The Cookie Law: An update
Back in March we published an article regarding the new Privacy and Electronic Communications Regulations, referred to more commonly as “The Cookie Law”. The Cookie Law is a set of regulations being developed by the Information Commissioner’s Office (ICO) in the UK, and although it comes into force on the 26th May (this Saturday), details of what this means for website owners is still to become clear.
What’s a cookie? What’s the law? Does this affect my website? What Next?
If the Privacy and Electronic Communications Regulations are new to you, you’ll probably want to read our last article introducing the regulations and then come back to this one.
What’s the latest on the Cookie Law?
We’ve been keeping an eye on this topic, specifically trying to spot new & useful information from authoritative sources. These articles may be of interest:
1. It’s not about cookies, it’s about privacy – an article from the Government Digital Service who look after websites like direct.gov.uk & number10.gov.uk. It looks at the subject with some common sense and raises an interesting point that focussing on cookies may push sites into tracking users in other ways; using ‘super cookie’ methods that the user cannot detect or control/disable in the way they can with standard cookies, which would be more intrusive.
Interestingly the GDS has taken a stance that cookies such as those used by Google Analytics are ‘minimally intrusive’ and (most importantly) ‘essential’ – which is a different line to the ICO. There’s a link to a PDF with guidelines at the end for government departments and other public sector bodies:
“Use of web-analytics/metrics: The use of metrics are integral are to departments’ being able to provide the best possible user experience in order to encourage citizens to use more cost-effective channels for accessing government services. They also allow departments to assess and demonstrate whether the digital services they offer provide “value-for-money” as demonstrated by the recent National Audit Office (NAO) report.
Consequently, collecting these metrics are essential to the effective operation of government websites, at present the setting of cookies is the most effective way of doing this. The ICO guidance supports this view as it states ‘…it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action'”
2. EU cookie legislation – a look at some of the implementations – written by one of the Information Commissioner’s Office Technology Reference Panel:
“First of all the 27th May deadline for implementing the legislation is more a marker for ICO – not a hard date. This means that from this time the ICO will start looking at the subject more closely.
In the meantime in the run up to the end of May the ICO will publish information for individuals to allow them to raise concern via the ICO website. Note the ICO has not had much activity on the complaints front in last 12 months.
They will also be making it clear that on an individual level it is unlikely that ICO will pursue 1 cookie on 1 web page
The ICO can’t audit every UK website but can look at trends or patterns – e.g. if many issues raised about specific types of cookie
The ICO will also be issuing a clarification of its line on analytics cookies – these are not exempt from the law”
As yet the ICO haven’t published any further guidelines through its website, although they have been making comments through the media:
3. Lack of single EU approach to cookies enforcement would cause problems for cross-border businesses, expert says – David Smith is the Deputy Commissioner with responsibility for the Data Protection supervisory functions of the ICO, whilst David Evans is the ICO’s strategic liaison group manager for business and industry:
“David Smith said that people should not expect the end of the ICO’s moratorium deadline “to launch a torrent of enforcement action.” He indicated that firms that have at least begun a cookie audit will not immediately face enforcement action. Some companies that use thousands of cookies have taken “most of this year to work out what cookies they have,” Smith added.
The ICO will be keen to talk to companies that do not comply with the consent requirements for serving cookies to find out more about their practices before any infringement notices are served, Smith said. He added that companies would get a chance to respond to such notices before the ICO would make any later decision on whether to fine those firms over the activity.
David Evans also told Out-Law.com how website operators can generally avoid enforcement action when serving cookies stemming from the use of Google Analytics. ‘It is technically a first-party cookie if you are using Google Analytics,” Evans said. “If you explain your cookies and say ‘here’s the tool Google’s got and where to find it’ that is unlikely to prick our ears up in enforcement.’
David Smith said that the ICO is set to write to 50 organisations to ask them what they have been doing to obtain consent to cookies on their websites. Those bodies include Government departments and major businesses, he said.”
“We know that not every website can just switch its website off on May 25 and implement changes. We will bear redesign schedules in mind. There’s no point in rushing through a solution if a revamp is coming soon anyway.”
So what’s next for website owners?
In March we were unsure about how Google & the ICO were going to approach the cookies set by Google Analytics and similar products. Neither Google or the ICO have offered specific guidance yet, but strictly speaking the law does state that “Cookies used for analytical purposes” are “unlikely to fall within the exception” however, looking again at the first link referred to in this article, even the government’s own digital department consider analytical cookies ‘essential’ (and so exempt from the law) on the basis that the cookies “allow departments to assess and demonstrate whether the digital services they offer provide value-for-money”. It’s worth noting that the site direct.gov.uk uses Google Analytics, so can be used as a good example to follow if they make changes (they haven’t yet).
In terms of action, a few things have become clear:
- There’s no need for any knee-jerk changes to websites. Even in the worst cases where websites severely invade visitors privacy, the ICO will be taking a ‘softly softly’ approach and their first step will be to write to the website owners (rather than taking legal action).
- The ICO will continue to develop and issue its guidelines on the Privacy and Electronic Communications Regulations, so do keep an eye on their website. We’ll maintain updates via our blog too.
Guidance on this regulation seems to be distributed through the media at the moment, rather than via official channels. From the last excerpt from the third link (published 21 May) it would seem that the ICO are still getting this straight at their end too, allowing the big online players to set an example.