Online Privacy: How to Comply with the New EC Law on Cookies

Last week, the provisions of the Electronic Communications (EC Directive) Regulations 2003 which govern websites’ use of cookies came into force in the UK. However, very few websites are currently compliant. Simon Halberstam, head of IT law at Kingsley Napley LLP, offers advice to IT companies on how to handle the new regulations.

The new law requires websites to gain explicit user consent to receive a cookie prior to deployment. A website hosted outside the UK is likely to fall within the ambit of the regulations if:

  • The organization which owns the website is based in the UK; or

  • The website itself is targeted at the European market; or

  • Products and services are provided from the website to customers predominantly based in Europe.


A fine of up to £500,000 could be imposed for the most serious breaches. Organizations dropping cookies which focus on gathering users’ personal information will be the main focus for enforcement.

What Should You Do Now?

Web managers in the UK should be:

  1. Ascertaining what types of cookies are used by their websites and how they are downloaded onto users’ machines (effectively a “cookie audit”),

  2. Gauging the likelihood of existing cookies’ fitting within the “provision of service” exemption,

  3. Deciding on which method(s) of obtaining consent to cookies are best for their website, given the results of the cookie audit, and

  4. Recording the cookie audit and implementation methods in an easily digestible form, lest the information commissioner investigate the site.


Suggested Methods of Implementation

Below are a few options which have been suggested to procure user consent before cookies are downloaded. Please note that consent only needs to be provided by a user the first time each type of cookie (used for the same purpose) is downloaded onto their machine:

  • Pop-ups each time a new type of cookie is to be downloaded onto a user’s machine,

  • Posting a privacy policy detailing the site’s use of cookies, the terms of which a user must positively accept upon visiting the site for the first time (e.g. via a tick box), and

  • Settings and feature-led consent. Where cookies are downloaded only when a user does something, e.g. watches a video or personalizes the site, the user’s consent is obtained before the feature is accessed.
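The three methods above share one mechanism: a cookie is only written once its category has been positively consented to, consent is recorded the first time it is given for that category, and cookies covered by the “provision of service” exemption pass through untouched. The following is an added illustration, not code from the article or from Kingsley Napley; the cookie names, categories and the in-memory cookie jar standing in for `document.cookie` are constructed for the demo.

```javascript
// Cookie audit (constructed): every cookie the site sets, its category and purpose.
// The "necessary" category models the regulations' "provision of service" exemption.
const COOKIE_AUDIT = {
  session_id:  { category: 'necessary',       purpose: 'keeps the user logged in' },
  _analytics:  { category: 'analytics',       purpose: 'measures page visits' },
  video_prefs: { category: 'personalisation', purpose: 'remembers player settings' },
};

// Builds a consent gate around a cookie jar (a Map here; document.cookie in a browser).
function createConsentGate(jar = new Map()) {
  const consented = new Set(['necessary']); // exempt category needs no consent
  const consentLog = [];                    // evidence for the information commissioner

  return {
    // Called from a tick box or a feature-led prompt; recorded once per category.
    grantConsent(category, source) {
      if (!consented.has(category)) {
        consented.add(category);
        consentLog.push({ category, source, at: new Date().toISOString() });
      }
    },
    // True while this category still needs a prompt before its first cookie.
    needsConsent(category) {
      return !consented.has(category);
    },
    // Writes the cookie only if it is audited and its category is consented to.
    setCookie(name, value) {
      const entry = COOKIE_AUDIT[name];
      if (!entry) throw new Error(`cookie "${name}" is not in the cookie audit`);
      if (!consented.has(entry.category)) return false; // blocked: no consent yet
      jar.set(name, value);
      return true;
    },
    jar,
    consentLog,
  };
}

// Feature-led consent: a feature that drops a cookie asks for consent first,
// and only the first time that category is encountered. promptUser is the
// site's own prompt (hypothetical); it returns true if the user accepts.
function playVideo(gate, promptUser) {
  const category = COOKIE_AUDIT.video_prefs.category;
  if (gate.needsConsent(category) && promptUser(category)) {
    gate.grantConsent(category, 'video-player prompt');
  }
  return gate.setCookie('video_prefs', 'volume=80');
}
```

In a real deployment the consent record would be persisted (it is itself a strictly necessary cookie or server-side record) so the prompt is not repeated on every visit.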


What Next?

The information commissioner has suggested that, in the near future, consent could be validly provided through users’ web browsers. The Information Commissioner’s guidance sets out a future scenario whereby a user accesses a website via a sufficiently sophisticated web browser set up to reject certain cookies and accept others, allowing a web manager to assume that the user has provided their consent accordingly. However, it acknowledges that many web browsers are not sufficiently sophisticated for this method to be currently viable.

The Article 29 Working Party (a group of data protection regulators from EU member states) has given a non-binding (albeit very persuasive) opinion on consent via web browsers. The Working Party has suggested that reliance on users navigating websites via sophisticated web browsers is not, in itself, a substitute for procuring their positive consent to the download of cookies. Instead, the Working Party has suggested that web browsers need to be supplied to consumers with a default setting of rejecting cookies. In order for consent to be validly given via these browsers, users would have to be provided with comprehensive information about cookies before actively changing their browser settings to allow them.

Law vs. Technology

The fundamental problem lies in a disconnect between the law and technology. In most cases the law runs to try to keep up with technology (e.g. super-injunctions failing to keep pace with the rise of social media). However, in this case the law is way ahead, making unrealistic demands of the current technological landscape and necessitating that developers build innovative solutions to meet the new legal requirements.

This is general guidance from Simon Halberstam, head of IT law at Kingsley Napley LLP, and should not be applied to any specific situation without consulting Simon Halberstam or another suitably qualified IT lawyer as to the appropriate way to proceed. For further information, contact Simon Halberstam at shalberstam@kingsleynapley.co.uk or tel: +44 020 7814 1258.

Read More from the CompTIA Blog