Earlier this year the UK government amended the Privacy and Electronic Communications Regulations (PECR) to implement the revised EU e-Privacy Directive. The amended regulations took effect on 26 May 2011, but after a series of lobbies and petitions from industry the Information Commissioner's Office (ICO) announced that it would not take formal enforcement action for 12 months, so in practice enforcement begins on 26 May 2012.
Six months into that 12-month lead-in the Information Commissioner has released a statement alongside updated guidance:
“The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like. We’re halfway through the lead-in to formal enforcement of the rules.
“But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”
“Our mid-term report can be summed up by the schoolteacher’s favourite clichés “could do better” and “must try harder.” Many people running websites will still be thinking that implementing the law is an impossible task. But they now need to get to work. Over the last few months we’ve been speaking to and working with businesses and organisations that are getting on with it and setting the standard. My message to others is – if they can do it, why can’t you?
“Some people seem to want us to issue prescriptive check lists detailing exactly what they need to do to comply. But this would only get in the way and would be too restrictive for many businesses and organisations. Those actually running websites are far better placed to know what will work for them and their customers.”
Key points set out in the amended cookies advice include:
- More detail on what is meant by consent. The advice says ‘consent must involve some form of communication where an individual knowingly indicates their acceptance.’
- The guidance explains that cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules.
- However, cookies used for most other purposes including analytical, first and third party advertising, and ones that recognise when a user has returned to a website, will need to comply with the new rules.
- Achieving compliance in relation to third party cookies is one of the most challenging areas. The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers.
- The ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.
The ICO also sets out how it intends to approach enforcement:
- We will allow for a greater focus on wilful non-compliance by letting those who are making genuine attempts to comply get on with the job without unnecessary interference from the regulator.
- We will further reduce the burden on those trying to comply by ensuring that our response to complaints recognises ongoing work.
- We will give realistic and practical advice to those who ask for it
- We will be clear about how this work fits in with our strategy on regulatory action
- We will apply the rules consistently
What the ICO expects from website owners
There is no silver bullet and we are not expecting you to invent one. If we approach your organisation about this topic, perhaps because we have received complaints, we expect you to be able to tell us what you have done so far, how you expect to be compliant and how long it will take. Exactly what you tell us will depend on who you are, the sophistication and complexity of your website and who your users are but we will expect that you can tell us something.
Two general questions that may help here are, “is my website doing anything that my users don’t know about?” and “am I confident that I am giving them appropriate options?” Your confidence might stem from the fact that you have switched all your cookies off until users tell you to switch them on again. It might stem from the fact that many of your users are registered with you and as part of the registration process they have indicated to you that they are happy for your site to work in a certain way. Or it might stem from the fact that your users will know that some things are more likely than not going to happen when they arrive at your site and that if they want to make choices about those things they know where to go and what to do.
The first option is the safest one. The second is just as safe provided that you are honest and upfront with registered users and that you can rely on the fact that they have made an informed decision to click that “Agree” button. It also, of course, only applies to some of your users – how will you ensure that the one-off or casual user is not left with a browser full of persistent and unwanted cookies?
The third option relies on a lot of factors that might be out of your control such as the general level of user awareness. You can and should, though, do whatever you can to demonstrate your compliance. Three things will help: following the ICO advice, looking for and implementing the ‘quick wins’ and keeping an eye out for industry or sectoral standards and codes. After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask “if they can do it, why can’t you?”
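The "first option" above (cookies switched off until the user switches them on) and the ICO's split between exempt cookies (shopping basket, security) and consent-requiring ones (analytics, advertising, returning-visitor recognition) can be enforced in code rather than by policy alone. The following is an added example written for this page, not code from the ICO or any site it mentions: a small consent gate that writes only registered, strictly necessary cookies before consent, holds everything else back until consent for its purpose is granted, and produces the kind of inventory a cookie audit needs. The cookie names, purposes and values in the registry are constructed for illustration, and the in-memory `Map` stands in for `document.cookie` so the example runs outside a browser.

```javascript
// Added example (not ICO code): a consent gate for a site's own cookies.
// Only cookies registered with purpose "necessary" are written before the
// user opts in; all others wait until consent for their purpose is granted.
// Cookie names, purposes and values below are constructed for illustration.

const EXEMPT_PURPOSE = 'necessary';

// Hypothetical output of a cookie audit: every cookie the site sets, with
// a purpose drawn from the two groups the ICO guidance distinguishes.
const COOKIE_REGISTRY = {
  // likely exempt: strictly necessary for a service the user asked for
  basket:     { purpose: 'necessary',       note: 'online shopping basket' },
  csrf_token: { purpose: 'necessary',       note: 'protects forms against cross-site request forgery' },
  // need consent under the amended rules
  _ga:        { purpose: 'analytics',       note: 'site analytics' },
  ad_id:      { purpose: 'advertising',     note: 'third-party advertising identifier' },
  returning:  { purpose: 'personalisation', note: 'recognises a returning visitor' },
};

class ConsentGate {
  // registry: name -> { purpose, note }; jar: a Map standing in for document.cookie
  constructor(registry, jar) {
    this.registry = registry;
    this.jar = jar;
    this.consented = new Set([EXEMPT_PURPOSE]);
    this.deferred = [];  // cookies requested before consent for their purpose
    this.waiting = [];   // callbacks (e.g. third-party tag loaders) awaiting consent
  }

  // Returns 'set' if the cookie was written now, 'deferred' if it is held back.
  setCookie(name, value) {
    const entry = this.registry[name];
    if (!entry) {
      // Fail closed: a cookie that is not in the registry has not been audited.
      throw new Error(`cookie "${name}" is not in the registry; audit it before setting it`);
    }
    if (this.consented.has(entry.purpose)) {
      this.jar.set(name, value);
      return 'set';
    }
    this.deferred.push({ name, value });
    return 'deferred';
  }

  // Run fn only once the user has consented to this purpose. Use it to inject
  // third-party scripts: cookies they set cannot be intercepted by this gate,
  // so the script itself must not load until consent exists.
  whenAllowed(purpose, fn) {
    if (this.consented.has(purpose)) { fn(); return true; }
    this.waiting.push({ purpose, fn });
    return false;
  }

  // Record consent for one or more purposes and release whatever was held back.
  grant(purposes) {
    for (const p of purposes) this.consented.add(p);
    const stillDeferred = [];
    for (const c of this.deferred) {
      if (this.consented.has(this.registry[c.name].purpose)) this.jar.set(c.name, c.value);
      else stillDeferred.push(c);
    }
    this.deferred = stillDeferred;
    const stillWaiting = [];
    for (const w of this.waiting) {
      if (this.consented.has(w.purpose)) w.fn();
      else stillWaiting.push(w);
    }
    this.waiting = stillWaiting;
  }

  // Audit view: what is actually in the jar, why, and whether it was consented to.
  audit() {
    return [...this.jar.keys()].map((name) => {
      const entry = this.registry[name] || { purpose: 'unknown', note: 'NOT REGISTERED' };
      return { name, purpose: entry.purpose, note: entry.note, consented: this.consented.has(entry.purpose) };
    });
  }
}

// Walk through a casual visitor who later accepts analytics but not advertising.
function demo() {
  const jar = new Map();
  const gate = new ConsentGate(COOKIE_REGISTRY, jar);
  let adTagLoaded = false;
  gate.setCookie('basket', 'sku-1234');                   // exempt: written immediately
  gate.setCookie('_ga', 'GA1.2.example');                 // held until analytics consent
  gate.whenAllowed('advertising', () => { adTagLoaded = true; });
  gate.grant(['analytics']);                               // releases _ga; ad tag still held
  return { audit: gate.audit(), adTagLoaded, deferred: gate.deferred.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real deployment the jar's `set` would write `document.cookie` with appropriate `Secure`, `SameSite` and expiry attributes, and the registry would be generated from the cookie audit rather than typed by hand. The fail-closed check on unregistered names is the part worth keeping: it turns "is my website doing anything my users don't know about?" from a question into an error raised at the point a new cookie appears.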