Cookie compliance: your 5 day emergency action plan Claire Walker


Page 1: Cookie compliance: your 5 day emergency action plan Claire Walker

Cookie compliance: your 5 day emergency action plan

Claire Walker


www.olswang.com

What you need to know…

If your company is one of the 95% of UK organisations not yet obtaining consent to website cookies:

• 5 working days until end of UK enforcement amnesty (26 May)

• 4 main types of cookie

• 3 practical steps to comply

• 2 key sources of guidance

• 1 example of creative good practice


Cookie consent countdown

• May 2009: consent rule adopted at EU level

• 25 May 2011: UK transposes rule - on time!

• May 2011: ICO guidance V1

• Dec 2011: ICO guidance V2

• March 2012: “95% of UK companies not ready” (KPMG); “Collusion” project

• April 2012: ICC practical guidance

• 26 May 2012: UK “amnesty” ends


What is a cookie?

“information stored in the terminal equipment of a subscriber or user”

Regulation 6 Privacy and Electronic Communications Regulations 2003


4 main types of cookie – Icons courtesy of BT


Cookie consent: the new rule

Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:

a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

b) has given his or her consent.

Regulation 6 PECR 2003, as amended

(NB: the pre-2011 requirement was information + an opportunity to opt out)


3 compliance steps: Step 1


Audit


Audit (continued)


…or be audited!


Step 2: provide information

ICO guidance

• “sufficiently full and intelligible to allow individuals to understand the practical consequences”

• Greater effort required now, as user understanding is likely to be low

Make sure users can see the information:

• Position – eg top of the page not the bottom (e.g. IAB)

• Formatting – eg font size or icon – make it stand out

• Description – eg “cookie policy” or “how our site works” rather than “privacy”

• Blog post or new headline to draw attention [e.g. “updated” in red]

• NB: notice does not = consent – but it helps!


Step 2: information


Step 3: obtain consent

But what’s valid “consent” to a cookie?

Key points from the current ICO guidance (Dec 2011 version)

• Must involve some form of communication…

• …where user knowingly indicates their acceptance

• User must fully understand that by the action they are giving consent

• Ideally consent needs to be “prior”…

• …websites must “do as much as possible” to minimise time lag between setting cookie and giving users the choice

• …so cookie info must be “readily available”

• Avoid setting persistent cookies if visitors may be one-offs


What could “consent” look like? (BT)


What could “consent” look like? (BT again)


Step 3: methods of consent

The ICO guidance suggests the following potential consent mechanisms – depending on the intrusiveness or otherwise of the cookies used:

• Pop ups (not all pop ups are bad!)

• Splash pages

• Footer bar with accept button

• Via online ts & cs which user accepts (but not by slipping in new terms post acceptance)

• Settings led (e.g. language of site, location for weather report, etc)

• Feature led

• What about browser settings? ICO view is that at present browser settings alone do not satisfy consent requirement


Can “implied consent” work?

• Implied consent normally invalid in a DP context – see criteria listed earlier

• Level of consent required in a given scenario depends on the user’s understanding and awareness

• “reliance on implied consent…must be based on a definite shared understanding of what is going to happen”, i.e.

  • that cookies will be set

  • what the cookies do

  • that the user’s action signifies agreement

So, shared understanding / implied consent:

• may be viable as consumer awareness grows over time

• also depends on the prominence of cookie information on the site


Less creative solutions…


What to do about Analytics

• Analytics cookies ARE covered by the consent rules

• Low enforcement risk - ICO has a pragmatic stance

• If analytics are the only cookies you use - what should you do?

  • Provide information

  • Seek “consent” via a notice route?

  • Suggested wording: “This site uses Google Analytics cookies to collect information about how visitors use this site. Click here [link to relevant section of privacy policy] for more details. By using this site you agree that we can place these cookies on your device.”
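One way to wire the “footer bar with accept button” route from the consent-methods list, and to hold back an analytics cookie until that click, as an added example that is not from the slides or from any vendor’s code; the injected cookie store, the cookie names and the category labels are assumptions:

```javascript
// Added example, not from the slides: a "footer bar with accept button" consent
// gate. Necessary cookies are set at once; analytics etc. wait for an explicit accept.
// The cookie store is injected so this runs outside a browser; names are assumed.
function createConsentGate(store) {
  const pending = [];                                    // deferred non-essential setters
  let consented = store.get("cookie_consent") === "yes"; // remembered from an earlier visit

  // Build a Set-Cookie style string; omitting Max-Age makes it a session cookie.
  function setCookie(name, value, { maxAge, secure } = {}) {
    const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/"];
    if (maxAge) parts.push(`Max-Age=${maxAge}`);
    if (secure) parts.push("Secure");
    store.set(name, value, parts.join("; "));
  }

  return {
    // true if the cookie was set now, false if it is waiting for consent
    request(category, setter) {
      if (category === "necessary" || consented) { setter(setCookie); return true; }
      pending.push(setter);
      return false;
    },
    accept() {                 // record consent persistently, then release the queue
      consented = true;
      setCookie("cookie_consent", "yes", { maxAge: 365 * 86400 });
      pending.splice(0).forEach((setter) => setter(setCookie));
    },
    decline() {                // drop the queue; session-only record, so a one-off
      pending.length = 0;      // visitor leaves with nothing persistent
      setCookie("cookie_consent", "no");
    },
  };
}

// Constructed in-memory stand-in for document.cookie.
function memoryStore() {
  const jar = new Map();
  return { get: (n) => jar.get(n)?.value, set: (n, v, raw) => jar.set(n, { value: v, raw }),
           dump: () => [...jar.values()].map((c) => c.raw) };
}

// A first visit: session cookie immediately, analytics cookie only after accept.
function firstVisit(accepts) {
  const store = memoryStore();
  const gate = createConsentGate(store);
  gate.request("necessary", (set) => set("sessionid", "abc123", { secure: true }));
  const gaQueued = !gate.request("performance", (set) => set("_ga", "GA1.2.111", { maxAge: 63072000 }));
  if (accepts) gate.accept(); else gate.decline();
  return { gaQueued, cookies: store.dump() };
}
```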


2 essential sources for lawyers

• ICO guidance – December 2011 – to be updated shortly

• International Chamber of Commerce UK Cookie Guide – April 2012

  • Categorisation of cookies

  • How to describe them to users; use of icons (e.g. BT)

  • Consent mechanisms to use

  • Endorsed as good practice by the ICO

  • Will other websites follow suit?


Third party cookies: who’s responsible?

• ICO’s view: website owner and third parties are both responsible

• In practice, website owner likely to receive any complaints about 3rd party cookies on site

• Website owner has direct interface with end user – therefore easier for it to provide information and obtain consent

• Tip: ensure your cookie audit covers 3rd party cookies
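What the audit step can produce once third-party cookies are in scope, as an added example that is not from the slides: classify captured Set-Cookie headers by who set them, whether they are first- or third-party, and how long they persist. The site host, the fixed audit date and the captured headers are all constructed.

```javascript
// Added example, not from the slides: classify captured Set-Cookie headers
// for a cookie audit. The site host, audit date and captured responses are constructed.
const SITE_HOST = "www.example.co.uk";                   // assumed first-party host
const NOW = Date.parse("Mon, 21 May 2012 00:00:00 GMT"); // fixed date so lifetimes are stable

// Constructed capture: which response host set the cookie, and the raw header value.
const CAPTURED = [
  { host: "www.example.co.uk", header: "sessionid=abc123; Path=/; Secure; HttpOnly" },
  { host: "www.example.co.uk", header: "_ga=GA1.2.111; Expires=Wed, 21 May 2014 07:28:00 GMT; Domain=.example.co.uk" },
  { host: "ads.tracker.example", header: "uid=42; Max-Age=63072000; Path=/" },
];

// Parse "name=value; Attr=val; Flag" into a cookie object (attribute keys lower-cased).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// First-party if the cookie's domain is the site host itself or one of its parent domains.
function isFirstParty(host, domainAttr) {
  const domain = (domainAttr || host).replace(/^\./, "").toLowerCase();
  return SITE_HOST === domain || SITE_HOST.endsWith("." + domain);
}

// Lifetime in days: Max-Age takes precedence over Expires (RFC 6265); neither = session cookie.
function lifetimeDays(attrs) {
  if (attrs["max-age"] !== undefined) return Math.round(Number(attrs["max-age"]) / 86400);
  if (attrs.expires !== undefined) return Math.round((Date.parse(attrs.expires) - NOW) / 86400000);
  return 0;
}

// One audit row per captured cookie.
function audit(captured = CAPTURED) {
  return captured.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const days = lifetimeDays(c.attrs);
    return { name: c.name, setBy: host, party: isFirstParty(host, c.attrs.domain) ? "first" : "third",
             persistence: days > 0 ? "persistent" : "session", lifetimeDays: days,
             secure: c.attrs.secure === true, httpOnly: c.attrs.httponly === true };
  });
}
```

Run `audit()` over headers captured from a real crawl of the site and every row with `party: "third"` or a long `lifetimeDays` is a candidate for the information and consent steps.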


Bottom line: UK enforcement risks?

What does the ICO expect of website owners by 26 May 2012?

• Audit cookies used

• Take “sensible measured action to move to compliance”

• Have a realistic action plan for compliance: timescales + specific actions

Will the ICO take enforcement action over cookies, and when?

• ICO’s approach “practical and proportionate”

• Organisation refuses to comply…

• Use of particularly intrusive cookies with no information and no consent

• Who will be made an example of?


Will the ICO issue fines?

• ICO's own guidance will be updated again before 26 May - watch this space

• ICO "does not anticipate a wave of enforcement action after the lead in period ends" ...

• but does expect organisations "to have used this time productively and ensured that they are working towards becoming fully compliant."

In what circumstances will the ICO impose monetary penalties?

• Serious contravention +

• Deliberate or reckless +

• Likely to cause substantial damage or substantial distress

• Reckless = knowledge of risk; failure to take “reasonable steps”


For more information please contact:

Claire Walker

+44 (0) 207 067 [email protected]