On the 26th May 2012 the one-year ‘grace’ period ended for websites and their owners to comply with the revised Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May 2011 to address new EU requirements. The new requirements and ICO guidelines make it clear that organisations and companies in the UK must get permission to store cookies on users' computers. The aim is to protect the privacy of users and consumers. They can be found here.
So what is a cookie? Basically, it is a small piece of code that can remember information that can be used at a later date when the user visits the site again. This may be login details or preferences. Many websites use cookies for commercial reasons – to analyse user behaviour, remember payment details and gain statistical data.
The ICO put forward a practical and common-sense approach:
“If you have not started work on complying with these rules it is important to do so now. First steps should be to:
1. Check what type of cookies and similar technologies you use and how you use them.
3. Where you need consent – decide what solution to obtain consent will be best in your circumstances.”
The exact detail of the guidelines is complex and extended. But the take-home lesson is that website owners must make clear how they are using user data and make an effort to gain consent, except for exempted situations such as:
“For the sole purpose of carrying out the transmission of a communication over an electronic communications network; or where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.”
The first situation would include ecommerce websites, the second membership websites where the function of the website implicitly requires the collection of user data.
Another area of concern is the use of Google Analytics and other equivalent code to collect user activity data and statistics. The guidelines state:
“We do not consider analytical cookies to fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent. In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”