Cookies: ICO Prods and Guides

December 13, 2011

According to the Information Commissioner’s Office, web site owners ‘must try harder’ on complying with what the ICO calls ‘the new cookies law’. The statements accompanied publication of its half term report on enforcing the new rules.

The ICO has also published updated guidance for UK web site owners, setting out specific examples of what compliance looks like.

Information Commissioner, Christopher Graham, said:

‘The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like. We’re half way through the lead-in to formal enforcement of the rules. But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.’

The UK government has revised the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May 2011, to address new EU requirements. The Regulations make clear that UK businesses and organisations running web sites in the UK need to get consent from visitors to their web sites in order to store cookies on users’ computers.

Mr Graham continued:

‘Our mid-term report can be summed up by the schoolteacher’s favourite clichés “could do better” and “must try harder”. Many people running web sites will still be thinking that implementing the law is an impossible task. But they now need to get to work. Over the last few months we’ve been speaking to and working with businesses and organisations that are getting on with it and setting the standard. My message to others is – if they can do it, why can’t you? Some people seem to want us to issue prescriptive check lists detailing exactly what they need to do to comply. But this would only get in the way and would be too restrictive for many businesses and organisations. Those actually running web sites are far better placed to know what will work for them and their customers.’

Key points set out in the amended cookies advice include:

· More detail on what is meant by consent. The advice says ‘consent must involve some form of communication where an individual knowingly indicates their acceptance.’

· The guidance explains that cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules.

· However, cookies used for most other purposes, including analytical, first- and third-party advertising, and ones that recognise when a user has returned to a web site, will need to comply with the new rules.

· Achieving compliance in relation to third-party cookies is one of the most challenging areas. The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers.

· The ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.