A cookie is a small file of letters and numbers downloaded onto a device when a user accesses certain websites. Cookies allow a website to recognise a user’s computer/mobile etc, which can be useful in enabling a more customised setting for users.
- been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed; and
- given his or her consent to this.
The consent must be explicit ie specific and informed based on the information provided. No longer is it adequate for a website to infer consent if a browser is not set to block a particular cookie.
Is consent required for all cookies?
The regulations provide for a limited exception to the consent rule where cookies are “strictly necessary”. This includes cookies that are:
- set for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- strictly necessary for the provision of an information-society service requested by the subscriber or user.
The guidance issued by the ICO gives as an example of an exempted cookie a cookie which is used to enable an online checkout or payment system to function. The guidance also advises that this exception should be construed narrowly, so it is unlikely that this exception will be very useful for website owners.
How can consent can be obtained?
There a number of ways website owners can get their users’ consent to setting cookies and some of these are discussed in the ICO guidance. As a general rule they advise that the more intrusive the activity of the cookie, the more steps a website owner will need to take to get meaningful consent
Options for obtaining consent include:
- pop-ups: perhaps the easiest way of getting a user’s consent, this is a direct way of getting a user to agree to cookies being placed. The ICO acknowledges however that this option may potentially spoil the experience of using the website and be very frustrating for the user if there are a large number of cookies.
- terms and conditions: this can be a good way of obtaining consent where the user is required to subscribe to the site or register when making a purchase. The ICO guidance notes, however, confirm that to satisfy the new rules, existing users should be made aware of the changes and the cookies in use. For sites where users are not required to register and agree to terms and conditions, changes to the terms and conditions alone will not be sufficient.
- settings-led consent: in situations where a cookie is required to ‘remember’ a setting selected by the user e.g. a colour scheme or language option, it may be sufficient to warn users that turning on this setting will place a cookie on their browser.
- highlighted text: websites could perhaps ensure compliance by placing text in the header or footer of a webpage which is highlighted when a cookie is to be placed.
Steps to be taken
The ICO allowed websites a transitional period of 12 months in which to ensure compliance with the regulations. This means that by 25th May 2012 website owners will need to ensure that their websites are compliant.
In assessing what measures to take, organisations should consider the following:
- what type of cookies they use and how they are used
- how intrusive those cookies are
- what solution is best to obtain consent in the circumstances relating to their business.
One issue that remains unclear, despite ICO guidance, is exactly how compliance will be achieved with third party cookies. These are the cookies that are often used by advertisers when placing adverts on others’ websites. Although it is clear some collaboration will be required with the third party setting the cookies, it is still not certain how this will work in practice. We would recommend that businesses, for the time being, take reasonable and practical measures to work with third parties and at least draw to users’ attention the fact that third party cookies are being used, pending further guidance.