UPDATE (24TH FEBRUARY): I attended an IPA “update” seminar on this, on Wednesday 22nd February. It largely confirmed our understanding.
[NB. I am not a legal expert and the opinions in this post are mine alone. Each website owner will need to make their own decisions on what is required in order for them to be compliant... but hopefully this summary is valuable in helping you make that decision].
The Information Commissioner’s Office (ICO) published its “half term report” on enforcing the new e-privacy regulation back on the 13th December. It makes slightly better reading for online advertisers than previous releases and, provided you are taking action in a number of areas, means that it is becoming a little clearer how to ensure you are compliant by the 26th May.
We’ve been working closely with Clients to provide guidance on the steps to take throughout this process; below we revisit some of these and go into a little more detail on what the latest ICO statement tells us.
[The ICO quotes included below are all taken from the ICO’s updated “guidance for UK website owners” – a PDF of which can be downloaded here.]
Do you have to do anything?
The ICO has stated that it fully appreciates that this is a complicated area (both technically and legally) but failure to show any action has been taken at all will be looked at negatively by them if a complaint is brought against your company. If you are finding it difficult to fully comply by the 26th May, then you will need to be ready to explain why this is and how you plan to address it if a complaint is raised.
You don’t however need to panic:
“…on 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”
Can we rely on cookie settings in web browsers?
“At present, most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie… Government is working with the major browser manufacturers to establish which browser level solutions will be available and when. In future many websites may well be able to rely on the user’s browser settings as part, or all, of the mechanism for satisfying themselves of consent to set cookies. For now relying solely on browser settings will not be sufficient”.
What are the things you can do now?
Although there is still room for interpretation and debate over some areas of the regulation, there are certain actions that you clearly have to take:
1. Cookie Audit: By now you should have conducted a cookie audit of your website. You should have collated information on each cookie that is dropped and what the cookie is used for. It would seem clear that failure to have conducted this housekeeping exercise will be viewed negatively by the ICO, should they receive a complaint about your site.
A previous blog post here explains more on how to conduct a cookie audit.
2. Remove unused cookies: If you can demonstrate that, during your audit, you found and removed some cookies that were no longer useful, this will show progress being made.
“If websites are open and honest about how they work, if the mechanisms for exercising user choices are integrated into the presentation and user experience of the site, the users will be more confident about using the site and more comfortable with how websites collect and use information derived from their online behaviour”.
The latest document also states that you should:
I also suggest linking to the mechanisms for opting out of Adserver technologies (such as Doubleclick tracking) and Web Analytics packages (such as Google Analytics).
“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals, if an organisation can demonstrate they have done everything they can clearly to inform users about the cookies in question and to provide them clear details of how to make choices.”
Make your cookie information incredibly visible.
(I recommend keeping a close eye on websites such as www.bbc.co.uk and www.guardian.co.uk to see what their privacy / cookie pages contain and how prominent they are).
Are some cookies more acceptable than others?
As stated above, it would appear that there is a spectrum here, largely defined by “intrusiveness”. The ICO has given some more specific direction on which cookies could be made an exception to the requirement for informed consent from users.
Clearly, from this table, Web Analytics and Advertising cookies aren’t identified as exceptions to the consent requirement. However, for Web Analytics, the latest document also states:
“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
So it would appear that provided you take the steps above, you can fairly confidently continue to use a Web Analytics package such as Google Analytics without necessarily facing a penalty. However, what else do you need to do if you use 3rd party advertising cookies?
Do we need to gain prior consent?
This appears to be the most challenging area of the regulation. There are various ways in which this is being interpreted, and the technical practicalities of implementing a solution are difficult. Let’s take the interpretation first...
Consent? It is absolutely clear that the regulation requires that users consent.
Prior? The ICO guidance certainly states that this is the ICO’s preference, but “prior” is not expressed in the regulations and the ICO also makes reference to the difficulty of achieving this. A key point is:
“…websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.”
There is a very interesting blog post here from Eduardo Ustaran, a partner at Field Fisher Waterhouse (a “market leading Privacy and Information Law Group”). In it he states:
“At the very least, it has to be reasonable to assume that someone can easily find out and exercise effective control over the cookies being served on their terminal equipment. A prominent notice, a simple explanation and an opportunity to take a view on whether to accept or reject cookies will go a long way….”
The ICO document also mentions...
Therefore, although the ICO explicitly states that you cannot rely on “implied consent” alone, by clearly demonstrating efforts in other areas you will be making tangible progress towards compliance.
One of the key parts of the OBA framework is that advertisers need to include an icon on all behaviourally targeted advertising which explains why the banner is displayed and how users can manage the targeting. The ICO has given positive feedback to this framework, but suggests that it does not achieve compliance on its own.
Furthermore, this is for banners; what about websites? Well, if we still assume that the focus of the ICO is on behavioural advertising, then there are already solutions available for delivering the management of behavioural cookies using an “opt out” mechanism. For example, see the Ad Choices link towards the bottom of www.adobe.com. I think it is very likely that this sort of mechanism will become more commonplace and these technology providers will have a part to play in this area in the future. However, is it necessary now?
I am currently talking to several providers of this technology to evaluate the cost and resource requirements for implementation. If a cost-effective solution exists, then implementing it becomes more appropriate and feasible. Until then, however, I suggest you focus on the other actions mentioned.
In summary therefore, I suggest you do the following (as a minimum):
- Conduct a comprehensive cookie audit
- Understand the use of all these cookies on your website
- Remove any cookies that are outdated or unnecessary
- Assess the intrusiveness of the remaining cookies
- Seek opportunities for including mechanisms for cookie consent – for example, wherever you already have a “T’s & C’s” consent requirement, update the T’s & C’s to include reference to your website cookie use
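The first four steps above (audit, understand, remove, assess intrusiveness) start with an inventory of every cookie your site actually sets. The script below is an added example, not code from the original post or from the ICO: it parses a list of Set-Cookie headers captured while browsing a site (the list here is constructed sample data for a hypothetical example.com), records each cookie’s scope, lifetime and security flags, separates first-party from third-party cookies, and applies a simple intrusiveness heuristic of my own (session cookies low, persistent first-party medium, persistent third-party high). That heuristic is an assumption for illustration, not the ICO’s classification, and the first-party check is a plain domain-suffix match rather than a public-suffix-list lookup.

```python
"""Cookie audit helper: inventory Set-Cookie headers observed while browsing
a site and flag the ones a reviewer should look at first.

Added example; the sample data below is constructed, not captured from a
real site, and the risk labels are an illustrative heuristic, not the ICO's.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

SITE_DOMAIN = "example.com"  # hypothetical site under audit
# Fixed reference time so lifetimes derived from Expires are reproducible.
NOW = datetime(2012, 2, 24, tzinfo=timezone.utc)

# Constructed sample: (host that sent the response, raw Set-Cookie header).
OBSERVED: List[Tuple[str, str]] = [
    ("www.example.com", "PHPSESSID=a1b2c3; Path=/; HttpOnly"),
    ("www.example.com", "__utma=173272373.1.1; Domain=.example.com; Path=/; "
                        "Expires=Sun, 23 Feb 2014 10:00:00 GMT"),
    ("www.example.com", "basket=ABC123; Domain=.example.com; Path=/; Max-Age=1800; Secure"),
    ("ad.adnetwork-example.net", "id=deadbeef; Domain=.adnetwork-example.net; Path=/; "
                                 "Max-Age=63072000"),
    ("analytics.example.org", "uid=42; Path=/; Expires=Thu, 01 Jan 2015 00:00:00 GMT"),
]


@dataclass
class CookieRecord:
    name: str
    domain: str                    # effective domain scope of the cookie
    party: str                     # "first" or "third"
    lifetime_seconds: Optional[int]  # None means a session cookie
    secure: bool
    http_only: bool
    risk: str                      # heuristic: "low", "medium" or "high"


def is_first_party(domain: str, site_domain: str) -> bool:
    """Suffix match only; a public suffix list would be needed for shared hosts."""
    return domain == site_domain or domain.endswith("." + site_domain)


def parse_set_cookie(host: str, header: str, site_domain: str = SITE_DOMAIN) -> CookieRecord:
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    # No Domain attribute means the cookie is scoped to the responding host.
    domain = attrs.get("domain", host).lstrip(".").lower()
    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    lifetime: Optional[int] = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = int((expires - NOW).total_seconds())
    party = "first" if is_first_party(domain, site_domain) else "third"
    if lifetime is None:
        risk = "low"                   # dies with the browser session
    elif party == "first":
        risk = "medium"                # persistent, but stays with this site
    else:
        risk = "high"                  # persistent and readable by a third party
    return CookieRecord(name, domain, party, lifetime,
                        "secure" in attrs, "httponly" in attrs, risk)


def audit(observed: List[Tuple[str, str]], site_domain: str = SITE_DOMAIN) -> List[CookieRecord]:
    return [parse_set_cookie(host, header, site_domain) for host, header in observed]


def summarise(records: List[CookieRecord]) -> Dict[str, int]:
    """Count cookies by party so the audit can show the first/third-party split."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec.party] = counts.get(rec.party, 0) + 1
    return counts


def print_report(records: List[CookieRecord]) -> None:
    print(f"{'name':<10} {'domain':<24} {'party':<6} {'lifetime':>10} {'flags':<16} risk")
    for rec in sorted(records, key=lambda r: (r.risk != "high", r.risk != "medium", r.name)):
        life = "session" if rec.lifetime_seconds is None else f"{rec.lifetime_seconds / 86400:.1f}d"
        flags = ",".join(f for f, on in (("Secure", rec.secure), ("HttpOnly", rec.http_only)) if on)
        print(f"{rec.name:<10} {rec.domain:<24} {rec.party:<6} {life:>10} {flags:<16} {rec.risk}")


if __name__ == "__main__":
    results = audit(OBSERVED)
    print_report(results)
    print("by party:", summarise(results))
```

The report is the artefact to keep: for each cookie you still have to record, by hand, what it is used for and why it is needed, which is the “understand” step no script can do for you. Cookies that come out of the heuristic as “high” are the ones to explain or remove first.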
I suggest you do the same.
(Any thoughts or comments on this, please find me on Twitter - @ryanwebb).