Across the EU, the law relating to the use and storage of cookies on computers and mobile devices changed on 25 May 2011. The new law requires that opt-in consent to use or store cookies is obtained from website users - rather than the opt-out that was previously the case.
The implementation of the new law varies across EU member states, depending on how individual countries have interpreted the directive. DLA Piper has published a summary of how the law has been implemented across the EU.
UK implementation of the Directive
The Information Commissioner (ICO), the UK’s data protection regulator, has given businesses until 25 May 2012 to comply. Failure to comply could not only mean reputational damage, but also fines of up to £500,000 ($800,000).
Cookie compliance guidance
So here are six steps that website owners should consider taking:
1. Check the types of cookies you use and how you use them
Identify the types of cookies and similar technologies used by your websites. You should note the name of the cookie, the duration of the cookie - for example, a single session, 24 hours or one year - whether it is first or third party, the domain to which it relates, and the purpose of the cookie.
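A first cut at the inventory this step describes, as an added example that is not from the original article: it parses the Set-Cookie headers a site sends and records, for each cookie, its name, its domain, whether it is first- or third-party relative to the audited site, and the lifetime bucket (session, up to 24 hours, up to one year, longer). The site, cookie names and third-party domain are constructed sample data; the cookie's purpose still has to be filled in by hand.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Constructed sample (hypothetical site, cookie names and third-party domain):
SITE_DOMAIN = "example.org"
AUDIT_TIME = datetime(2012, 1, 1, tzinfo=timezone.utc)  # reference "now" for Expires
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "basket=item42; Path=/; Max-Age=86400; Domain=.example.org",
    "_ga=GA1.2.111; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Domain=.example.org",
    "adtrack=xyz; Max-Age=31536000; Domain=.ads-network.example",
]

def parse_set_cookie(header):
    # Return (cookie name, {lowercased attribute: value}) for one Set-Cookie header.
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in attr_parts:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name_value.partition("=")[0].strip(), attrs

def lifetime_seconds(attrs, now):
    """Remaining lifetime in seconds, or None for a session cookie.
    Per RFC 6265 a Max-Age attribute takes precedence over Expires."""
    if "max-age" in attrs:
        return max(0, int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None: expires = expires.replace(tzinfo=timezone.utc)  # "-0000" parses naive
        return max(0, int((expires - now).total_seconds()))
    return None

def lifetime_label(seconds):
    # Bucket a lifetime the way the audit records it: session, a day, a year, longer.
    if seconds is None:
        return "session"
    return ("up to 24 hours" if seconds <= 86400
            else "up to one year" if seconds <= 365 * 86400 else "over one year")

def audit_cookies(headers, site_domain=SITE_DOMAIN, now=AUDIT_TIME):
    """Build the step 1 inventory: name, duration, first/third party and domain.
    A cookie is first-party when its domain is the site or a parent/child of it."""
    site, inventory = site_domain.lower(), []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", site).lstrip(".").lower()  # no Domain -> host-only
        first = domain == site or domain.endswith("." + site) or site.endswith("." + domain)
        inventory.append({"name": name, "domain": domain,
                          "party": "first-party" if first else "third-party",
                          "duration": lifetime_label(lifetime_seconds(attrs, now))})
    return inventory
```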
2. Determine the intrusiveness of the cookies
Next, you should look at the purpose of the cookie and the information that it stores or collects. To be compliant with the law, the more intrusive the cookie, the higher the obligation to tell users what it collects.
For example, a website that uses only analytics cookies - such as those set by Google Analytics - will be low on the enforcement agenda of the UK’s ICO compared with a website that uses more intrusive tracking and monitoring cookies.
3. Is consent needed?
The law includes an exception to the opt-in consent requirement, where the cookie is “strictly necessary” for the service requested by the user.
This exemption is narrowly interpreted: it covers things such as shopping-basket cookies, but not cookies used for analytics purposes. You should assess whether the narrow “strictly necessary” exemption applies.
4. Consider the best solution for obtaining consent where required
Once you have identified the cookies in use and understand their nature, you should consider which consent mechanism would best suit your website.
The options suggested by the ICO include pop-ups, terms and conditions, settings-led consent, and features-led consent. There is no universal approach to consent, so managers, the tech team and legal advisers will have to determine the best approach.
6. Check your agreement with third parties
One of the key issues for many websites is the use of third-party cookies, which often go under the radar in cookie audits. In your agreements with third-party service providers - such as advertising agencies, affiliates and marketing companies - consider including an obligation on them to assist you with compliance with the new law and to provide you with detailed information about any third-party cookies they control.
In the UK, businesses have until 25 May 2012 to ensure they have a solution in place. Adopting a wait-and-see approach will not be enough to protect them from enforcement risks.