of implied consent.
* Update 22/05/2012 Econsultancy post on ‘EU cookie law: ICO to contact 50 UK websites about compliance’ is here and the link to their guide to compliance is here. The Direct Marketing Association and Internet Advertising Bureau’s how-to guide on email and cookie legislation is here.
In principle the regulations are right, but how practical are they? Remember when 3D Secure came about: originally it was seen as an inhibitor to online shopping, but it is now seen as a necessary evil. By comparison, though, cookie compliance will have a much bigger impact.
So what do you need to know?
Well, most importantly, the Regulations came into force on 26th May 2011, so there are only 7 months left to work towards compliance before risking a fine. This is the law now. (Fines of up to £500,000 are possible.)
Why are the rules changing?
The European Directive on which the Regulations are based has been revised. UK law has to change to implement that changed Directive.
What are the rules?
Not all cookies are included in this legislation, and it’s unclear which cookies are excluded. Basically, only essential cookies such as eCommerce shopping baskets are allowed without consent, provided they don’t store personal data.
The original rule was set out in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR), more here.
The new requirement is essentially that cookies can only be placed on machines where the user or subscriber has given their consent.
6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment–
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information–
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
So who’s compliant?
Well, it seems that few have acted on the new rules as yet. The BBC have taken some steps, listing the cookies they use on the site and the purpose of those cookies, and telling you how to reject or delete cookies; see here.
What to do now?
Our suggestion is to start thinking about it now and implement incrementally, with small changes:
- Audit your site and highlight the most “intrusive” cookies
- Plan how to gain consent: browsers, pop-ups, T&Cs, etc.
- Consider Third Party cookies (e.g. from an advertising network or a streaming video service)
- Consider devices (website, phone, in store kiosk)
- 8 months before action (fines up to £500,000)
It’s not all doom and gloom
Looking at the positives that will come out of this, it offers a great opportunity for you to talk to your customers and for you to come up with some innovative marketing campaigns to encourage customers to understand and accept your cookies.
The Information Commissioner’s Office (ICO), the UK’s information watchdog, will publish a report before Christmas on progress UK organisations have made to comply with the new cookie rules.
Note: This blog does not constitute legal or other professional advice and should not be relied on as such. Specific advice should be sought about your individual circumstances.