The law in respect of cookies will change on 26 May, when users will need to be provided with an opportunity to give their consent prior to having cookies downloaded onto their machines. However, there is no guidance in the amended E-Privacy regulations as to exactly how “consent” should be given. The Government has left that remit with the ICO, and, as its latest briefing highlights, there is no clear-cut method of ensuring compliance. Simon Halberstam, Technology law partner at Kingsley Napley, provides the following guidance.
Non-compliance
Should a UK-based web manager make no overt changes to its website on the morning of 26th May, it will not automatically be liable to a fine from the ICO, as the ICO recognises that implementation of the new law will need to be phased. However, what all web managers need to be doing now is considering options towards achieving compliance and setting out a plan to that end. If the ICO were to make any enquiries into a website shortly after the 26th May, a response explaining the preparatory steps might well be enough to avoid any sanctions. However, making no changes to one’s website and being unable to demonstrate any consideration of implementation methods could lead to sanctions from the ICO.
What needs to be done now
Web managers in the UK should therefore be doing the following:
· Ascertaining what type of cookies are used by their sites and how they are downloaded onto users’ machines (effectively a “cookie audit”).
· Deciding on which method(s) of obtaining consent is/are best for their website, given the cookie audit.
· Recording the cookie audit and implementation methods in an easily digestible form should the ICO ever investigate the site during this transitional period.
Suggested methods of implementation
The list is non-exhaustive and will doubtless get longer, but here are a few options which have been suggested to procure user consent before cookies are downloaded:
· Pop-ups each time a cookie is to be downloaded onto a user’s machine.
· Having in place a privacy policy setting out the site’s use of cookies, the terms of which a user must positively agree to upon visiting the site (i.e. via a tick box).
· Settings and feature-led consent. If cookies are downloaded when a user does something, e.g. watches a video or personalises the site, the user’s consent is obtained prior to that action.
In the future, consent will be provided through users’ web browsers and the Government is currently working with the major browser manufacturers to this end.
Web managers should be reminded that where the use of cookies is “strictly necessary” for the disclosed central purpose of the site, the end user’s consent to their deployment is not needed. The most common situation in which this applies will be where a website remembers the contents of a user’s shopping basket as the user navigates the site.
The ICO will be drafting further advice on the new law in the near future, potentially including further suggested methods of compliance and how and when it intends to begin enforcing the regulations.
This guidance note has been provided by Simon Halberstam, Technology law partner at Kingsley Napley LLP. For further information contact him on 00 44 207 814 1258 or by email to [email protected]