The United Kingdom’s Information Commissioner’s Office (ICO) has published an “advice” that explains the new rule for the use of cookie technologies for websites and mobile applications that are subject to the UK laws. As of May 26, 2011, companies will no longer be permitted to rely on consent implied from browser settings. They must obtain the user’s prior affirmative consent to the use of most cookies.
The ICO’s Advice invites companies to promptly conduct an audit of their practices, assess the different types of cookies to determine how intrusive they may be, and identify workable solutions to obtain users’ consent. The ICO makes it clear that it expects companies to come up with a plan of action that shows that they have considered their obligations and that they have a realistic plan to respond to the new requirements and achieve compliance.
According to the ICO’s press release, this Advice was published in order to prompt organizations to start thinking about the practical steps that they need to take to respond to this new requirement. The ICO intends to provide additional guidance as innovative ways to acquire users’ consent are developed.
The New Rule, in Brief
Businesses and other entities will be permitted to use cookie technologies only if the user of the site or application (a) has received clear and comprehensive information about the purpose for the cookie in question; and (b) has given his or her consent to the use of the cookie. Once a user has consented to the use of a particular cookie, there is no need to ask permission each time the website needs to access that cookie. Cookies that are “strictly necessary” for the service requested by the user are not subject to the prior consent requirement.
The new rule requires that website obtain informed, affirmative consent to the use of almost any cookies that it would wish to install on a user’s machine or mobile device. The restriction applies both to the installation of the cookie and the subsequent access to the information stored on the cookie. Except for a small category of cookies that are “strictly necessary” for the proper operation of a site, or for providing a service requested by the user, such as shopping-cart type feature, all other cookies, including those that are used for analytics purposes require prior specific consent. Of course, flash cookies are also subject to the notice and consent requirement.
Until browser technology has made progress, it will not longer be possible to rely on browser setting as a method to show user’s consent. Even though the rule allows consent to be signified by the users amending or setting controls on their browsers, the ICO’s Advice clearly states that given the current state of technology, using browser settings is NOT a satisfactory method for expressing consent. The ICO’s Advice discusses several methods that might be used to implement the notice and consent requirement.
The ICO envisions a sliding-scale approach, where the cookies that have the potential to be the most intrusive require the most specific and detailed notice. The ICO also suggests a tailored approach as opposed to the “one-size-fits-all” approach, commonly used currently in website privacy policies. The different models for expressing consent proposed by the ICO tend to be specific to a particular type of cookies, and the particular circumstances of its use.
The Basic Requirement
The previous rule on using cookies by UK entities - which was set out in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) - required that users be informed about the existence of cookies, and be given the opportunity to refuse the storage of, or access to, the cookie information stored on their computers. Most companies provided the relevant information in their website privacy statement, and informed their users that, by changing their browser settings, they could arrange to block cookies.
- Repeated uses: The consent need not be given each time. Under the new rule, if the same information is stored or accessed by the same entity, regarding the same user, on more than one occasion, the consent need to be obtained only once.
- Transmission of communications: Notice and consent are not required for a limited number of cookie categories. Cookies that are required for the sole purpose of carrying out the transmission of communications over an electronic networks are exempt from the notice and consent requirement.
- Cookies that are “strictly necessary” : Cookies that are “strictly necessary” for the provision of a service requested by the user are also exempt from the notice and consent requirement. According to the ICO’s Advice, “strictly necessary” means that the use of the cookie must relate to the service explicitly requested by the user. The exception is narrow. It would apply, for example, to a cookie that is used in ecommerce applications when a user has selected goods to purchase and clicks the ‘add to basket’ or ‘proceed to checkout’ button, to ensure that the site remembers what was chosen, and post the information on the check-out page. On the other hand, as explained by the ICO, the exception would not apply, for example, to cookies used to track users to make the website more attractive because it remembers the users’ preferences, or cookies are used to collect statistical information about the use of the website.
Browser Settings Not An Approved Method
The rule allows consent to be signified by the user amending or setting controls on his or her browser, or by using another application or program to signify consent. However, the ICO does not agree that using browser settings is currently a satisfactory method to express consent.
How to Implement the New Rule
The ICO anticipates a phased approach to the implementation of these changes, and recommends that companies use the following steps:
- Identify what types of cookies are used and why: Companies should conduct an audit of their website to determine what cookies or data files are used and for which purposes. This would allow identifying which cookies are strictly necessary and might not need consent.
- Assess how intrusive these cookies are: The most intrusive cookies should be addressed first. For example, cookies that involve creating detailed profiles of an individual’s browsing activity are intrusive – the more privacy intrusive an activity, the more priority should be given to getting meaningful consent.
- Identify the best solution for obtaining consent: For each category of cookies or uses, the best method for gaining consent should be identified. The most privacy intrusive activities will require that the most information be provided to the user.
Suggested Methods for Obtaining Consent
The ICO’s Advice provides a detailed analysis of the different methods available to obtain the user’s consent. It recommends more specific, targeted approach. Cookies used for analytics purposes and cookies shared with third parties are likely to cause the most significant problems.
1 - Pop ups and similar techniques
Pop-ups may be used to ask for consent. However, this practice may be annoying if numerous cookies are used. Thus, the ICO cautions that the use pop ups or ‘splash pages’ may become frustrating if too frequent.
2 - Terms and conditions
3 - Settings-led consent
Some cookies are deployed when a user chooses how the site works for them each time they visit the site; for example, a particular language, the size of the text displayed on the screen, the color scheme, or a “personalized greeting”.
In these cases, consent could be gained as part of the process by which the user confirms what she wants to do or how she wants the site to work. At that time, the user should be told that by allowing the website to remember her choice, she is also consenting to set the cookie.
4 - Feature-led consent
In the same manner as above where the user conducts a specific activity, there are circumstances were tracking technologies are stored when a user chooses to use a particular feature of the site such as watching a video clip, or when the site remembers what the user did on previous visits, in order to personalize the content that the user is served.
In these cases, the user is often invited to open a link, click a button or agree to the functionality being ‘switched on’. The ICO suggests to ask for the user’s consent to set a cookie at this point.
As for prior example, it should be made clear to the user that by choosing to take a particular action, certain things will happen that will be interpreted as the user’s consent. If the anticipated use of tracking technology is complex or intrusive, it will be important to provide more specific information. In particular, as discussed below, users should be told whether some features are provided by a third party.
5 - Analytics and other functional uses
Many websites collect information about access to, and use of the site, and time spent on a page. While the ICO acknowledges that cookies used for analytics purposes might not appear to be as intrusive as others that might track a user across multiple sites, it nevertheless requires consent.
In this case, the ICO’s Advice suggests that companies should make information about the use of analytics cookies more prominent, particularly in the period immediately following implementation of the new Regulations. In addition, the ICO also suggests that website should give more details about the use of these cookies, such as a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.
If the information collected about website use is passed to a third party this information sharing must be made absolutely clear to the user. Any options available should be prominently displayed and not hidden away.
6 - Third party cookies
Finally, the ICO’s Advice addresses the use of third party cookies. When a website displays content from a third party from an advertising network or a streaming video service, this third party may send its own cookies to the user. While the process of obtaining consent for these cookies may be more complex, the ICO opines that nevertheless the user must be made aware of what is being collected and by whom. This is a challenging area for which the ICO expects that more research will be needed to find workable solutions.
How about the Remainder of the European Union?
It is highly likely that the ICO’s Advice will serve as guidance or a model to other data protection authorities who have been facing the same issues and need to implement the 2009 Amendment into their national laws. Thus companies that may not be subject to the UK laws, but otherwise do business in the European Union should read and understand the ICO’s Advice, as a way to prepare for their obligations to comply with the national laws of the countries where they operate.
The amendment to the UK rules comes into force on 26 May 2011. As a result of the implementation of this amendment into the UK laws, companies that operate websites in the UK must obtain informed consent from visitors to their websites and mobile applications in order to store and retrieve information on users’ computers through cookies or similar tracking technologies. Companies must provide clear and comprehensive information about the purpose for each cookie; and obtain the prior explicit consent to the use of the cookie. Until browser technology has made progress, browser settings can no longer be used as a method for expressing consent. While the ICO envisions a “sliding scale” approach, where the cookies that have the potential to be the most intrusive require the most specific and detailed notice, it also expects companies to delve promptly into implementation of the rule.
At a minimum, companies should promptly update their website privacy statements to clearly and conspicuously explain how cookies are used. In a second phase, companies should conduct an audit of their practices, assess the different types of cookies to determine how intrusive they may be, and identify workable solutions to obtain the requested consent.
The ICO has indicated clearly that it intends to enforce the new rule. While it concedes that full implementation will take time, the ICO wants companies to make every effort to start working on their use of cookie, and be prepared to provide tangible proof of their efforts to comply with the new rules.