
Cookies and compliance: Has your website taken these six steps?

With a European Union deadline approaching for websites to obtain opt-in consent for cookies, businesses should be putting measures in place now to ensure they are compliant.


Across the EU, the law relating to the use and storage of cookies on computers and mobile devices changed on 25 May 2011. The new law requires that opt-in consent to use or store cookies is obtained from website users - rather than the opt-out that was previously the case.

The implementation of the new law varies across EU member states, depending on how individual countries have interpreted the directive. DLA Piper has published a summary of how the law has been implemented across the EU.

UK implementation of the Directive

The UK has adopted a strict interpretation for implementing the E-Privacy Directive into national law. The approach adopted means website operators that store or use cookies are required to obtain prior express opt-in consent from the user or subscriber.

The Information Commissioner (ICO), the UK's data protection regulator, has given businesses until 25 May 2012 to comply. Failure to comply could not only mean reputational damage, but also fines of up to £500,000 ($800,000).

Cookie compliance guidance

The ICO has provided a number of guidance notes to assist with compliance with the UK law. On 13 December the ICO published its most recent guidance, which sets out the rules on use of cookies. To the disappointment of many website operators, the ICO emphasised that the changes are not going to go away.

So here are six steps that website owners should consider taking:

1. Check the types of cookies you use and how you use them

Identify the types of cookies and similar technologies used by your websites. You should note the name of the cookie, the duration of the cookie - for example, a single session, 24 hours or one year - whether it is first or third party, the domain to which it relates, and the purpose of the cookie.

2. Determine the intrusiveness of the cookies

Next, you should look at the purpose of the cookie and the information that it stores or collects. To be compliant with the law, the more intrusive the cookie, the higher the obligation to notify what it collects.

For example, a website that uses only analytics cookies - such as those set by Google Analytics - will be low on the enforcement agenda of the UK's ICO, compared with a website that uses more intrusive tracking and monitoring cookies.

3. Is consent needed?

The law includes an exception to the opt-in consent requirement, where the cookie is "strictly necessary" for the service requested by the user.

But this condition is narrowly interpreted: it will apply only to things such as shopping basket-related cookies, and will not cover cookies used for analytics purposes. You should assess whether the narrow "strictly necessary" exemption applies.

4. Consider the best solution for obtaining consent where required

Once you have identified and understand the nature of cookies being used, you should consider which mechanism to obtain consent would be best for your website.

The options suggested by the ICO include pop-ups, terms and conditions, settings-led consent, and features-led consent. There is no universal approach to consent, so managers, the tech team and legal advisers will have to determine the best approach.

5. Update your privacy policy

The law requires you to give the user "clear and comprehensive" information about the purposes of the cookies. This requirement means you will need to update your privacy policy and include comprehensive information about your use of cookies. You may have to provide a stand-alone cookie notice, depending on the types of cookie used by your website.

6. Check your agreement with third parties

One of the key issues for many websites is the use of third-party cookies, which often go under the radar in cookie audits. In your agreement with third-party service providers - such as advertising agencies, affiliates and marketing companies - you should think about including an obligation to assist you with compliance with the new law, and also provide you with detailed information about any third-party cookies that they control.
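A cookie inventory helper covering steps 1 and 6 (name, lifetime, domain, first- or third-party), added here as an illustrative example and not code from the article or from DLA Piper. It assumes a constructed site host and constructed Set-Cookie headers, and leaves the purpose field to the auditor because headers do not state it.

```python
# Added example: build the cookie audit record that step 1 asks for, from
# Set-Cookie headers, and flag third-party cookies for the step 6 review.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

SITE_HOST = "www.example.co.uk"                   # assumed site under audit
NOW = datetime(2012, 5, 1, tzinfo=timezone.utc)    # fixed clock for lifetimes


def is_same_site(cookie_domain, site_host):
    """First party when the cookie domain is the site host or a parent of it."""
    d = cookie_domain.lstrip(".").lower()
    return site_host == d or site_host.endswith("." + d)


def audit_cookie(response_url, set_cookie, site_host=SITE_HOST, now=NOW):
    """Return one inventory row: name, domain, lifetime in seconds, party."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:                     # Path=/, Max-Age=..., HttpOnly, ...
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    host = urlsplit(response_url).hostname or ""
    domain = attrs.get("domain", host)      # no Domain attribute -> host-only
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        lifetime = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    else:
        lifetime = None                     # session cookie: gone when browser closes
    return {"name": name, "domain": domain.lstrip("."),
            "lifetime_seconds": lifetime,
            "party": "first" if is_same_site(domain, site_host) else "third",
            "purpose": "TODO: record during audit"}


# Constructed sample responses: (URL that set the cookie, Set-Cookie header)
SAMPLE = [
    ("https://www.example.co.uk/", "sessionid=abc123; Path=/; HttpOnly"),
    ("https://www.example.co.uk/", "basket=xyz; Max-Age=86400; Path=/"),
    ("https://www.example.co.uk/",
     "_ga=GA1.2.1; Expires=Wed, 01 May 2013 00:00:00 GMT; Domain=.example.co.uk"),
    ("https://ads.tracker.example/pixel", "uid=42; Max-Age=31536000; Domain=.tracker.example"),
]


def audit_all(samples=SAMPLE):
    return [audit_cookie(url, header) for url, header in samples]
```

Rows with `party == "third"` are the ones to raise with the provider under step 6; lifetimes of a year or more deserve a closer look at purpose in step 2.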

In the UK, businesses have until 25 May 2012 to ensure they have a solution in place. Adopting a wait-and-see approach will not be enough to protect them from enforcement risks.

About

Paul McCormack is a solicitor in the Intellectual Property and Technology group at law firm DLA Piper.

1 comment

cougar.b:

Google is not a UK company, but any UK company that uses Google Analytics must comply, though the article says that Google Analytics is low priority for enforcement in the UK. So Google as a company has a business reason for having EU compliant options available for EU businesses. However, this European law will affect more than just that. Marketing companies that provide opt-in incentives to users are the ones that will get used in Europe. European marketing companies may have a leg up in Europe, but they could conceivably find a way to extend their opt-in options elsewhere, thus gaining credibility with users. Businesses around the world will eventually want to have the same credibility as European businesses. European companies may find that the restrictions on their use of tracking cookies make them less competitive. So they may ask Google to provide a flag to distinguish EU companies--much like the site report for safe browsing that some antivirus programs place onto our Google searches. If this happens, businesses around the world will begin to see and sometimes use the EU options. I personally use NoScript for all my browsing, but a lot of people are not sensitized to the issues of privacy that tracking cookies raise. The EU rules will sensitize a much larger percentage of the world to these issues, just like IWS sensitized the whole world to the excesses of the 1 percent. I think that the European rules are going to change everything for everyone, though it may take some time to filter down to you and me.