Cookie Law (Dwf 190511)
DWF E-Brief (May 2011)

The law on cookies is about to change – what every website owner needs to do

On 26 May 2011 the law on cookies is going to change.

The shift is small but potentially very significant: an opt-out approach was previously acceptable; now consent will be needed to each cookie from each end user.

The change is relevant to all but the simplest of websites; those seeking to ride the cusp of the impending behavioural advertising wave will be particularly affected.

Regrettably, full details have come very late in the day (the relevant regulations and guidance only came out earlier this month), so there is little time for businesses to adapt. As a result, the Information Commissioner's Office (ICO) is not expected to require 100% compliance on day one, but it has made it clear that it expects every website owner to be able to demonstrate what it is doing to comply in the event of a complaint.

We look at the steps your organisation will need to take.

Speed read

The new law covers all technologies that involve storing and accessing information on an end user's computer, not just cookies.

In order to comply with the new law you need to:

- Establish what cookies you store on end user machines (including those generated by third party software embedded in your site);
- Establish how, when and where you use those cookies and the data they generate;
- Identify who uses those cookies and such data, in particular any third parties;
- Risk assess your cookie usage and prioritise the ones you need to tackle first (i.e. those with the greatest privacy implications); and
- Decide what methods you are going to use to obtain "consent" (in doing so you will need to differentiate between different classes of end user, and between the relative privacy implications of your cookies).

The ICO recognises that obtaining consent is likely to be challenging in many cases.

The ICO has the power to (amongst other things) levy fines of up to £500,000 for breaches of the new law, and we would expect it to make examples of particular cases in due course.

You should stay alive to other legal implications when implementing any solution, for example new or increased use of personal data regulated by the Data Protection Act 1998.

Scope of the new law

It is worth pointing out at this stage that this note talks about cookies, but the new law is of wider effect. It applies to all technologies which involve storing information on an end user's computer for subsequent access. It therefore covers, for example, Adobe Flash's "locally stored objects" (otherwise known as "flash cookies"). Locally stored objects have been the cause of particular privacy concerns, as until relatively recently they could not be managed by any mainstream web browser, unlike "normal" HTTP cookies.

Step 1 - What cookies do you store on end user machines?

You may already have an exhaustive list, but if not an audit would be appropriate. Ultimately, you need to identify all files stored and accessed from time to time, without any exceptions. In practice that means looking at both the cookies your servers set in response headers and the cookies written by scripts running in the browser, since embedded third party tags usually work in the second way.

You need to consider cookies which enable end user functionality, but also those that power aspects otherwise hidden from users – e.g. those that track how they use your site.

Don't forget arrangements you have with third parties – e.g. if you run Google Analytics, or other third party advertising software, through your website. Such applications may generate cookies for which you are responsible. Check the terms of your related contracts and/or contact the relevant supplier in each case to ensure you understand the position in full. The ICO recognises this is a potentially thorny area given that some of these suppliers will be operating from other jurisdictions which apply different standards (e.g. the US), but there is no carve out for their activities in the new law.

Step 2 - How, when and where do you use those cookies, and the data they generate?

Amongst other things, you need to know the purpose for which each file is created, stored and accessed, when you access it, and what the implications would be for both you and the end user if you did not access it.

This question is particularly key because cookies and files which are "strictly necessary" for performing a service an end user has "explicitly requested" are exempt from the need for consent. No statutory definition of these terms has been given, but the ICO has confirmed it will interpret this exemption narrowly. One example would be a cookie to ensure selected goods are transferred into an electronic shopping basket and then to checkout on a shopping website because a customer wants to buy them. Each cookie will need to be assessed separately to see if it is "strictly necessary": if you have any doubts, we'd recommend erring on the side of caution because that is what the ICO is most likely to do.

Don't forget that the data created by the file is also significant – depending on its nature and purpose it may be personal data, the use of which is separately regulated by the Data Protection Act 1998.

Step 3 - Who uses those cookies and the resulting data?

Again this information needs to be obtained without exceptions. Third parties in particular need to be identified and explicitly flagged to end users.

Step 4 - Risk assess your usage and prioritise the cookies to tackle

The law is being changed to help address the growing privacy concerns over collection and usage of data relating to individuals' behaviour without them being aware this is going on.

However, the ICO tends to take a holistic approach and recognises that not all cookies stored on end user machines raise the same privacy concerns: some have more implications than others. With this in mind, and given the rushed timescale with which this change in law has been brought in, we'd suggest the following prioritised approach, ranking each cookie by its privacy implications against your functional or commercial need for it:

Priority  Privacy implications  Functional / commercial need
1         High                  High
2         High                  Low
3         Low                   High
4         Low                   Low

Step 5 - Decide how to obtain "consent"

First of all, it is worth restating that some (but not many) cookies may fall outside the requirement for consent because they are "strictly necessary" for you to provide a service "explicitly requested" by a user.

For all other cookies, you will need to obtain the end user's consent.

To date, the standard approach has been to include cookies as a topic in a website's privacy policy, with a link from each page or from the site's terms of use. This policy would set out some basic details of the cookies and leave the position at that.

For practical reasons, this approach on its own will not suffice under the new law if your use of cookies is anything other than vanilla and fundamental to the service your site provides. In particular, it is static and does not allow your site to deal with the consequences of consent being declined. Furthermore, it is increasingly open to challenge because it gives the sense of "burying the issue in the small print".

What you should be aiming for is an interactive page which seeks an "unambiguous, freely given, specific and informed indication" of an end user's wishes. This phrase really boils down to one concept: transparency. However, it is not the same as saying you must put a page in front of every end user that dryly goes on about all cookies and other technical terms en masse (although such a page would be useful for a person to check back to on occasion, in particular so as to vary his/her consents over time). The ICO guidance makes it clear that you can in effect seek "consent as you go" – highlighting the need for a cookie to access particular features and/or functionality when an end user first accesses them – a far more dynamic and less off-putting approach.

Consider the following:

- Differentiate between types of end users. For casual visitors to your site the existing privacy policy-only approach alluded to above will probably have to remain – its lack of intrusion means it will not drive away traffic – although it is very debatable whether this gives rise to any consent worthy of the name (e.g. if a casual user automatically receives a session cookie). To mitigate the risk of substantive complaints, the cookies such casual visitors receive should be the most vanilla possible, their numbers kept very low, and ideally only used to provide basic functionality. For registered users who access more functionality (and whose usage is probably more cookie intensive), far clearer means will certainly be required, managed through the log-on process.

- New users also have to be treated differently to existing users. For existing users, ideally you should not be relying on the position that has gone before unless this has been examined and is sufficient to constitute "consent". Any attempt to seek consent now may involve changing your terms and conditions of use. You will need to comply with any express right and/or the general law of contract in doing so.

- How do you want to display your information on cookies? As alluded to above, it would be sensible to maintain an up-to-date privacy policy page that an end user can refer back to, which outlines all cookies used on your site. Ideally this should be dynamic so an end user can see all their consents in one go, and vary them. This can be used in combination with other techniques though, such as pop-ups for new areas of functionality.

- How do you want an end user to actually convey consent? It will be hard to avoid the need for a tick box, "ok" or other acceptance button for any action in which a cookie or similar file having material privacy implications will be stored on an end user's machine. Once given, such consent would not have to be renewed periodically, provided the end user has the opportunity to change his/her mind, and the means of doing so have been flagged up.

- How much information do you need to provide for each cookie? The basic requirement remains unchanged in the new law. You have to give "clear and comprehensive information about the purposes of the storage of, or access to" each cookie. That said, a lot of privacy policies only touched upon cookies at the highest of levels, and it is open to question whether this is enough to create "unambiguous, freely given, specific and informed" consent. Furthermore, the ICO guidance on the changes suggests additional areas of information that are relevant. As a general rule, if in doubt, it is worth being more transparent. The more invasive the information being collected, the more information you should be giving. We would suggest best practice would involve providing the following for each cookie:

  o Whether it is a session cookie or a permanent cookie
  o Its purpose
  o What it will enable (and conversely what will be disabled without it)
  o Whether there is any other means of achieving the same end without that cookie
  o When and how often you will access it
  o Whether any third parties access it, and if so, who they are, where they access it from (plus the purpose(s) they use it for, and what it enables, if different to your position)
  o How an end user can change his/her mind regarding that cookie and remove it
  o What will happen to the information you obtain from the cookie (this strays into data protection law – see below)

  For ease of understanding, a standardised table or similar format would work well. Aim to convey the information simply, but accurately. Don't use technical terms and sweeping generalisations. If you want to use "consent as you go" features as well, this is fine, but make sure you do not scrimp on appropriate context (an obvious link to more information would be ok though).

- You may want to re-write your site in part to minimise its use of cookies and/or better track consents. This could be time consuming because it is likely to involve changes to all architectural layers, but could be beneficial down the line. Society (and the law) appears to be slowly moving towards better practices and more regulation in this area.

- Keep track of what your competitors are doing. Complying with best practice sooner rather than later may be a source of competitive advantage.

- Beware other legal implications. For example (and as mentioned above), by differentiating between individuals regarding cookies you may be straying into use of personal data, which is separately regulated by the Data Protection Act 1998. If you are not already up to speed on the obligations this Act imposes, you should seek legal advice.

- Watch this space. The ICO has still to issue its enforcement guidance, which should further clarify the position, and has intimated it may provide examples regarding particular types of cookies. Furthermore, keep track of general progress within the website industry and especially regarding browsers (see below). The entire EU is grappling with the same problem and it is likely that practice will converge towards an accepted form over time. It would not be surprising if we end up with pop-ups for cookies being downloaded, in the same way that browsers and security software presently ask if you want to download a file from a particular source and warn you of the risk of viruses etc.

Overall, as a rough litmus test it is worth bearing in mind that the "unambiguous consent" test to be used is only one, somewhat grey, step down from the "explicit consent" test to be applied when using sensitive personal data under the Data Protection Act 1998. Ask yourself: "Have we given nearly as much information to end users regarding our use of cookies, and taken almost as many steps to obtain their consent to that use, as we would have done if we were looking to collect and use details of their medical conditions / political beliefs / sex life / trade union membership?" If not, you have probably not done enough.

Use of browser settings

The government has engaged with the major browser developers with a view to adding functionality to allow cookies and similar files to be fully administered in accordance with the new law via an end user's browser. This remains work in progress though; most (if not all) browsers are not sufficiently sophisticated at present to enable consent to be inferred from their settings, and none has been approved by the ICO for the purpose of the new law.

Why doing nothing is not an option

We've touched upon the way in which society and the law are moving regarding issues of privacy. If that isn't enough of a reason, in line with the recent beefing up of its powers across the board, the ICO can (amongst other things) levy fines of up to £500,000 for breach of the new law. Furthermore, the ICO is increasingly looking to exercise its powers. We would not be surprised if it sought to make examples out of particular cases in due course, "pour encourager les autres".

That said, the ICO's normal approach is to seek binding undertakings to get entities to change their practices before using heavier sanctions. It recognises that "gaining consent will, in many cases, be a challenge". It has also gone on record to say (in essence) that it will be applying more of a softly-softly approach to begin with, given the relatively little time between the publication of the relevant regulations and guidance and the law coming into effect. UK business has some breathing space as a result, but should not be too complacent about what is coming down the road.

Robert Machin (Senior Solicitor)

© DWF LLP 2011
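As an added example (not part of the DWF brief, and not taken from the ICO guidance), the script below turns captured Set-Cookie response headers into the inventory that Step 1 asks for and the skeleton of the per-cookie table suggested under Step 5: it marks each cookie as session or persistent, computes its lifetime, and separates cookies set by your own hosts from those set by third parties. The sample capture, its hostnames, cookie names and expiry dates are all constructed; the site's registrable domain is passed in by the caller rather than looked up against the public suffix list, and the review ordering in triage() is an assumed heuristic, not an ICO rule. Cookies written by client-side script (document.cookie) never appear in response headers, so a capture like this still has to be paired with an in-browser check of any embedded third party tags.

```python
"""Cookie inventory from captured HTTP responses (added example, not DWF's)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Assumed capture time, fixed so that computed lifetimes are deterministic.
NOW = datetime(2011, 5, 26, tzinfo=timezone.utc)

# Constructed sample capture: (URL that returned the response, its Set-Cookie
# headers). In practice this would come from a proxy log or a HAR export.
CAPTURE = [
    ("https://shop.example.co.uk/basket", [
        "basket=9f2e; Path=/; Secure; HttpOnly",
        "lang=en-GB; Max-Age=31536000; Path=/",
    ]),
    ("https://shop.example.co.uk/login", [
        "remember_me=tok; Expires=Thu, 24 May 2012 00:00:00 GMT; Path=/; Secure; HttpOnly",
        "old_pref=; Max-Age=0; Path=/",
    ]),
    ("https://stats.tracker-example.net/collect", [
        "vid=abc123; Domain=.tracker-example.net; Expires=Sat, 25 May 2013 00:00:00 GMT",
    ]),
]


def same_site(host, site):
    """True if host is the site's registrable domain or a subdomain of it.
    The registrable domain is supplied by the caller (assumption: no public
    suffix list lookup is done here)."""
    host, site = host.lower(), site.lower()
    return host == site or host.endswith("." + site)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).
    Attribute names are lower-cased; valueless flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def lifetime(attrs, now=NOW):
    """Remaining lifetime as a timedelta, or None for a session cookie.
    Max-Age takes precedence over Expires (RFC 6265 section 5.3); an
    unparsable attribute is ignored, as a browser would ignore it."""
    max_age, expires = attrs.get("max-age"), attrs.get("expires")
    if isinstance(max_age, str):
        try:
            return timedelta(seconds=int(max_age))
        except ValueError:
            pass
    if isinstance(expires, str):
        try:
            return parsedate_to_datetime(expires) - now
        except (ValueError, TypeError):
            pass
    return None


def classify(site, capture, now=NOW):
    """One inventory record per Set-Cookie header in the capture."""
    records = []
    for url, headers in capture:
        host = urlsplit(url).hostname
        for header in headers:
            name, _value, attrs = parse_set_cookie(header)
            ttl = lifetime(attrs, now)
            dom = attrs.get("domain")
            records.append({
                "name": name,
                "set_by": host,
                "domain": dom.lstrip(".") if isinstance(dom, str) else host,
                "first_party": same_site(host, site),
                "kind": ("session" if ttl is None
                         else "deleted" if ttl <= timedelta(0)
                         else "persistent"),
                "days": None if ttl is None else round(ttl.total_seconds() / 86400),
                "secure": attrs.get("secure") is True,
                "httponly": attrs.get("httponly") is True,
            })
    return records


def triage(records):
    """Order for review, most privacy-sensitive first (an assumed heuristic):
    third-party before first-party, persistent before session, longer-lived
    first. Cookies being deleted (Max-Age=0) drop to the end."""
    rank = {"persistent": 0, "session": 1, "deleted": 2}
    return sorted(records, key=lambda r: (r["first_party"], rank[r["kind"]], -(r["days"] or 0)))


def render_table(records):
    """Tab-separated skeleton of the Step 5 table; purpose, third-party
    recipients and the opt-out route are added by hand afterwards."""
    cols = ("name", "domain", "first_party", "kind", "days", "secure", "httponly")
    lines = ["\t".join(cols)]
    lines.extend("\t".join(str(r[c]) for c in cols) for r in records)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(triage(classify("example.co.uk", CAPTURE))))
```

Run against a real capture, the output is only the mechanical half of the audit: whether a cookie is "strictly necessary", what it is for and who downstream receives its data are judgements the script cannot make, which is why those columns are left to be filled in by hand.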