Until very recently, cookies have simply been regarded as a technical aspect of web sites, a means for web site developers to make a web site operational and a valuable asset for them to gather information enabling them to evaluate their web site and endeavour to improve it. However, historically, web site operators have been able to derive benefit from cookies without having to give them any real active consideration, except, perhaps, as a way of enabling a certain function on their sites and to inform users that they were using them on their site. This indifference or lack of thought has been mirrored by web site users, many of whom, research suggests, have little or no knowledge of what cookies are, how they are used, or how to disable them.
In the EU, this indifference is being swept away with the implementation in Member States of Directive 2009/136/EC, which brings with it a sea-change requiring web site operators to obtain a user’s consent for the cookies they intend to place on a device. It is a change that has caused web site operators all over Europe to gasp with horror.
The Directive and its local law implementations have been analysed and summarised in many informative articles. Here, we do not repeat or try to better those articles, but instead focus on how one organisation – Experian – is currently getting on with the process of becoming compliant.
Our article uses the definition of cookies found in the December 2011 Guidance issued by the Information Commissioner’s Office, where cookies are web site browser cookies, Flash cookies, and equivalent technologies. We use the term ‘web sites’ to cover all technologies that use cookies.
Case study: Experian
The small print!
At the time of writing, there are a range of opinions on what organisations should do to achieve compliance with the amended law. There are also a raft of initiatives in the offing, such as industry standards and codes of practice, cookie control tools, web site standards and browser standards. It is unclear which, if any, of these initiatives will in the future be regarded as best-practice and which will fail to gain a footing.
Whilst these aspects of the cookies law and practice landscape have been a massive influence in what Experian has done in this area, the policy decisions made by Experian to achieve (and exceed) legal compliance will not be appropriate for all organisations. What will be appropriate for each organisation ultimately depends on how your particular organisation uses cookies as any solution will inevitably need to be tailored to those uses and indeed to the customers your web site serves.
Cookies law team
When the amended law came into effect, Experian created an internal cookies law compliance team (the ‘cookies law team’). Its purpose was to provide an internal contact point for the business, and to keep on top of developments in this area. The team comprises a mix of people from the Compliance and Legal functions in order to gain maximum breadth of experience and expertise.
The cookies law team aims to promote awareness of this change in the law throughout the business by providing regular updates on the work it has been involved in, by attending meetings of relevant managers to provide input where appropriate, and by providing a ‘Cookies Law Tracker’ intranet site which can be accessed by web site managers.
The site details the team’s activities, and is updated regularly to set out how Experian are moving the business towards compliance. Experian also use it as a mechanism to notify the business of what its next steps will be, and to explain the amended law and what it means in practical terms.
The cookies audit
As is now well-known, the first step towards achieving compliance with the amended law should be an audit to understand what cookies you use and how you use them. The cookies audit was the cookies law team’s first task.
Experian has four business divisions and many business units within each division. It has more than 70 web sites in the UK, which account for most of its cookie-usage. This made the audit process an extensive and time-consuming exercise.
The company maintains most of its own web sites itself and so has a lot of internal knowledge about how those web sites work and how they use cookies. For this reason, the cookies law team decided to use Experian’s internal knowledge and resources to perform the audit. Of course, this approach may not be suitable for all businesses; some may wish to take up the audit services on offer from various internet consultants and law firms.
A standard audit form was created and distributed to all web site managers, together with a reminder about the ICO’s definition of cookies. The cookies law team worked with web site managers to get the forms completed, then used cookies detection tools to double-check and validate the audit information received.
Analysing cookies
Whilst all this data was being gathered, the cookies law team began analysing the incoming audit information in order to ensure that the project maintained momentum and to manage the work load.
The team set up a database within a Sharepoint intranet site to store and analyse the cookies information received.
Compared with storing the information in an Excel spreadsheet or Access database, this depository had the advantage of being a permanent, central, single repository of cookies information, whilst also offering equivalent analytical and reporting functionality.
Having all cookies information stored on a central, easily filtered, database also offered another means to quality-check audit information. The team found that some cookies were used by a large number of web sites, meaning that discrepancies in audit information about a particular cookie could be readily identified, queried and addressed.
In analysing the cookies, the cookies law team discussed these discrepancies and other issues with web site managers. One of the benefits of this was that web site managers were able to spot cookies being placed by functionality that was obsolete or simply unnecessary. This led to many such cookies being disabled.
Categorising cookies
The cookies law team also began categorising the cookies by reference to the purpose they were being used for and whether they were first party (placed by Experian itself) or third party (placed by a third party on behalf of Experian).
There is no completely standard way of categorising cookies, so the business took a decision on categorisation based upon an analysis of the various purposes specific cookies were being used for. It is important to recognise that some cookies may have more than one purpose, and it is important that all purposes are accurately captured when categorising cookies; some cookies will therefore fall into more than one category.
Formulating an internal cookies policy
Having all of the above information is incredibly useful, but cannot be put into practice unless your business has decided on how it will comply with the amended law.
When the ICO issued its updated, more detailed, Guidance in December 2011, Experian began the process of formulating an internal policy on cookies.
The purpose of this policy was to send a strong internal message that Experian takes the new law seriously, and to act as a practical direction to web site managers as to the changes that they were expected to make to their web sites.
The content of the policy will differ from organisation to organisation, but will largely be driven by the types of cookies your web sites use, and your approach to obtaining consent from users. The results of the cookies audit will therefore help determine the type of internal cookies policy your organisation will need.
It may be useful to reproduce within this internal policy some of the information that you would be expected to include within an external cookies policy (ie the one on the web site itself for web users) and to refer back to the ICO guidance. This will help set the scene by explaining what cookies are and outlining the amended law and what it means for those operating web sites and using cookies.
It should also act as a practical briefing note to web site managers on how they should deal with cookies. Once the policy is in place, web site managers can get to work in implementing the policy in practice.
In formulating Experian’s internal policy the cookies law team sought to avoid being overly influenced by the various online opinions about the cookies law, and the various commercial ‘solutions’ to cookie control being currently marketed, and instead, to focus on the ICO Guidance itself.
The team plans to regularly review its policy in order to ensure that it keeps pace with the rapid developments in cookie control technology, industry standards, and any further updates to the ICO guidance.
Formulating and publicising the policy internally has, as you would expect, resulted in a great deal of follow-up work for the cookies law team; in particular, working closely with web site managers as they implement the internal policy. This is essential in order to ensure that the policy is accurately understood and is implemented consistently throughout the business.
The team has also had to address various other practicalities:
· creating a template cookies information page for its web site
· creating standard, plain-English, descriptions of each type of cookie used
· considering how to implement its cookies policy with third party IT suppliers.
Practical considerations
Conducting the audit process, formulating an appropriate policy and implementing that policy will, of course, give rise to many additional practical considerations that will need to be addressed.
By way of example, web site operators will need to consider how they can best communicate all relevant information to users in order to ensure that an adequate level of consent is obtained. This will involve considering the type of users the web site is directed at, as this will ultimately determine the type of language that should be used and the level of detail required.
In addition, careful consideration will need to be given to how the web site operates and how you can ensure that the requisite information is communicated to users at an appropriate time and regardless of the specific location on the web site where access is obtained.
Organisations engaging web developers or third-party marketers should also ensure compliance with the new law is built into and adequately covered off in any contract entered into with such third parties.
All of these factors will, of course, need to be balanced against the need to ensure that the usability and effectiveness of your web site is not compromised, and the impact this change has on your business is kept to a minimum.
Web site operators should also consider how they are going to ensure that their web sites continue to comply with the new law. To enable you to do so, you should consider conducting regular audits to check whether or not the cookies used on the web site have changed. Third-party cookies could be placed without you knowing, so you should check regularly to ensure that the information contained on your web site is kept up-to-date, and accurately reflects the cookies being used.
Scope
The directive only applies to Member States within the European Economic Area (EEA), but one cannot help wonder if, as awareness grows, the use of cookies will also become more heavily regulated in other jurisdictions. The ICO Guidance already states that web sites hosted outside of the EEA, but which are directed at web users within it, should comply with these requirements as users within the EEA will expect them to. Therefore, even if your web site is not directed at users in the EEA and not caught by these changes now, you should watch this space as you may become subject to tighter regulation in the future.
Alex Newson is a Solicitor at Experian and deals with IP, disputes and technology projects.
Aisling Duffy is an Associate in Shoosmiths’ Commercial and Technology Unit. She advises clients in relation to a broad range of commercial law matters and specialises in data protection, IT contracts and e-commerce.
Holly Cheng is a Trainee Solicitor at Shoosmiths and is on secondment at Experian.
