How to deal with the new law on cookies

On the 26th of May the grace period granted by the Information Commissioner’s Office (ICO) to comply with laws on cookies ended. Websites have since been subject to a higher risk of sanctions if they fail to comply.

Before discussing the implications of the new law and how businesses can adhere to it, it is worth explaining what cookies are and why the law takes an interest in them.

Cookies

Cookies are pieces of information that websites store and access on visitors’ computers for a variety of reasons. For example, a website might store a cookie on your PC so that when you return to that site, it can remember you, so you don’t, for example, need to enter your password multiple times. Cookies make our user experience of sites more enjoyable. They are also used to track your activity for marketing analysis purposes.

The aim of the law is to protect people’s online privacy. The ICO’s main concern, noted in ‘Guidance on the rules on use of cookies and similar technologies’, was online tracking of individuals and the use of spyware.

New regulations

So, what do the new rules mean? The regulations build on the previous law laid down in 2003, which required websites to provide visitors with clear and comprehensive information about how and why cookies were being used on a site, and to give users the ability to ‘opt-out’ of cookies being stored on their devices.

The new law means cookies can no longer be stored on a visitor’s device unless the visitor specifically consents in advance, for example by clicking a button, sending an email, checking a box and subscribing to a service.

However, in some cases consent is not strictly necessary. For example, using cookies to remember items in an online shopping basket for the purposes of security in online banking or to help load webpages faster is acceptable.

Still, these exceptions are limited, and the majority of sites have since been obliged to seek explicit consent to use cookies. Examples of common use of cookies for which sites need consent include web analytics (such as Google analytics), for advertising, or to recognize visitors when they return.

A controversial law?

For many, the law is controversial because it can be difficult to implement these measures in a way that does not spoil visitors’ experiences.

A crucial issue, attracting much attention, is that if a site cannot use cookies to remember that a visitor has not given consent to the use of cookies, it may need to keep asking for consent every time a page is loaded.

In response, the ICO has provided a range of examples of how to get around this particular issue.  These are on pages 19-25 of the ICO guidance on the new cookies regulations.

The ICO is unlikely to impose colossal fines for first offences or minor breaches. The deputy commissioner has said that enforcement of the law ‘doesn’t mean the ICO is going to launch a torrent of enforcement action’, though the ICO announced it would send out 50 letters to some of the UK’s biggest websites, asking them to demonstrate that they are explicitly asking for users’ consent before using cookies to track behaviour.

Having sent these letters, the ICO intends to wait for users to specifically complain about cookies being used on particular sites before investigating individual organizations.

While only serious breaches of data protection will lead to the maximum fine, the ICO does have the power to commit an organization to take steps towards compliance, to compel an organization to comply (failure to do so would be a criminal offence) and if necessary, for more serious cases, to impose fines of up to £500,000.

Ensure you have a Privacy Policy

So what can businesses do to ensure their websites comply? First, it is important to find out whether your website uses cookies. Also, consider whether you can avoid using cookies (the majority of business sites will likely be already using, or might want to use, cookies for the purpose of analytics).

Next, ensure your privacy policy mentions cookies, or if you don’t already have a policy, implement one as soon as possible.

Simply mentioning cookies in your terms may not be enough, because explicit rather than implicit permission is necessary for strict compliance, and for users to see your terms they would need to have loaded your website, and so may already have had a cookie placed on their device before being given the option to opt-in or out.

Under certain circumstances, the ICO suggests implied consent might be enough, provided a cookie-notice is displayed prominently, but this is a risky approach. Although the UK ICO is taking a pragmatic approach to implementation of the cookie rules, the changes are the result of European legislation, and other countries in the EU where the website is accessible might not be as lenient.

Every website is different, so businesses need to consider the best way for their particular site to inform visitors about their use of cookies, and obtain consent.

Unfortunately, it can be difficult to avoid spoiling the user experience for visitors who decline cookies. So it is important to work with web designers to develop an acceptable solution, and cookie consent should be a key design consideration if you are having a new site built. The Guardian recently updated their site with the below notice, but your site may merit a different approach:

The focus of the ICO is likely to be on big business, so it should necessarily be a significant concern if you have not yet addressed the changes on your site. This is especially true where you make judicious use of cookies, given that we expect smaller businesses to be targeted by the ICO only if they receive complaints. Still, this is not a good reason to ignore the issue.

Legal advice should be taken as early as possible, to ensure the solution for you works both from a legal and branding perspective, and avoids damage to reputation due to poor user experience. Similarly, you want to avoid investigation or sanction for a breach of rules designed to protect visitors.

Although in future compliance might be made easier by browser integration of cookie consent settings, for now a more creative solution is necessary.