Our blog | equimedia

ICO, DCMS and Cookies - Implementing the e-Privacy Directive

Written by Andrew | 25-May-2011 15:58:00

Whatever you do when reading anything to do with the e-Privacy Directive it is important not to panic.

It is however important that owners of websites take appropriate action over their use of cookies and the value they add to the user experience and how this is explained to site users.   

How this is implemented, and whether opt in consent is required, has led to much confusion - not least what would constitute a complaint to the ICO.  

The DCMS (Department for Culture, Media and Sport) rode to the rescue on the 22nd May with an Open Letter defining the UK implementation of Article 5(3) of the e-Privacy Directive on Cookies.

It makes the point that the UK has an approach that allows for developing technology to deliver a solution in the future - browsers might be the solution but not exclusively the solution.  

Only time will tell and we all probably have around twelve months to react to "tweaking" of the legislation and interpretation in technology as to how cookie permissions are managed.

One thing is clear, all website owners do need to have a plan in place to inform users as to what they use cookies for.

Equi=Media Clients have for some three months been kept abreast of what this means for them -  and this has been listed below.

Ironically today, the ICO have implemented an Opt In to receiving onsite cookies - but then they do need to demonstrate to their 28 partners in the Article 29 Group (other country ICO equivalents) that they are setting a standard.  Whether you feel compelled to follow the ICO is of course an option (and it is clear that the ICO are not requiring you to do anything similar for 12 months) but you might wish to implement a solution with a cleaner implementation and a better user experience. http://www.ico.gov.uk/

Again, all the advice we have received from the IAB, IPA and DCMS is that this is not necessarily what "consent" to cookies will mean in the future.

So wait and see but do follow through on the following;

1.  Audit the business's use of cookies

What the ICO do expect is to see evidence that businesses are taking their responsibilities seriously. To be able to demonstrate that a review has been undertaken is a very good way of doing this.

2.  Classify cookie usage and pay particular attention to uses that may be considered more intrusive

These are more likely to require a demonstration of more direct and obvious consent being obtained based on the intrusiveness however there is no fixed way of doing this - the IPA’s Legal Director has stated the following:

"if you think of it on some sort of sliding scale, at one end there'll be cookie use which is fine and for which no consent is necessary because it is "strictly necessary" (e.g. the shopping basket scenario), and at the other end, they'll be the more intrusive type of cookie used, for example, for targeting and for which more transparency will be required. "

3. Always consider how to more prominently explain to consumers how the business uses cookies

- "organisations must be upfront with their users" they must gain consent by providing specific information - reasons for use probably needs to be more upfront rather than being buried in the terms and conditions of the website.

Do review your approach to meeting the terms of the directive regularly - we will post another blog post our meeting with the ICO on the 9th June.