By Gail Crawford, Amy Taylor, and Ben Wright
The UK Information Commissioner’s Office (ICO) 12-month grace period for enforcing compliance with the new cookie consent rules has now expired. If you are not yet compliant, you need to take action.
Over the course of the 12-month grace period, we have seen guidance released from, amongst others, the ICO, setting out its interpretation of the new rules; the International Chamber of Commerce (ICC), working with industry to publish a helpful website for operators; and the Internet Advertising Bureau (IAB), proposing a self-regulatory compliance scheme for online advertisers.
The ICO’s consolidated guidance promotes a transparent and proportionate approach. It makes clear that the ICO expects organisations to know exactly which cookies and other technologies that collect user information (collectively referred to as cookies in this post) are used on their sites, whether set by the organisation itself or by third party advertising networks; to take steps to give users clear and accessible information; and to obtain appropriate consent for those cookies. The ICO also makes clear that implied consent can be a valid option, depending on the quality and accessibility of the information provided to the user. Implied consent does not, however, mean doing nothing to your site and presuming that the user understands what you use cookies for and consents merely by using it.
For cookies set to track browsing for the purposes of targeted advertising (seen as the most intrusive use of cookies), the ICO emphasises that website operators and third party advertising networks must work together to ensure the required consent is obtained. Responsibility ultimately lies with the person setting the cookie (i.e. the third party ad network), but in practice the operator of the consumer-facing site is best placed to obtain that consent, with the third party’s help in understanding exactly which cookies are being used and how. The Article 29 Working Party has made clear in its recent Opinion on the exemptions to the cookies rules that consent will always be required for third party advertising cookies, with no exemption available (confirming its long-standing view that targeted advertising cookies are intrusive and require the highest standard of consent; see Opinion 2/2010 and Opinion 16/2011).
THE ICC APPROACH
The ICC guide was developed to help website operators standardise terminology by organising cookies into four categories and providing standard disclosures for each, in the hope that consistent language will make it easier for consumers to understand how cookies are used.
The four categories are:
- Strictly necessary (essential in order to use the site and receive services, e.g. online shopping basket functionality, session cookies for managing security tokens throughout the site, multimedia flash cookies enabling media playback, load balancing session cookies, user interface customization session cookies etc.);
- Performance (aggregate / anonymous tracking of how users use the site, e.g. analytics cookies, error management cookies);
- Functionality (to enable certain site functionality, e.g. to provide localised information, auto-completing usernames, remembering customised settings over multiple browser sessions or previous suppressions of services by the user etc.); and
- Targeting / advertising (to target advertising to the user’s interests, to track advertising click-throughs etc.).
The guidance has been well received by the ICO, but has not been commented on by the Article 29 Working Party. It is nonetheless a great starting point when analysing your cookie use and when putting in place cookies notices and disclosure statements.
THE IAB GUIDANCE
The IAB has also issued guidance for its members (i.e. those in the targeted advertising industry), setting out a self-regulatory scheme based around an icon to be displayed on all targeted adverts, with links to further information, so that the user understands that targeted advertising is in place and that the advertising network is setting cookies on the user’s computer. When clicked, the icon takes users to the youronlinechoices.eu site, which explains how targeted advertising works and allows the user to opt out of targeted advertising (but not of advertising in general) from any or all of the advertisers in the IAB’s network. The Article 29 Working Party, whilst welcoming the initiative, stated that it alone was insufficient to obtain valid consent to the setting of cookies for targeted advertising (or for associated cookies such as frequency capping, ad affiliation, debugging or click fraud prevention cookies): the icon is not currently meaningful to consumers; insufficient information is provided to the user about the relevant cookies; and the scheme provides for consent on a generic, opt-out basis, which does not constitute valid consent in this context, where anything short of informed, active consent will be inadequate.
COMPLIANCE APPROACHES IN PRACTICE
In practice, we are seeing a range of compliance approaches being taken by businesses operating in the UK, ranging from banner notices with tick boxes for active consent (the only example of which we have seen is the ICO’s solution), to one-time banners or pop-overs (such as those adopted by the BBC or Financial Times) giving brief information and allowing the user to take steps to disable the site’s cookies if they wish to do so before continuing to use the site (“implied” consent). There are few examples of express “opt-in” consents, and most website operators seem to be taking an implied consent approach, with some offering users an “opt-out” while others rely on users blocking cookies through browser settings (or simply ceasing to use the website).
Methods of informing users of cookie usage in order to ensure any implied consent is “informed” vary in their intrusiveness and persistence. For example, The Telegraph’s popover appears at the bottom of the window and disappears once the user navigates to another page on the site. By contrast, the Financial Times’ popover must be dismissed by the user before browsing is permitted. Similarly, whilst some banner notices appear only on the homepage and disappear once the user navigates to a different page (e.g. BBC), others (such as Channel 4’s) persist across the whole site until dismissed by the user. Whilst the more persistent and intrusive solutions are more likely to result in obtaining informed consent if challenged, they are also more disruptive to the user experience.
As noted above, website operators have also taken different approaches in implementing opt-out functionality enabling users to modify their cookie settings. Some website operators (e.g. BBC and BT) offer the user a control panel where all but strictly necessary (ICC category 1) cookies can be disabled. Other operators, however (e.g. Apple, Channel 4), simply explain how users may disable cookies in their web browser settings.
Some website operators have implemented separate cookies policies alongside full privacy policies to give users information about the types of cookies in operation on their website. We are also seeing a significant number adopt the ICC categories as a way of explaining the various purposes of the different cookies.
You can access our detailed review of several UK cookies policies at this link.
NEXT STEPS
If you are not yet compliant, then you should do the following as soon as possible:
- Conduct a full audit of the cookies on all websites operated by your organisation to determine which categories of cookie each site uses and for what purposes, so you have the information needed to develop a proportionate compliance approach;
- Produce a cookies policy (or review the wording of your existing cookies or privacy policy) to explain which cookies you use, and why you use them. Consider using the ICC categories to guide your users;
- At the very least, explain in your cookies policy how customers can disable non-essential cookies through browser settings, and consider implementing a control panel on the site itself to allow cookies to be disabled in a more granular manner. Such an approach has the advantage of allowing users to disable some but not all of your site’s cookies;
- Consider how to obtain consent from users if required, e.g. whether to rely on implied consent or express consent; whether to use an opt-in consent (in which case your site should not set any cookies prior to receipt of such consent) or an opt-out approach (where the user is merely informed that the site sets cookies and told how to disable them);
- Consider the wording of your consent notice carefully, to be certain that it allows the user to provide informed consent whilst minimising the risk that the user will elect to disable cookies, i.e. try to strike the elusive balance between describing what your cookies do in plain English and not scaring users into deactivating them; and
- Consider how to display the consent request / notice on your website, i.e. through a popover or banner-type interface, and whether the user must respond to the notice prior to interacting with other site content.
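The opt-in versus opt-out distinction in the list above is a coding requirement as much as a policy one: in the opt-in case no non-essential cookie may be set before consent is received, and in either case a control panel that withdraws consent should also remove the cookies already set. The following is an added example, not code from this post or from any of the sites it names. It is a small JavaScript consent gate that keys every cookie off its ICC category as recorded in the cookie audit, refuses any cookie the audit did not classify, and gates third party tags the same way. The cookie names, the registry and the in-memory jar are constructed for illustration; a real site would back the jar with document.cookie.

```javascript
// Added example: an ICC-category consent gate for a site's cookies.
// Runs in Node against an in-memory jar; in a browser the jar would be
// backed by document.cookie. Cookie names and categories below are
// constructed for the example, not taken from any real site.

const ICC = Object.freeze({
  NECESSARY: 'strictly-necessary',
  PERFORMANCE: 'performance',
  FUNCTIONALITY: 'functionality',
  TARGETING: 'targeting',
});

// Output of the cookie audit (hypothetical names): every cookie the site or
// its third parties set, mapped to its ICC category.
const COOKIE_REGISTRY = Object.freeze({
  session_id: ICC.NECESSARY,
  csrf_token: ICC.NECESSARY,
  basket: ICC.NECESSARY,
  analytics_uid: ICC.PERFORMANCE,
  locale: ICC.FUNCTIONALITY,
  ad_profile: ICC.TARGETING,
});

class ConsentGate {
  // mode: 'opt-in' (nothing non-essential until the user agrees) or
  // 'opt-out' (implied consent: everything allowed until the user objects).
  constructor(registry, mode, jar = new Map()) {
    this.registry = registry;
    this.jar = jar;
    this.allowed = new Set([ICC.NECESSARY]);
    if (mode === 'opt-out') {
      Object.values(ICC).forEach((c) => this.allowed.add(c));
    } else if (mode !== 'opt-in') {
      throw new Error(`unknown consent mode: ${mode}`);
    }
  }

  // Record the user's choice from the control panel.
  grant(category) {
    this.allowed.add(category);
  }

  // Strictly necessary cookies cannot be withdrawn; the site does not work
  // without them. Withdrawing any other category also deletes the cookies
  // of that category that were already set, so the opt-out is effective.
  revoke(category) {
    if (category === ICC.NECESSARY) return false;
    this.allowed.delete(category);
    for (const [name, cat] of Object.entries(this.registry)) {
      if (cat === category) this.jar.delete(name);
    }
    return true;
  }

  // Returns true if the cookie was set, false if consent blocks it.
  // A cookie missing from the audit registry is refused: fail closed
  // rather than silently setting something nobody has classified.
  setCookie(name, value) {
    const category = this.registry[name];
    if (category === undefined || !this.allowed.has(category)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Gate a third party tag (e.g. an ad network script) the same way, so
  // its loader never runs before consent for its category exists.
  loadTag(category, loader) {
    if (!this.allowed.has(category)) return false;
    loader();
    return true;
  }

  cookieNames() {
    return [...this.jar.keys()].sort();
  }
}

// Walk through both approaches from the list above.
function demo() {
  const optIn = new ConsentGate(COOKIE_REGISTRY, 'opt-in');
  optIn.setCookie('session_id', 'abc');       // necessary: always allowed
  optIn.setCookie('ad_profile', 'p1');        // targeting: blocked until consent
  optIn.setCookie('tracker_xyz', '1');        // not in the audit: blocked
  const beforeConsent = optIn.cookieNames();
  optIn.grant(ICC.TARGETING);                 // user ticks the targeting box
  optIn.setCookie('ad_profile', 'p1');
  const afterConsent = optIn.cookieNames();

  const optOut = new ConsentGate(COOKIE_REGISTRY, 'opt-out');
  optOut.setCookie('session_id', 'abc');
  optOut.setCookie('analytics_uid', 'u1');
  optOut.setCookie('ad_profile', 'p2');
  optOut.revoke(ICC.TARGETING);               // control panel: user objects
  const afterRevoke = optOut.cookieNames();

  return { beforeConsent, afterConsent, afterRevoke };
}
```

The registry is the point of the design: the audit in the first step produces it, and everything that sets a cookie or loads a tag has to go through the gate, so an unclassified cookie is a visible failure rather than an accidental disclosure.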
Latham & Watkins can provide advice and guidance to assist you in developing a workable compliance solution, including advising on:
- The relative merits of opt-in vs. opt-out consent and various notice methods in relation to the specific cookies you use on your website;
- Drafting and updating your cookies and privacy policies;
- Providing optimal consent wording to mitigate risk of non-compliance; and
- General privacy and data protection law advice concerning your web presence.
Please contact Gail Crawford or Amy Taylor with any queries.