Last week we posted about the fast-approaching May 26 deadline for member state implementation of the EU’s revised Privacy and Electronic Communications Directive concerning cookies on web sites. We noted the relative absence of final (if any) guidance from EU jurisdictions on the approach to be taken in their respective implementations. On Monday, the UK’s privacy regulator, the Information Commissioner’s Office (commonly called the ICO), provided some official guidance. As expected, the official advice confirms the strict position set out by the Department of Culture, Media and Sport in April 2011.
While the ICO also confirmed that the UK government is working with the major browser manufacturers to identify future browser setting capabilities that will be adequate to evidence consent, it makes very clear that existing browser settings (previously deemed sufficient) will not pass muster after the 26th. So, for now, how are web site operators to obtain the necessary consent? The ICO declined to adopt a closed set of options or any single approach, but it does offer several suggestions.
One suggested method is a pop-up request for consent at the point a cookie is to be set, or when the user makes a navigation choice that will later require cookies for support. From the examples it gives, it is fairly clear the ICO does not believe it would be sufficient to rely on a single blanket pop-up to collect consent for all cookies on a web site that uses them for varied purposes, but it does indicate that an approach reasonably designed to collect informed consent will be acceptable. (Curiously, the ICO does not discuss the potential conflict between this approach and fairly common browser pop-up blocking options, but it certainly is something to consider in planning a response.)
The ICO also notes that third party cookies (that is, cookies set by elements on your website provided by third parties, e.g. an advertising network) present special challenges. Stressing again the need for full disclosure, the ICO concedes that it needs to continue working with industry and its counterparts in other EU jurisdictions to define the right approach.
In terms of enforcement, the official advice reiterates the UK government’s view that there should be a phased approach to the implementation of the changes required by the revised Directive and accordingly the ICO will issue separate guidance on how it intends to enforce the revised Directive. In the interim, the official advice states that if the ICO were to receive a complaint about a website, it would expect an organisation’s response to set out:
- how they have considered the ICO’s official advice; and
- that they have a realistic plan to achieve compliance.
The ICO states it would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice.
What should you do now?
- The ICO suggests you start by gaining a full understanding of the type of cookies used on your site and the purposes to which they are put. Be sure you consider all of the mechanisms that can be used to store and retrieve user choices—not just traditional cookies.
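The audit step above starts with knowing which cookies a site actually sets, by whom, and for how long. The following script is an added example, not part of the original post or any ICO material: it parses Set-Cookie headers captured from a site's responses and builds an inventory that separates first-party from third-party cookies and session from persistent ones, which is the starting point for mapping each cookie to a purpose and a consent mechanism. The sample responses, host names and the two-label approximation of a "site" are constructed assumptions; a real audit would use a public-suffix list and real captured headers.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class CookieRecord:
    name: str
    set_by: str        # URL of the response that set the cookie
    domain: str        # effective cookie domain
    persistent: bool   # True if Expires or a positive Max-Age is present
    third_party: bool  # True if the cookie domain is not the site's own
    secure: bool
    http_only: bool


def _registrable(host: str) -> str:
    # Assumption: approximate the registrable domain by the last two labels.
    # A production audit should use the public-suffix list instead.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, response_url: str, site_url: str) -> CookieRecord:
    """Parse one Set-Cookie header into an inventory record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs, flags = {}, set()
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(part.lower())

    resp_host = urlsplit(response_url).hostname or ""
    domain = attrs.get("domain", resp_host).lstrip(".").lower()

    # Session cookies carry neither Expires nor Max-Age; Max-Age=0 is a deletion.
    persistent = "expires" in attrs
    if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
        persistent = persistent or int(attrs["max-age"]) > 0

    site_host = urlsplit(site_url).hostname or ""
    third_party = _registrable(domain) != _registrable(site_host)

    return CookieRecord(
        name=name,
        set_by=response_url,
        domain=domain,
        persistent=persistent,
        third_party=third_party,
        secure="secure" in flags,
        http_only="httponly" in flags,
    )


def inventory(responses, site_url):
    """responses: iterable of (response_url, [Set-Cookie header, ...])."""
    records = []
    for url, headers in responses:
        for header in headers:
            records.append(parse_set_cookie(header, url, site_url))
    return records


def summarise(records):
    """Counts plus the cookies most likely to need explicit consent."""
    return {
        "total": len(records),
        "third_party": sum(r.third_party for r in records),
        "persistent": sum(r.persistent for r in records),
        "needs_consent_review": [r.name for r in records if r.third_party or r.persistent],
    }


# Constructed sample: two first-party responses and one from a hypothetical ad network.
SAMPLE_RESPONSES = [
    ("https://www.example.com/", [
        "sessionid=abc123; Path=/; Secure; HttpOnly",
        "prefs=lang%3Den; Max-Age=31536000; Path=/; Domain=.example.com",
    ]),
    ("https://ads.adnetwork-example.net/pixel", [
        "uid=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.adnetwork-example.net; Path=/",
    ]),
]

if __name__ == "__main__":
    for rec in inventory(SAMPLE_RESPONSES, "https://www.example.com/"):
        print(rec)
    print(summarise(inventory(SAMPLE_RESPONSES, "https://www.example.com/")))
```

This covers only HTTP cookies delivered in response headers. The "other mechanisms" the ICO has in mind (script-set cookies, localStorage and similar client-side stores) do not appear in Set-Cookie headers and need a separate client-side review.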
Overall, the ICO guidance seems to lay out a path to compliance that, while more involved than current typical approaches, is attainable with (some) effort. Most critically, as the ICO notes on page 4, if you operate in the EU “the key point is that you cannot ignore these rules.”
As noted in our prior post, we do not expect further guidance from France or Germany before the May 26 deadline, but we will be on the lookout for additional developments that bear reporting here.