Last week we posted about the fast-approaching May 26 deadline for member state implementation of the EU’s revised Privacy and Electronic Communications Directive concerning cookies on web sites. We noted the relative absence of final (or, in many cases, any) guidance from EU jurisdictions on the approach to be taken in their respective implementations. On Monday, the UK’s privacy regulator, the Information Commissioner’s Office (commonly called the ICO), provided some official guidance. As expected, the official advice confirms the strict position set out by the Department of Culture, Media and Sport in April 2011.

While the ICO also confirmed that the UK government is working with the major browser manufacturers to identify future browser setting capabilities that will be adequate to evidence consent, it makes very clear that existing browser settings (previously deemed sufficient) will not pass muster after the 26th.  So, for now, how are web site operators to obtain the necessary consent?  The ICO declined to adopt a closed set of options or any single approach, but it does offer several suggestions. 

One suggested method is a pop-up request for consent at the point a cookie is to be set, or when the user makes a navigation choice that will later require cookies for support. From the examples it gives, it is fairly clear the ICO does not believe it would be sufficient to rely on a single blanket pop-up to collect consent for all cookies on a web site that uses them for varied purposes, but it does indicate that an approach reasonably designed to collect informed consent will be acceptable. (Curiously, the ICO does not discuss the potential conflict between this approach and fairly common browser pop-up blocking options, but it certainly is something to consider in planning a response.)

The ICO also points to terms of use as a solution, but is very clear in indicating that simply updating them will not be sufficient. Rather, users must be made aware of the changes and that they concern your use of cookies. Then, with this and the changes clearly disclosed, the user must provide a positive indication of their consent to the changes to the terms, e.g. by affirmatively ticking a box. The key, says the ICO, is to be “upfront with your users… Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.”

The ICO also notes that third party cookies (that is, cookies set by elements on your website provided by third parties, e.g. an advertising network) present special challenges.  Stressing again the need for full disclosure, the ICO concedes that it needs to continue working with industry and its counterparts in other EU jurisdictions to define the right approach.

In terms of enforcement, the official advice reiterates the UK government’s view that there should be a phased approach to the implementation of the changes required by the revised Directive; accordingly, the ICO will issue separate guidance on how it intends to enforce the revised Directive. In the interim, the official advice states that if the ICO were to receive a complaint about a website, it would expect an organisation’s response to set out:

  • how they have considered the ICO’s official advice; and
  • that they have a realistic plan to achieve compliance.

The ICO states it would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice.

What should you do now? 

  • The ICO suggests you start by gaining a full understanding of the types of cookies used on your site and the purposes to which they are put. Be sure you consider all of the mechanisms that can be used to store and retrieve user choices, not just traditional cookies.
  • Then, assess how “intrusive” your use of cookies is. The ICO suggests that cookies that simply support site functionality are much less intrusive than those used to create detailed profiles of a user’s browsing activity. You should read the advice and carefully consider, from a user’s perspective, what you are collecting and how it is used.
  • Finally, determine a reasonable approach for providing the user with information about your use of cookies and for collecting their consent. “The more privacy intrusive your activity, the more you will need to do to get meaningful consent.”

For service providers operating outside the EU, it should be noted that the EU data protection authorities take the view that setting cookies on computers of users in the EU is governed by the national law of the respective EU member state. Under this strict interpretation, any service provider with UK users who uses cookies will have to comply with the ICO guidance. Whether or not compliance can be expected or will be sanctioned in these cases is another question.

Overall, the ICO guidance seems to lay out a path to compliance that, while more involved than current typical approaches, is attainable with (some) effort. Most critically, as the ICO notes on page 4, if you operate in the EU “the key point is that you cannot ignore these rules.”

As noted in our prior post, we do not expect further guidance from France or Germany before the May 26 deadline, but we will be on the lookout for additional developments that bear reporting here.