EU cookie law

Moore know how: Don’t be afraid of the cookie monster?


EU Cookie Law (e-Privacy Directive)

We keep being asked questions about cookies so we thought we would use this space to provide a little update on recent developments in this sphere.

The law which applies to how you use cookies and similar technologies for storing information on a user’s equipment, such as their computer or mobile device, changed back in May 2011, but people have been in a state of confusion about it ever since. A vocal and influential minority has derided the Cookie law requirements as “so self-evident as to be stating the bleeding obvious”. It has therefore been a cause for celebration that, as has been widely reported in recent months, the “Cookie laws are crumbling”. However, the reality is that the Cookie Monster is far from dead, but he does seem to be getting less scary! Indeed, the latest guidance provided by the Information Commissioner’s Office appears to some extent to relax the hoops you have to go through to show that the requisite consent has been obtained.

Taking a step back, the information you are required to provide users with in order to use cookies can be broadly summarised as follows: cookies or similar devices can only be used if the subscriber or user of the relevant terminal equipment:

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

In relation to (a), the regulations are not prescriptive about the sort of information that should be provided, but the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so.

In relation to (b), the big question that has arisen is around the sufficiency of “implied consent” and what that looks like now. The latest amendments and guidance on this regulation have now clarified that implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies. If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent. You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand. In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

What should you do next?

  • Review your website systems – what cookies is your business using?
  • Check your privacy policy and if necessary, extend it to include the required disclosures about any cookies you are using.
  • Decide on how best to obtain the requisite consent from your users/subscribers.

Depending on the type of cookies and information you are gathering, a good starting point for those of you wishing to adopt an implied consent approach is to check out the Information Commissioner’s Office website’s consent system: all their visitors are greeted with a prominent banner notice advising that cookies are being used. This links through to more detailed information, which categorises the different uses of cookies and lists the cookie IDs. Users are then given the ability to refuse the acceptance of cookies, and block them for future visits in one simple click.

Breach of data privacy laws can carry penalty fines of up to £500,000 for the most serious or persistent breaches. So, if you have any queries about the issues raised in this article or want help ensuring that your privacy policy and cookies practices are legally compliant, then please contact us.

Credit: This article contains materials provided by the Information Commissioner’s Office.