Current regulation of cookies
The internet industry has tried to control the use of cookies and protect privacy. The RFCs on HTTP session management say that browsers should protect user privacy and not allow third-party cookies by default, yet a number of the popular browsers ignore this default deny of third-party cookies. Some browsers allow third-party cookies to be set if the setter has a compact privacy policy, sent in a compact policy field as part of the Platform for Privacy Preferences Project (P3P). P3P was started by the World Wide Web Consortium (W3C) and officially recommended in 2002, but development ceased a short period afterwards.
A number of countries around the world have produced guidelines and regulations on cookies, but these only affect the relevant country. In 2002 the EU developed a telecommunications privacy directive; Article 5, paragraph 5 of the directive mandates that storing data on a user's computer can only be done if certain conditions are met. These cover giving information on how the data is used and giving the user the option to opt out of the data being stored. Data that is necessary for technical reasons is exempt from the user opting out of storing it.
In the UK the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations) implemented a European Directive, 2002/58/EC, concerned with the protection of privacy in the electronic communications sector. In 2009 this Directive was amended by Directive 2009/136/EC. This included a change to Article 5(3) of the E-Privacy Directive requiring consent for storage of, or access to, information stored on a subscriber's or user's terminal equipment. The UK introduced the amendments on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
Prior to the introduction of the Regulations, the government expressed the view that there should be a phased approach to the implementation of these changes. The Information Commissioner agreed that businesses would need time to implement solutions. He therefore confirmed that he would exercise his discretion and allow organisations a 'lead in' period of 12 months to put in place the measures needed to comply. This lead-in period comes to an end on 26 May 2012; there are just two months of it left.
During this period the Information Commissioner made it clear that organisations should be taking steps to comply with the rules; for any complaints received about websites during this period, he would expect to see a plan of action on how the rules are going to be complied with.
What can be done?
No matter what a business's view of the law is, it won't stop the Information Commissioner's Office (ICO) from taking action on complaints that websites are breaking the law.
The new regulations require more than just telling users about cookies and allowing them to opt out; businesses need to be more proactive in meeting the regulations.
The ICO recommends these three steps:
1. Check what types of cookies and similar technologies are being used and how they are being used.
2. Assess how intrusive the cookie use is.
3. If consent is needed, decide upon the method of obtaining consent.
Although cookies required for technical reasons are exempt,
the actual scope of the exemption has been discussed in various forums and
there have been some very inventive technical reasons as to why a cookie should
be exempt.
In general the following are not exempt:
· Cookies used for analytical purposes, for example to count the number of unique visits to a website
· First and third party advertising cookies
· Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored
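The three ICO steps and the exempt/non-exempt list above can be turned into a simple cookie audit. The following is an added example, not code from the original post or from the ICO: it parses Set-Cookie headers captured from a site's pages (a constructed sample here), records who set each cookie, flags third-party cookies, looks the cookie up in a hypothetical purpose inventory (step 1), decides whether the technical-necessity exemption applies (step 2), and then filters the cookies that may actually be set once the user has opted in to particular purposes (step 3). The cookie names, hosts and the `PURPOSE_BY_NAME` inventory are assumptions; a real audit would build that inventory from the site's own code and its third-party tags. Cookies not found in the inventory are treated conservatively as needing consent until someone reviews them.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed inventory (hypothetical names): cookie name -> purpose.
# This is the output of ICO step 1, normally compiled by hand for each site.
PURPOSE_BY_NAME = {
    "sessionid": "strictly necessary",
    "csrftoken": "strictly necessary",
    "_ga": "analytics",            # counts unique visits: not exempt
    "ad_id": "advertising",        # advertising cookie: not exempt
    "greeting_name": "personalisation",  # tailors the greeting: not exempt
}

# Only cookies required for technical reasons fall under the exemption.
EXEMPT_PURPOSES = {"strictly necessary"}

# Constructed sample of (response URL, Set-Cookie header) pairs, as a crawler
# of the site might capture them. Hosts and values are made up.
SAMPLE_RESPONSES = [
    ("https://www.shop.example/", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.shop.example/", "csrftoken=xyz; Path=/; SameSite=Strict"),
    ("https://www.shop.example/", "_ga=GA1.2.1; Domain=.shop.example; Path=/"),
    ("https://www.shop.example/", "greeting_name=Alice; Path=/"),
    ("https://ads.tracker.example/pixel.gif", "ad_id=42; Domain=.tracker.example; Path=/"),
    ("https://cdn.shop.example/app.js", "cdn_region=eu; Path=/"),
]


def is_third_party(site_domain, set_by_host, domain_attr):
    """True when the cookie belongs to a domain other than the visited site.

    site_domain is assumed to be the site's registrable domain (e.g. shop.example);
    a cookie scoped to that domain or any of its subdomains is first-party.
    """
    owner = (domain_attr or set_by_host).lstrip(".").lower()
    site = site_domain.lower()
    return not (owner == site or owner.endswith("." + site))


def audit_cookies(site_domain, responses):
    """ICO steps 1 and 2: inventory every Set-Cookie header and decide whether
    consent is needed. Returns one dict per cookie."""
    report = []
    for url, header in responses:
        set_by_host = urlparse(url).hostname
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus Domain/Path/Secure/... attributes
        for name, morsel in jar.items():
            purpose = PURPOSE_BY_NAME.get(name, "unknown")
            report.append({
                "name": name,
                "set_by": set_by_host,
                "third_party": is_third_party(site_domain, set_by_host, morsel["domain"]),
                "purpose": purpose,
                # Unknown purpose -> assume consent is required until reviewed.
                "consent_required": purpose not in EXEMPT_PURPOSES,
            })
    return report


def cookies_allowed(report, consented_purposes):
    """ICO step 3: given the purposes the user has opted in to, return the
    names of cookies that may be set (exempt ones are always allowed)."""
    return sorted(
        c["name"] for c in report
        if not c["consent_required"] or c["purpose"] in consented_purposes
    )


if __name__ == "__main__":
    audit = audit_cookies("shop.example", SAMPLE_RESPONSES)
    for c in audit:
        party = "third-party" if c["third_party"] else "first-party"
        need = "consent required" if c["consent_required"] else "exempt"
        print(f"{c['name']:<14} set by {c['set_by']:<24} {party:<12} {c['purpose']:<20} {need}")
    print("allowed with no consent:", cookies_allowed(audit, set()))
    print("allowed after analytics opt-in:", cookies_allowed(audit, {"analytics"}))
```

Note that the third-party test here compares against the site's registrable domain, so a cookie from `cdn.shop.example` is first-party while one from `tracker.example` is not; a production audit would use a public suffix list rather than a hard-coded domain. The `cdn_region` cookie has no entry in the inventory and so is reported as needing consent, which is the safe outcome: it forces a human to classify it rather than silently treating it as exempt.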
The international nature of the internet and the use of third-party cookies will make it difficult to establish clearly the scope of the regulations and who is responsible for implementing them.
From the information released by the ICO it is clear that a UK organisation is subject to the regulations even if its website is hosted outside the UK. Organisations from outside Europe with websites designed for the European market and offering services or products within Europe should consider that European users will be expecting information on cookies and the ability to opt out.
The responsibility for providing information on third-party cookies and gathering the opt-in permission will lie with the website owner, as it will be technically very difficult for the third party to do so.