On May 26, 2012 a 12-month lead-in period to allow for the implementation of the new internet cookie regulations will come to an end. The Information Commissioners Office (ICO) will have the power to impose fines of up to £500,000 for failure to comply with the updated rules. If your company has not already made a genuine attempt to plan for these changes, then you could be at risk.
1. What are we discussing here
Internet cookies are commonly found in websites as a tool for storing information about customers’ browsing habits, and enabling or enhancing the use of certain parts of the website. The cookies are downloaded by the computer of the person accessing the site, and are recognised by the site if the user returns.
There are long or short-term memory cookies, and in some cases cookies can be placed on your website by third parties looking to analyse general consumer patterns.
2. What’s changing?
New European legislation, adopted by the UK back in 2011, has changed the emphasis on consent required from users to enable cookies to function on websites. It is now no longer sufficient to provide customers with an option to disable these cookies.
The updated regulations state that a website owner cannot store or gain access to stored information unless they have:
- Provided clear and comprehensive information about the purposes of the storage of, or access to, the information; and
- Obtained consent from the subscriber (the person responsible for paying the internet bill) or user (the individual actually browsing the internet).
These regulations apply to all websites in operation in the UK. There is an exception available if the storage of information is ‘strictly necessary” to provide the service that the customer requires. This is a very narrow definition that really only applies to online sales where a checkout service on the website requires that a customer’s selections can be stored.
3. How will this affect your business?
Your business must conform to these changes whatever the cost and effort required. The ICO decided to allow a 12-month period during which time no substantial enforcement of the rules would take place. That period is now coming to an end and the ICO has full discretion in how it decides to penalise any companies failing to comply.
4. What should you do to comply?
The moratorium period was provided to allow businesses to implement the required changes to their website. If you have not already done so, then following the recommended approach given by the ICO, would be a good starting point.
This would include:
- Undertaking a review of all the cookies that your website operates this can take the form of a comprehensive audit of cookies or simply checking the data files which your website places on customer’s terminals. Ensure that you know exactly what is placed on your website, whether by yourself or by third parties;
- Access how intrusive the cookies on your website actually are – ie, cookies creating a detailed profile on an individual’s pattern of browsing will be considered highly intrusive. The more intrusive that they are, the more meaningful the consent you will be required to obtain from users of the website; and
- Decide upon the best solution for obtaining consent going forward. There will be several appropriate methods for requesting permission from a customer but it is clear that the important aspect of whichever method you chose is that the customer must make a positive move to agree to the use of the cookies, and that they understand that they have given consent. Possible examples would be a pop-up icon, message bar, general terms and conditions or subscriber systems.
Your business will very shortly need to be compliant with the revised rules. Website developers will be able to assist with a cookie audit, and any technical problems arising out of your website.
Mark Agate is a lawyer in the commercial team at Spring Law.