Countdown to UK cookie compliance
During the twelve-month lead-in period granted by the Information Commissioner, organisations were expected to take steps to comply with the cookie rules. However these rules, although well intentioned, are in the words of the UK Government “difficult to work in practice”, with the result that there has been confusion and a genuine reluctance on the part of UK businesses to make changes which may have a real commercial impact.
So what are the rules and, as we approach the deadline, what evidence is there of meaningful efforts being taken to overcome the challenges these pose and to achieve compliance?
In December 2009, the European Union adopted an amended e-Privacy Directive. Before this change, websites only had to tell their users how cookies were used and how they could opt out. Under the revised e-Privacy Directive this became an obligation to tell users about cookies and to obtain their consent, unless a cookie is “strictly necessary” for a service “explicitly requested” by the user (for example a cookie needed to keep a person’s purchases in their shopping basket, or certain security cookies).
The UK implemented the revised Directive in May 2011 through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (‘PECAR’).
What is the scope of the PECAR cookie rules?
PECAR does not refer expressly to cookies; instead it requires consent for storing information, or gaining access to information already stored, in the terminal equipment of a user (or subscriber). A cookie is a small piece of data, usually containing a unique identifier, that a website places on a user’s device so that the device can be recognised and remembered on later requests. PECAR therefore applies to all cookies, but it also covers any other technology that stores or accesses information on the device (for example HTML5 local storage or Flash local shared objects).
The key concerns
The cookie rules have generated some confusion as to how they should be applied and what steps are needed to obtain consent for different cookies.
The view of the Information Commissioner is that for consent to work:
- there must be a communication, so that an individual’s action knowingly indicates their agreement to receiving cookies; and
- the action should happen (wherever possible) before the cookie is set, and is needed only the first time the cookie is set.
This is a challenge for websites where certain cookies are served with the first page-load. Where this cannot be resolved in the short term, genuine efforts must still be made to reduce the time gap between the user receiving cookie information and being able to exercise choice.
The plan of action
Over the past twelve months the Information Commissioner has expected businesses to comply with the rules by taking action to:
- stage 1 – identify the cookies placed on the devices of users who visit the website;
- stage 2 – assess how intrusive those cookies are; and
- stage 3 – implement the most appropriate way of obtaining the user’s consent for those cookies.
In addition, clear information must be given about the types of cookies served and how and why these are used.
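The consent rule set out above (consent before the cookie is set, with “strictly necessary” cookies exempt) and the three-stage plan can be turned into a small consent gate. The following is an added JavaScript example written for this page; it is not code from the original article or from the Information Commissioner. The cookie names, categories and the in-memory cookie jar are assumptions chosen for illustration: on a real site the jar would wrap `document.cookie` and the inventory would come from the site’s own stage 1 and stage 2 audit.

```javascript
// Added example, not from the original article. A consent gate that sets
// "strictly necessary" cookies immediately and holds back every other cookie
// until the user has knowingly agreed to its category. Cookie names and
// categories below are hypothetical, standing in for a real site's audit.

// Output of stages 1 and 2: every cookie the site sets, classified by purpose.
const COOKIE_INVENTORY = {
  session_id: { category: 'strictly-necessary', reason: 'keeps the basket/login working' },
  csrf_token: { category: 'strictly-necessary', reason: 'security' },
  _ga:        { category: 'analytics',          reason: 'traffic measurement' },
  ad_id:      { category: 'advertising',        reason: 'behavioural advertising' },
};

// Minimal in-memory jar standing in for document.cookie so the example runs in Node.
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;               // where cookies are actually written
    this.consented = new Set();   // categories the user has agreed to
    this.pending = [];            // non-essential cookies held back until consent
  }

  // Stage 3: every place the site used to write a cookie now goes through here.
  // Returns true if the cookie was written now, false if it was queued.
  setCookie(name, value) {
    const entry = COOKIE_INVENTORY[name];
    if (!entry) {
      // An unclassified cookie means stage 1 was incomplete; refuse rather than guess.
      throw new Error(`cookie "${name}" is not in the inventory; classify it first`);
    }
    if (entry.category === 'strictly-necessary' || this.consented.has(entry.category)) {
      this.jar.set(name, value);
      return true;
    }
    this.pending.push({ name, value });
    return false;
  }

  // Called from the consent banner once the user has taken a knowing action.
  // Records the agreed categories and releases any cookies queued under them;
  // returns the names released so the caller can log the consent event.
  grant(categories) {
    for (const c of categories) this.consented.add(c);
    const released = [];
    const stillPending = [];
    for (const item of this.pending) {
      if (this.consented.has(COOKIE_INVENTORY[item.name].category)) {
        this.jar.set(item.name, item.value);
        released.push(item.name);
      } else {
        stillPending.push(item);
      }
    }
    this.pending = stillPending;
    return released;
  }
}

// Simulates a first page-load that tries to set all four cookies, then a
// user who agrees to analytics only. Values are constructed sample data.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  gate.setCookie('session_id', 'abc');
  gate.setCookie('csrf_token', 'xyz');
  gate.setCookie('_ga', 'GA1.2');
  gate.setCookie('ad_id', '123');
  const beforeConsent = jar.names();            // only the strictly necessary ones
  const released = gate.grant(['analytics']);   // user accepts analytics, not advertising
  return {
    beforeConsent,
    released,
    afterAnalytics: jar.names(),
    stillPending: gate.pending.map(p => p.name),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the gate is that the first page-load can no longer leak a non-essential cookie by accident: anything not classified as strictly necessary is queued until the user’s action, and anything not classified at all is rejected so that the audit has to be completed before the site ships.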
Evidence of action?
With less than two months before the compliance deadline expires, evidence that businesses are rolling-out solutions for their websites is limited. Where measures have been taken, these focus on giving out more information on cookies through privacy policies.
There are a number of possible reasons for this including:
- businesses are waiting until the last minute before they go-live;
- no one wants to be the first to adopt a specific approach, particularly if there is a risk that this raises the bar on compliance higher than is perhaps necessary;
- there is a desire to see what everyone else does and align with that model (a kind of “I’ll show you mine if you show me yours” approach).
However there is one further important reason to consider. For many businesses, the process of going through the three-stage action plan has been a big undertaking, with efforts to implement solutions happening behind the scenes throughout the past year and likely to continue right up to (and beyond) the compliance deadline.
Measures that have been taken by some websites include:
- offering more visible links to information on cookies.
What if a business doesn’t make the deadline – don’t panic!
With the expiry of the deadline the Information Commissioner can enforce the cookie rules, although he is unlikely to take immediate action in cases where an organisation has:
- already implemented a sensible plan of action;
- a valid reason why it could not meet the deadline;
- a clear timeline by when it will be compliant; and
- evidence of how this will be achieved.
Although action by the Information Commissioner cannot be predicted with certainty, it is likely to focus initially on those who have clearly taken no action, or who are using intrusive cookies in ways a person would not expect.
Those who have yet to address their cookie compliance do therefore still have time, but they now need to act fast.
Sally Annereau considers the UK cookie rules and the evidence of measures to comply ahead of the expiry of the Information Commissioner's enforcement amnesty.