Over the course of the 12-month grace period, we have seen guidance released from, amongst others, the ICO, setting out its interpretation of the new rules; the International Chamber of Commerce (ICC), working with industry to publish a helpful website for operators; and the Internet Advertising Bureau (IAB), proposing a self-regulatory compliance scheme for online advertisers.
THE ICC APPROACH
The ICC guide was developed to help website operators standardise terminology, by organising cookies into four categories and providing standard disclosures for each, in the hope that consistency will help consumers understand cookies more quickly.
The four categories are:
- Strictly necessary (essential in order to use the site and receive services, e.g. online shopping basket functionality, session cookies for managing security tokens throughout the site, multimedia flash cookies enabling media playback, load balancing session cookies, user interface customisation session cookies etc.);
- Performance (aggregate / anonymous tracking of how users use the site, e.g. analytics cookies, error management cookies);
- Functionality (to enable certain site functionality, e.g. to provide localised information, auto-completing usernames, remembering customised settings over multiple browser sessions or previous suppressions of services by the user etc.); and
- Targeting / advertising (to deliver advertising relevant to the user, to track advertising click-throughs etc.).
The guidance has been well received by the ICO, but has not been commented on by the Article 29 Working Party. It is nonetheless a great starting point when analysing your cookie use and when putting in place cookies notices and disclosure statements.
THE IAB GUIDANCE
The IAB has also issued guidance for its members (i.e. those in the targeted advertising industry), setting out a self-regulatory scheme based around an icon to be displayed on all targeted adverts, with links to further information, so that the user understands that targeted advertising is in place and that the advertising network is using cookies on their PC. When clicked, the icon takes users to the youronlinechoices.eu site, which explains how targeted advertising works and allows the user to opt out of targeted advertising (but not out of advertising in general) from all, or any one or more, of the advertisers in the IAB's network. The Article 29 Working Party, whilst welcoming the initiative, stated that it alone was insufficient to obtain valid consent to the setting of cookies for targeted advertising (or for associated cookies such as frequency capping, ad affiliation, de-bugging or click fraud prevention cookies): the icon is not currently meaningful to consumers; insufficient information is provided to the user about the relevant cookies; and the scheme provides for consent on a generic, opt-out basis, which does not constitute valid consent in this context, where anything short of informed, active consent will be inadequate.
COMPLIANCE APPROACHES IN PRACTICE
In practice, we are seeing a range of compliance approaches being taken by businesses operating in the UK, ranging from banner notices with tick boxes for active consent (the only example of which we have seen is the ICO’s solution), to one-time banners or pop-overs (such as those adopted by the BBC or Financial Times) giving brief information and allowing the user to take steps to disable the site’s cookies if they wish to do so before continuing to use the site (“implied” consent). There are few examples of express “opt-in” consents, and most website operators seem to be taking an implied consent approach, with some offering users an “opt-out” while others rely on users blocking cookies through browser settings (or simply ceasing to use the website).
Methods of informing users of cookie usage in order to ensure any implied consent is "informed" vary in their intrusiveness and persistence. For example, The Telegraph's popover appears at the bottom of the window and disappears once the user navigates to another page on the site. By contrast, the Financial Times' popover must be dismissed by the user before browsing is permitted. Similarly, whilst some banner notices appear only on the homepage and disappear once the user navigates to a different page (e.g. BBC), others (such as Channel 4's) persist across the whole site until dismissed by the user. Whilst the more persistent and intrusive solutions are more likely to result in obtaining informed consent if challenged, they are also more disruptive to the user experience.
As noted above, website operators have also taken different approaches in implementing opt-out functionality enabling users to modify their cookie settings. Some website operators (e.g. BBC and BT) offer the user a control panel where all but strictly necessary (ICC category 1) cookies can be disabled. Other operators, however (e.g. Apple, Channel 4), simply explain how users may disable cookies in their web browser settings.
Some website operators have implemented separate cookies policies alongside full privacy policies to give users information about the types of cookies in operation on their website. We are also seeing a significant number adopt the ICC categories as a way of explaining the various purposes of the different cookies.
You can access our detailed review of several UK cookies policies at this link.
If you are not yet compliant, then you should do the following as soon as possible:
- Conduct a full audit of the cookies on all websites operated by your organisation to determine which categories of cookie each site uses and for what purposes, so you have the information needed to develop a proportionate compliance approach;
- At the very least, explain in your cookies policy how customers can disable non-essential cookies through browser settings, and consider implementing a control panel on the site itself to allow cookies to be disabled in a more granular manner. Such an approach has the advantage of allowing users to disable some but not all of your site's cookies;
- Consider how to obtain consent from users if required, e.g. whether to rely on implied consent or express consent; whether to use an opt-in consent (in which case your site should not set any cookies prior to receipt of such consent) or an opt-out approach (where the user is merely informed that the site sets cookies and told how to disable them);
- Consider the wording of your consent notice carefully, to be certain that it allows the user to provide informed consent, whilst minimising the risk that the user will elect to disable cookies, e.g. try to strike the elusive balance between describing what your cookies do in plain English and not scaring consumers into de-activating them; and
- Consider how to display the consent request / notice on your website, i.e. through a popover or banner-type interface, and whether the user must respond to the notice prior to interacting with other site content.
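One way a site can enforce the opt-in / control-panel approach described in these steps, as an added example that is not from the original article or from any of the sites it names: cookies are tagged with one of the four ICC categories, and only strictly necessary cookies are set before the user has made a choice. The consent cookie's name and format, the cookie names, and the in-memory jar standing in for document.cookie are all assumptions.

```javascript
// Added example (not from the article): a consent gate built on the four ICC
// categories. Only strictly necessary cookies may be set before the user has
// chosen in the control panel; in "opt-out" mode other categories are allowed
// until disabled. The Map stands in for document.cookie so this runs outside
// a browser; cookie names are constructed.
const ICC = Object.freeze({
  STRICTLY_NECESSARY: 'strictly-necessary', // category 1: never user-disableable
  PERFORMANCE: 'performance',
  FUNCTIONALITY: 'functionality',
  TARGETING: 'targeting',
});
const OPTIONAL = [ICC.PERFORMANCE, ICC.FUNCTIONALITY, ICC.TARGETING];
const CONSENT_COOKIE = 'cookie_consent'; // assumed name; itself category 1

class ConsentGate {
  constructor(jar, mode) {
    if (mode !== 'opt-in' && mode !== 'opt-out') throw new Error('bad mode');
    this.jar = jar; // Map<name, {value, category}>
    this.mode = mode;
  }
  // Stored choices {performance: bool, ...}, or null if the user has not chosen.
  choices() {
    const entry = this.jar.get(CONSENT_COOKIE);
    return entry ? JSON.parse(entry.value) : null;
  }
  allowed(category) {
    if (category === ICC.STRICTLY_NECESSARY) return true;
    if (!OPTIONAL.includes(category)) return false; // unknown category: refuse
    const c = this.choices();
    if (c === null) return this.mode === 'opt-out'; // opt-in: nothing before consent
    return c[category];
  }
  // Returns true if set, false if the category is not currently permitted.
  set(name, value, category) {
    if (!this.allowed(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }
  // Record control-panel choices, then remove cookies in categories now disabled.
  record(panel) {
    const stored = {};
    for (const cat of OPTIONAL) stored[cat] = panel[cat] === true;
    this.set(CONSENT_COOKIE, JSON.stringify(stored), ICC.STRICTLY_NECESSARY);
    for (const [name, entry] of [...this.jar]) {
      if (!this.allowed(entry.category)) this.jar.delete(name);
    }
  }
}
```

Calling `record` again with fewer categories withdraws consent and deletes the cookies already set in the disabled categories, which is what a granular control panel needs to do beyond merely blocking new ones.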
Latham & Watkins can provide advice and guidance to assist you in developing a workable compliance solution, including advising on:
- The relative merits of opt-in vs. opt-out consent and various notice methods in relation to the specific cookies you use on your website;
- Drafting and updating your cookies and privacy policies;
- Providing optimal consent wording to mitigate risk of non-compliance; and
- General privacy and data protection law advice concerning your web presence.