This page contains a Flash digital edition of a book.
BUSINESS MATTERS


Taming the legal cookie monsters


Martine Nathan


Here, Martine Nathan, Partner at Teacher Stern Solicitors, warns us about the new Cookie Monster created by changes to the law on web browsing cookies, and provides guidance on how to tame the beast.


O


n 26 May 2011, the Privacy and Electronic Communications (EC Directive) (Amendment)


Regulations (SI 2011/1208)) came into force in the UK (the Regulations). The main change is that website operators are now required to obtain an end user’s consent if they want to store a cookie on the end user’s device or gain access to information stored on an end user’s computer or mobile phone.


What is a cookie?


A ‘cookie’ is a small text file that is placed on a user’s computer hard drive by a website. It allows the website to store certain information about the user’s use of the website and to recognise the user when he or she returns to the website in the future. While cookies cannot individually identify an individual, the information they provide could be combined with further information held about such individual making it possible to identify that user. There are several types of cookies and the most common are often referred to as ‘session’ cookies. These are used to keep track of information needed by a user as they travel from page to page within a website. Cookies therefore remember user’s browser habits.


Other types of cookies can be used to track Internet activity after the user has left a website. These are usually sponsored by organisations external to the website being visited and are generally known as ‘third party’ cookies. This type of cookie may well be being used by you today. Especially as a tool for enabling


targeted advertising. Pretty much all ecommerce and many other websites will commonly use cookies in order to service an end user’s requirements and expectations, ie, to enable an end user to personalise their account.


The Regulation now requires an active ‘opt in’ to the use of cookies. Before 26 May 2011 it was sufficient for website operators to inform users how the cookies are being used and that the users could opt out if they objected. Contrast this with the new opt-in approach. Now, any users of your website must provide some active consent to the use of any cookies on your website. The ongoing use of browser settings as a form of consent will not be consistent with the revised opt- in wording in the Regulations.


Options to obtain consent The biggest challenge for you as website operators will be to ensure that consent is obtained in a way which will not ruin the end user’s browsing experience. Some of the options include: • Pop ups: I’m sure we all agree these can prove very frustrating and may decrease an end user’s willingness to access a certain website. • Terms and conditions: This option can be used when a user first signs up. However, if the user has previously consented then a further opt-in will be needed for such pre existing end users. • Settings led consents: Many websites remember which version of the website a user wants to see (in terms of language, personalised greeting, font size and other


settings). Website operators could insert a suitable wording on the settings page to explain that by allowing the website to remember user’s choice, a user is giving its consent to set the cookie. • Feature led consent: If a user chooses a particular feature (such as watching video clips) only enabled on the website by opening a link or clicking a button, website operators may use this as an opportunity to make it clear to the user that by continuing this will be interpreted as his/her consent to the use of cookies. • Notices and Privacy Policies: Changing website notices and privacy policies that a user must actively accept.


Exceptions


Under the Regulations no consent is needed where the cookie is ‘strictly necessary’ to allow the website to provide services (eg, adding items to online shopping baskets or using online banking services). The exceptions to the rule will though be interpreted very narrowly and it is more likely as a general guidance that positive action must be taken by website operators.


Enforcement


The Regulations will be overseen by the Information Commissioner’s Office (ICO). In its guidance, the ICO has adopted a ‘phased approach’ to implementation of changes. During the months until May 2012, the ICO will not be taking enforcement action against websites that are working on browser solutions to the problem. The ICO does not state how long the ‘grace period’


The Comms National Awards yet? Visit www.cnawards.com


Have you entered www.comms-dealer.com


Sponsors the Service Provider Category COMMS DEALER JULY 2011 55


will be. If a complaint is received within such period, the website operator will be expected to produce a plan that demonstrates it has: • Checked what type of cookies and similar technologies it uses and how it uses them (ie, considered which cookies are strictly necessary and which will require consent). • Assessed how intrusive that use is (ie, some cookies simply allow website operators to improve their website based on gathering information on which links are most frequently used etc). • Decided what solution to obtain consent is best in its circumstances.


Christopher Graham, the Information Commissioner, has said that he is ‘taking a commonsense approach’. However, ‘those who choose to do nothing will have their lack of action taken into account’ when the ICO begins formal enforcement of the rules.


Action now There are a number of steps that you can start undertaking now: • Amend your online terms and conditions/privacy policy to detail clearly your use of cookies and what consumers are agreeing to in this regard. • Assess your use of cookies (delete those no longer used). • Establish the best way to obtain adequate consent from users. • Prepare a policy on how you will deal with the new law (rights for end users to unsubscribe, a complaints policy and document all attempted compliance).


m.nathan@teacherstern.com


n


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60  |  Page 61  |  Page 62  |  Page 63  |  Page 64  |  Page 65  |  Page 66  |  Page 67  |  Page 68