In May 2011, changes to UK law required website owners to obtain active consent from website users before setting ‘cookies’ and similar technologies onto their computers. The law is regulated and enforced by the Information Commissioner’s Office (ICO).
Early reports from the ICO suggest website owners need to try harder. For those still unsure of what this entails, Gary Hopkins, a lawyer in Farrer & Co’s intellectual property team, offers the following advice:
What are cookies and why does this matter to media organisations?
Cookies are small files downloaded onto a user’s computer when accessing a website which allow the website to ‘remember’ information about the user. They can be used to track the number of unique website visitors, personalise the user’s browsing experience, preferences or purchases, or enable website functionality, security, or online behavioural advertising (OBA).
How to comply?
The ICO has issued detailed guidance with practical examples of what ‘consent’ means in practice and answers to numerous FAQs (including the million dollar question: “what happens if I do nothing and wait for it all to go away?”). Some clear messages emerging from the report and the new guidance are as follows:
Know your enemy
Find out what cookies are in use on your website (the ICO recommends an ‘audit’). If the only person who knows this is your web developer, it’s time to ask them some searching questions.
…and talk to your friends
Compare notes on compliance with others in the same sector and ask ‘if they can do it, why can’t you?’ (Although claiming safety in numbers in a group of non-compliant companies is unlikely to work!)
Cookie information should be clear
There is a legal requirement to provide information about cookies and website owners should make this relatively prominent. Burying information in a Privacy Policy or website T&Cs with a link at the bottom of the webpage may no longer be enough.
…but not exhaustive
A general description of ‘the types of things’ different cookies do on a website may even be more helpful to users than an exhaustive list of cookies.
All cookies are not created equal
A failure to obtain consent to particularly intrusive cookies (e.g. those which help to build ‘profiles’ about identifiable users, or ‘persistent’ cookies which enable OBA) will be prioritised for ICO enforcement action; whilst ‘analytical’ cookies (e.g. Google Analytics) will not, provided the user is properly informed about them.
Consent doesn’t have to mean pop-ups
The user has to understand how cookies will be used and must have done something active to agree to them, such as actively signing up for a service where the Ts&Cs contain clear information about cookies, or accessing content or making choices in the clear understanding this will result in cookies being set.
Effort is (almost) everything
Website owners who can show they have made some effort to comply will, it seems, be given the opportunity to improve even if they get it wrong, but those who do nothing will be first in line for ICO enforcement action.
And for those wondering how the regulator answered that ‘million dollar question’, the ICO has this message: “This isn’t going to go away. It’s the law!”
The ICO’s enforcement powers
Theoretically, the ICO has the power to issue monetary penalties of up to £500,000 for breaches of this new law. Although we won’t see many of those, naming and shaming of organisations which fail to comply (e.g. via ‘undertakings’ published on the ICO website) seems much more probable. Media organisations wanting to avoid the wrong kind of publicity may be well-advised to act now and involve their webmasters, communications and IT staff, or risk being exposed as bottom of the class for internet privacy.
Gary Hopkins is a professional support lawyer in the IP & Commercial team of Farrer & Co, which provides advice on the creation, protection and commercialisation of intellectual property rights.