SCL Meeting Report: Cookie Consent – What Recipe?

April 1, 2012

On 28 March, a seminar arranged by SCL’s Midlands Group took place at Wragge & Co’s Birmingham offices, looking at the implications of the ‘cookie law’ and the difficulties faced in ensuring compliance. The meeting, chaired by Richard Nicholas (Browne Jacobson LLP), offered a variety of interesting perspectives, including those from hosts and sponsors Wragge & Co and from Simon Lande (Magus), on both the impact of the law and how companies are choosing to respond to it.

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2003 came into force on 26 May 2011, following an EC Directive; however, the ICO recognised the difficulty many businesses will face in implementing these Regulations and stated that it would not seek to enforce the Regulations for a period of one year. That year’s grace expires in May 2012.

A key provision of these Regulations is the requirement to obtain the explicit ‘opt-in’ consent of a web site user to the use of ‘cookies’: the small text files implanted by a web site operator on the hard disks and mobile devices of the web site user, enabling the collection of information about the user. Previously, web site operators had to ensure only that information was available as to how to opt out, and the onus was on the web site user to choose to do so. Now, users must be given information as to the purposes for which cookies are stored. That information must be sufficiently full and intelligible to allow users to clearly understand the consequences of allowing cookies.

Our first speaker was Kirsten Whitfield, a Director at Wragge & Co, who is both the Chair of the SCL Midlands Group and a member of the SCL Privacy and Data Protection Group committee.

Kirsten outlined the legal backdrop and the impending May deadline for businesses to demonstrate compliance. She talked through the ICO’s enforcement powers (ranging from enforcement notices to financial penalties) and discussed the fact that, whilst businesses that can show attempts to ensure compliance are likely to be at low risk of enforcement proceedings, the real risk is reputational damage by being identified as a company that is not seeking the consent of web site users in the way that is now required.

Kirsten also dealt with a number of related issues, such as the fact that the legislation is neutral on whether cookies have to collect ‘personal data’, the exception that applies when a cookie is ‘strictly necessary’ for use of a site (for example to follow what you have purchased when online shopping) and the implications of having third-party cookies on your web site. In looking at the practical steps businesses are required to take to ensure compliance, Kirsten referred to the helpful guidance issued by the ICO in December of last year.

Sana Viner, also a solicitor in the commercial team at Wragge & Co, then took us through the practical issues Wragge & Co and other businesses have had in balancing the need to obtain the user’s consent to cookie use with ensuring that the user has the best possible web site experience.

Sana walked us through examples such as the single ‘pop up’ on arriving at the site, information bars on either the top or bottom of the web page or a central ‘text block’ that loads immediately on visiting the site. For each she outlined how they might impact on the user experience (and in turn reduce traffic to the web site), and how much information they gave the visitor on the types and intrusiveness of the cookies used.

Both Kirsten and Sana were assisted in their presentations by Wragge & Co’s resident technical expert and web site manager Sean Butler.

This practical walk-through of the issues raised a number of interesting questions from the audience, including how implementation of the cookie regulations might interact with existing laws on web site accessibility for users with disabilities, and how the examples provided would be received by web site users.

Sana recommended referring to the anticipated ICC cookie guide, which is due to be released in the first week of April and which is expected to offer guidance on implementation including sample wording for any pop ups. Both Sana and Kirsten observed that, whilst it is not sufficient at this stage to rely on implied consent of the user to cookies, once users become more informed on the meaning and intention of cookie use the information required to be given by a business may decrease, resulting in a better user experience.

Finally, we heard from Simon Lande, founder and Chief Executive Officer of Magus, which supports the daily web governance programs of some of the largest brands in the world.

Simon outlined the categories of cookies that are commonly used (session/persistent/first party/third party) on web sites according to their lifespan and who has set them. He stressed that cookie consent is not simply a UK issue, but is being addressed across Europe, which is causing difficulties for international companies as EU Member States interpret what is required of them in different ways, with some yet to implement the EC Directive. Simon also reminded us that the regulations are not only focused on cookies; other technologies (eg apps) are also affected.

Simon then addressed how a company might audit their cookie use in practice, and took us through a number of examples of how large international organisations are choosing to address the issue.

The audience then relayed their experiences of how companies are dealing with the regulations in practice, which raised the fact that, whilst some companies appear to be hoping for a browser setting to be implemented which solves the issue, this is not likely to be immediately available and will not assist businesses with demonstrating compliance to the ICO come May.

Thanks go to Wragge & Co for hosting and sponsoring the event, to the chairman, and to the speakers for such an interesting meeting.

Laura Mackenzie is a trainee solicitor with the Commercial and IT team at Browne Jacobson LLP.