Cookie Law (Dwf 190511)
DWF E-Brief (May 2011)
The law on cookies is about to change – what every website owner needs to do
On 26 May 2011 the law on cookies is going to change.
The shift is small but potentially very significant: an opt-out approach was previously acceptable, now
consent will be needed to each cookie from each end user.
The change is relevant to all but the simplest of websites; those seeking to ride the cusp of the
impending behavioural advertising wave will be particularly affected.
Regrettably, full details have come very late in the day (the relevant regulations and guidance only
came out earlier this month) so there is little time for businesses to adapt. As a result, the Information
Commissioner’s Office (ICO) is not expected to require 100% compliance on day one, but has made it
clear that it expects every website owner to demonstrate what it is doing to comply in the event of a
complaint.
We look at the steps your organisation will need to take.
Speed read
The new law covers all technologies that involve the storing and accessing of information on an end
user’s computer, not just cookies.
In order to comply with the new law you need to:
Establish what cookies you store on end user machines (including those generated by third
party software embedded in your site);
Establish how, when and where you use those cookies and the data they generate;
Identify who uses those cookies and such data, in particular any third parties;
Risk assess your cookie usage and prioritise the ones you need to tackle first (i.e. those with
greatest privacy implications); and
Decide what methods you are going to use to obtain “consent” (you will need to differentiate
between different classes of end user, and the relative privacy implications of your cookies in
doing so).
The ICO recognises that obtaining consent is likely to be challenging in many cases.
The ICO has the power to (amongst other things) levy fines of up to £500,000 for breaches of the
new law, and we would expect it to make examples of particular cases in due course.
You should stay alive to other legal implications when implementing any solution, for example, new or
increasing use of personal data regulated by the Data Protection Act 1998.
Scope of the new law
It is worth pointing out at this stage that this note talks about cookies, but the new law is of wider
effect. It applies to all technologies which involve storing information on an end user’s computer for
subsequent access. It therefore covers, for example, Adobe Flash’s “locally stored objects” (otherwise
known as “flash cookies”). Locally stored objects have been the cause of particular privacy concerns,
as until relatively recently they could not be managed by any mainstream web browser, unlike
“normal” HTTP cookies.
© DWF LLP 2011
Step 1 - what cookies do you store on end user machines?
You may already have an exhaustive list, but if not an audit would be appropriate. Ultimately, you
need to identify all files stored and accessed from time to time, without any exceptions.
You need to consider cookies which enable end user functionality, but also those that power aspects
otherwise hidden to users – e.g. that track how they use your site.
Don’t forget arrangements you have with third parties – e.g. if you run Google Analytics, or other third
party advertising software through your website. Such applications may generate cookies for which
you are responsible. Check the terms of your related contracts and/or contact the relevant supplier in
each case to ensure you understand the position in full. The ICO recognises this is a potentially
thorny area given that some of these suppliers will be operating from other jurisdictions which apply
different standards (e.g. the US), but there is no carve-out for their activities in the new law.
Step 2 - how, when and where do you use those cookies, and the data they generate?
Amongst other things, you need to know the purpose for which each file is created, stored and
accessed, when you access it, and what the implications would be for both you and the end user if
you did not access it.
This question is particularly important because cookies and files which are “strictly necessary” for
performing a service an end user has “explicitly requested” are exempt from the need for consent. No
statutory definition of these terms has been given, but the ICO has confirmed it will interpret this
exemption narrowly. One example would be a cookie to ensure selected goods are transferred into an
electronic shopping basket and then to checkout on a shopping website because a customer wants to
buy them. Each cookie will need to be assessed separately to see if it is “strictly necessary”: if
you have any doubts, we’d recommend erring on the side of caution because that is what the ICO is
most likely to do.
Don’t forget that the data created by the file is also significant – depending on its nature and purpose
it may be personal data the use of which is separately regulated by the Data Protection Act 1998.
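The audit in Steps 1 and 2 is usually started from captured HTTP responses. What follows is an added example and not part of the DWF note: a small Node.js script that parses Set-Cookie headers from a constructed crawl, records for each cookie whether it is first- or third-party and session or persistent (together with its lifetime and the Secure/HttpOnly flags), and orders the result with the highest privacy exposure first. The hostnames, cookie names and the `parseSetCookie`, `classifyCookie` and `buildInventory` functions are all constructed for illustration. The purpose column is deliberately left as a placeholder because purpose has to come from the Step 2 review of your own code and contracts, not from the headers; note also that a header-level capture misses cookies written by client-side scripts via document.cookie, which must be audited separately.

```javascript
// Added example (not from the DWF note): a first pass at the Step 1 / Step 2 cookie inventory,
// built from captured Set-Cookie response headers. All hosts and cookie names are constructed.

// Parse one Set-Cookie header value into a structured record.
function parseSetCookie(header, responseHost) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    domain: responseHost, // host-only cookie unless a Domain attribute says otherwise
    setBy: responseHost,
    maxAge: null,
    expires: null,
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'max-age') cookie.maxAge = Number(val);
    else if (key === 'expires') cookie.expires = new Date(val);
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Does `host` fall within the site's own domain?
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith('.' + siteDomain);
}

// Turn a parsed cookie into one row of the inventory table.
function classifyCookie(cookie, siteDomain, now) {
  let lifetimeSeconds = null;
  if (cookie.maxAge !== null) lifetimeSeconds = cookie.maxAge; // Max-Age wins over Expires (RFC 6265)
  else if (cookie.expires) lifetimeSeconds = Math.round((cookie.expires - now) / 1000);
  return {
    name: cookie.name,
    domain: cookie.domain,
    party: isFirstParty(cookie.domain, siteDomain) ? 'first-party' : 'third-party',
    type: lifetimeSeconds === null ? 'session' : 'persistent',
    lifetimeDays: lifetimeSeconds === null ? 0 : Math.round(lifetimeSeconds / 86400),
    secure: cookie.secure,
    httpOnly: cookie.httpOnly,
    purpose: 'UNKNOWN - fill in from the Step 2 review', // cannot be inferred from headers
  };
}

// Build the inventory from captured responses of the form [{ host, setCookie: [header, ...] }].
// Third-party cookies come first, then longer-lived ones: roughly the note's privacy ordering.
function buildInventory(responses, siteDomain, now = new Date()) {
  const rows = [];
  for (const r of responses) {
    for (const h of r.setCookie) rows.push(classifyCookie(parseSetCookie(h, r.host), siteDomain, now));
  }
  return rows.sort((a, b) => {
    if (a.party !== b.party) return a.party === 'third-party' ? -1 : 1;
    return b.lifetimeDays - a.lifetimeDays;
  });
}

// Constructed sample capture: what a crawl of a small shop site might record.
const SAMPLE_RESPONSES = [
  { host: 'www.example-shop.test', setCookie: [
    'SESSIONID=a1b2c3; Path=/; Secure; HttpOnly',                        // basket/session cookie
    'lang=en-GB; Max-Age=2592000; Path=/',                               // 30-day language preference
  ] },
  { host: 'tracker.example-vendor.test', setCookie: [
    '_vid=xyz; Domain=.example-vendor.test; Expires=Fri, 01 Jun 2012 00:00:00 GMT; Path=/', // third-party analytics
  ] },
];

// Fixed "now" (the date the law changed) so lifetimes are reproducible.
const FIXED_NOW = new Date('2011-05-26T00:00:00Z');

function sampleInventory() {
  return buildInventory(SAMPLE_RESPONSES, 'example-shop.test', FIXED_NOW);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(sampleInventory());
}
```

Run it with `node inventory.js` to print the table; in practice you would feed it the Set-Cookie headers recorded by a proxy or crawler and then hand the rows, purpose column included, to whoever owns each feature.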
Step 3 - who uses those cookies and the resulting data?
Again this information needs to be obtained without exceptions. Third parties in particular need to be
identified and explicitly flagged to end users.
Step 4 - risk assess your usage and prioritise the cookies to tackle
The law is being changed to help address the growing privacy concerns over collection and usage of
data relating to individuals’ behaviour, without them being aware this is going on.
However, the ICO tends to take a holistic approach and recognises that not all cookies stored on end
user machines have the same privacy concerns: some have more implications than others. With this
in mind, and given the rushed timescale with which this change in law has been brought in, we’d
suggest the following prioritised approach:
Prioritisation matrix (quadrant numbers give the order in which to tackle cookies):

                                 Privacy Implications
                                 Low                            High
Functional /        High         3 (Low privacy + high need)   1 (High privacy + high need)
Commercial Need     Low          4 (Low privacy + low need)    2 (High privacy + low need)
Step 5 – Decide how to obtain “consent”
First of all, it is worth restating that some (but not many) cookies may fall outside of the requirement
for consent because they are “strictly necessary” for you to provide a service “explicitly requested” by
a user.
For all other cookies, you will need to obtain the end user’s consent.
To date, the standard approach has been to include cookies as a topic in a website’s privacy policy
with a link from each page, or from the site’s terms of use. This policy would set out some basic
details of the cookie and leave the position at that.
For practical reasons, this approach on its own will not suffice under the new law if your use of
cookies is anything other than vanilla and fundamental to the service your site provides. In particular,
it is static and does not allow your site to deal with the consequences of consent being declined.
Furthermore, it is increasingly open to challenge because it gives the sense of “burying the issue in
the small print”.
What you should be aiming for is an interactive page which seeks an “unambiguous, freely given,
specific and informed indication” of an end user’s wishes. This phrase really boils down to one
concept: transparency. However, it is not the same as saying you must put a page in front of every
end user that dryly goes on about all cookies and other technical terms en masse (although this would
be useful for a person to check back to on occasion, in particular so as to vary his/her consents over
time). The ICO guidance makes it clear that you can seek in effect “consent as you go” - highlighting
the need for a cookie to access particular features and/or functionality when an end user first
accesses them – a far more dynamic and less off-putting approach.
Consider the following:
Differentiate between types of end users. For casual visitors to your site the existing
privacy policy-only approach alluded to above will probably have to remain – its lack of
intrusion means it will not drive away traffic - although it is very debatable whether this gives
rise to any consent worthy of the name (e.g. if a casual user automatically receives a session
cookie). To mitigate the risk of substantive complaints, the cookies such casual visitors
receive should be the most vanilla possible, their numbers kept very low, and ideally only
used to provide basic functionality. For registered users who access more functionality (and
whose usage is probably more cookie-intensive) far clearer means will certainly be required,
managed through the log-on process. New users also have to be treated differently to existing
users. For existing users, ideally you should not be relying on the position that has gone
before unless this is examined and sufficient to constitute “consent”. Any attempt to seek
consent now may involve changing your terms and conditions of use. You will need to comply
with any express right and/or the general law of contract in doing so.
How do you want to display your information on cookies? As alluded to above, it would
be sensible to maintain an up-to-date privacy policy page that an end user can refer back to
which outlines all cookies used on your site. Ideally this should be dynamic so an end user
can see all their consents in one go, and vary them. This can be used in combination with
other techniques though, such as pop-ups for new areas of functionality.
How do you want an end user to actually convey consent? It will be hard to avoid the
need for a tick box, “ok” or other acceptance button for any action in which a cookie or similar
file having material privacy implications will be stored on an end-user’s machine. Once given,
such consent would not have to be renewed periodically, provided the end user has the
opportunity to change his/her mind, and the means of doing so have been flagged up.
How much information do you need to provide for each cookie? The basic requirement
remains unchanged in the new law. You have to give “clear and comprehensive information
about the purposes of the storage of, or access to” each cookie. That said, a lot of privacy
policies only touched upon cookies at the highest of levels, and it is open to question as to
whether this is enough to create “unambiguous, freely given, specific and informed” consent.
Furthermore, the ICO guidance on the changes suggests additional areas of information that
are relevant. As a general rule, if in doubt, it is worth being more transparent. The more
invasive the information being collected, the more information you should be giving.
We would suggest best practice would involve providing the following for each cookie:
o Whether it is a session cookie or permanent cookie
o Its purpose
o What it will enable (and conversely what will be disabled without it)
o Whether there is any other means of achieving the same end without that cookie
o When and how often you will access it
o Whether any third parties access it, and if so, who they are, where they access it from
(plus the purpose(s) they use it for, and what it enables, if different to your position)
o How an end user can change his/her mind regarding that cookie and remove it
o What will happen to the information you obtain from the cookie (this strays into data
protection law – see below)
For ease of understanding, a standardised table or similar format would work well. Aim to
convey the information simply, but accurately. Don’t use technical terms and sweeping
generalisations.
If you want to use “consent as you go” features as well, this is fine, but make sure you do not
scrimp on appropriate context (an obvious link to more information would be ok though).
You may want to re-write your site in part to minimise its use of cookies and/or better
track consents. This could be time consuming because it is likely to involve changes to all
architectural layers, but could be beneficial down the line. Society (and the law) appears to be
slowly moving towards better practices and more regulation in this area. Keep track of what
your competitors are doing. Complying with best practice sooner rather than later may be a
source of competitive advantage.
Beware other legal implications. For example (and as mentioned above) by differentiating
between individuals regarding cookies, you may be straying into use of personal data, which
is separately regulated by the Data Protection Act 1998. If you are not already up to speed on
the obligations this Act imposes, you should seek legal advice.
Watch this space. The ICO has still to issue its enforcement guidance, which should further
clarify the position, and has intimated it may provide examples regarding particular types of
cookies. Furthermore, keep track of general progress within the website industry and
especially regarding browsers (see below). The entire EU is grappling with the same problem
and it is likely that practice will converge towards an accepted form over time. It would not be
surprising if we end up with pop-ups for cookies being downloaded, in the same way that
firewalls presently ask if you want to download a file from a particular source and warn you of
the risks of viruses, etc.
Overall, as a rough litmus test it is worth bearing in mind that the “unambiguous consent” test to be
used is only one, somewhat grey, step down from the “explicit consent” test to be applied when using
sensitive personal data under the Data Protection Act 1998. Ask yourself “Have we given nearly as
much information to end users regarding our use of cookies, and taken almost as many steps to
obtain their consent to that use, as we would have done if we were looking to collect and use details
of their medical conditions / political beliefs / sex life / trade union membership?” If not, you have
probably not done enough.
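The “consent as you go” approach, the requirement that every cookie be declared, and the end user’s ability to change his/her mind all come together in a small piece of client-side logic. The following is an added example, not code from the DWF note: a gate through which all cookie writes pass. Every cookie must appear in a registry (the output of Step 1); “strictly necessary” cookies are written immediately, while any other cookie is held back until the user has consented, and withdrawing consent deletes the cookie as well as recording the refusal. The registry, the `ConsentManager` class and the `MemoryCookieJar` are constructed for illustration; the in-memory jar stands in for document.cookie so the script runs under Node.js, and in a browser you would replace it with an adapter that reads and writes document.cookie.

```javascript
// Added example (not from the DWF note): a minimal "consent as you go" gate. Every cookie must be
// declared in a registry (the Step 1 inventory); non-essential cookies are only written once the
// end user has consented, and consent can be withdrawn, which also deletes the cookie.
// MemoryCookieJar is an in-memory stand-in for document.cookie so this runs outside a browser.

class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  remove(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
}

const CONSENT_COOKIE = 'cookie_consent'; // records the user's choices; needed to honour them

class ConsentManager {
  constructor(registry, jar) {
    this.registry = new Map(registry.map((c) => [c.name, c]));
    this.jar = jar;
    this.pending = new Map();                        // values deferred until consent arrives
    const saved = jar.get(CONSENT_COOKIE);
    this.consents = saved ? JSON.parse(saved) : {};  // name -> true (given) / false (withdrawn)
  }

  // Refuse to touch anything the inventory does not know about.
  declared(name) {
    const entry = this.registry.get(name);
    if (!entry) throw new Error(`undeclared cookie "${name}": add it to the inventory first`);
    return entry;
  }

  allowed(name) {
    const entry = this.declared(name);
    return entry.essential || this.consents[name] === true;
  }

  // Gate: returns true if the cookie was written, false if held back pending consent.
  setCookie(name, value) {
    if (this.allowed(name)) { this.jar.set(name, value); return true; }
    this.pending.set(name, value);
    return false;
  }

  // Called from the tick box / "ok" button shown when the feature is first used.
  grant(name) {
    this.declared(name);
    this.consents[name] = true;
    this.persist();
    if (this.pending.has(name)) {
      this.jar.set(name, this.pending.get(name));
      this.pending.delete(name);
    }
  }

  // The end user changing his/her mind: stop using the cookie and delete what is stored.
  revoke(name) {
    this.declared(name);
    this.consents[name] = false;
    this.pending.delete(name);
    this.jar.remove(name);
    this.persist();
  }

  persist() { this.jar.set(CONSENT_COOKIE, JSON.stringify(this.consents)); }

  // Rows for the "see all consents in one go" page the note recommends.
  status() {
    return [...this.registry.values()].map((c) => {
      let consent = 'not yet asked';
      if (c.essential) consent = 'not required';
      else if (this.consents[c.name] === true) consent = 'given';
      else if (this.consents[c.name] === false) consent = 'withdrawn';
      return { name: c.name, purpose: c.purpose, essential: c.essential, consent, stored: this.jar.has(c.name) };
    });
  }
}

// Constructed registry; purposes are sample text, not a real site's.
const SAMPLE_REGISTRY = [
  { name: 'SESSIONID', purpose: 'Keeps your basket together until checkout', essential: true },
  { name: 'analytics_id', purpose: 'Lets us see which pages are popular', essential: false },
  { name: 'recommend', purpose: 'Remembers what you looked at to suggest products', essential: false },
];

// Walk through one lifecycle and report what happened at each step.
function demoConsentFlow() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(SAMPLE_REGISTRY, jar);
  const results = {};
  results.sessionWritten = cm.setCookie('SESSIONID', 'a1b2c3');     // essential: written at once
  results.analyticsWritten = cm.setCookie('analytics_id', 'u-42');   // held back
  cm.grant('analytics_id');                                          // user ticks the box
  results.analyticsAfterGrant = jar.has('analytics_id');
  cm.revoke('analytics_id');                                         // user changes his/her mind
  results.analyticsAfterRevoke = jar.has('analytics_id');
  // A fresh page load reads the saved choices back from the consent cookie.
  const reloaded = new ConsentManager(SAMPLE_REGISTRY, jar);
  results.survivesReload = reloaded.status().find((r) => r.name === 'analytics_id').consent;
  return results;
}
```

The `status()` rows are what you would render on the cookie page the note suggests, and the thrown error on an undeclared name is intentional: a cookie that nobody has inventoried is exactly what Step 1 is meant to surface.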
Use of browser settings
The government has engaged with the major browser developers with a view to adding functionality to
allow cookies and similar files to be fully administered in accordance with the new law via an end
user’s browser. This remains work in progress though; most (if not all) browsers are not sufficiently
sophisticated at present to enable consent to be inferred from their settings, and none have been
approved by the ICO for the purpose of the new law.
Why doing nothing is not an option
We’ve touched upon the way in which society and the law is moving regarding issues of privacy. If
that isn’t enough of a reason, in line with the recent beefing up of its powers across the board, the
ICO can (amongst other things) levy fines for up to £500,000 for breach of the new law. Furthermore,
the ICO is increasingly looking to exercise its powers. We would not be surprised if it sought to make
examples out of particular cases in due course “pour encourager les autres”.
That said, the ICO’s normal approach is to seek binding undertakings to get entities to change their
practices before using heavier sanctions. It recognises that “gaining consent will, in many cases, be a
challenge”. It has also gone on record to say (in essence) that it will be applying more of a softly-softly
approach to begin with given the relatively little time between the publication of the relevant
regulations and guidance, and the law coming into effect. UK business has some breathing space as
a result, but should not be too complacent about what is coming down the road.
Robert Machin (Senior Solicitor)