24/02/2012 - Have you got consent for your cookies?
The Information Commissioner’s Office (ICO) has published further guidance on obtaining consent to cookies on websites. Many people feel this law, which must be complied with by May 2012, is impractical. However, in the words of the Information Commissioner: ‘this isn’t going away. It’s the law’. With the Information Commissioner’s ability to issue financial penalties of up to £500,000, the new consent rules should be taken seriously.
When is consent to be obtained? Websites must provide users with information on the cookies. Where possible the user must, before the cookie is set, be provided with the opportunity to look at this and choose to accept or reject. If a website cannot currently do this, as much as possible needs to be done to reduce the amount of time before the user receives the information and is provided with the option to accept or reject.
Is implied consent sufficient? The ICO feels general awareness of cookie functions and uses is not high enough for websites to rely entirely on implied consent. This may change.
Who has to consent? Either the subscriber (being the person legally responsible to pay the bill for the internet connection) or the user (being any individual using a computer or other device to access a website). So long as either one has provided consent, this will be sufficient.
What must the consent include? Clear and comprehensive information about the cookies, i.e. telling people that cookies are there, explaining what they do and obtaining consent. This is more than providing an ‘opt out’ option.
How is consent obtained and users informed of cookies? Cookie information needs to be prominent, e.g. by using different text and font sizes, by positioning the information or linking to the information. Pop-ups, header and footer bars, and settings-led and feature-led consents asking users if they agree to the cookies can be used.
Any exceptions? The ICO gives the following examples of activities likely to be exempt: (1) cookies used to remember the goods a user wishes to buy when proceeding to a checkout or shopping basket; (2) cookies providing security essential to comply with the requirements of data protection, e.g. online banking; and (3) cookies which help webpages load quickly and effectively.
Who is responsible for compliance? The person setting the cookie is primarily responsible. However, if a separate company has set a cookie through a website, both are responsible for obtaining consent. Make sure you review agreements with web publishers to ensure appropriate steps will be taken to obtain consent and sufficient information about cookies is included on websites.
Can a user withdraw consent? Consent can be withdrawn at any time. Information on how to withdraw consent and ideally the consequences of this must be set out.
What now? Check the type of cookies and similar technologies you use and how you use them, assess the intrusiveness of the cookie, and consider what consent solution is best.
If you would like to discuss this article or have any related questions please contact David Ashplant by email or on 01202 786165.