Cookies: act now over changes in the law that affect your company’s website

Strategic Direction

ISSN: 0258-0543

Article publication date: 18 May 2012


Citation

Bell, S. (2012), "Cookies: act now over changes in the law that affect your company’s website", Strategic Direction, Vol. 28 No. 7. https://doi.org/10.1108/sd.2012.05628gaa.002

Publisher: Emerald Group Publishing Limited

Copyright © 2012, Emerald Group Publishing Limited



Article Type: Corporate law outlook

From: Strategic Direction, Volume 28, Issue 7

Cookies are small files that allow websites to recognise users. They are automatically downloaded onto devices when websites are accessed and sent back, allowing users’ activities to be monitored.

Cookies are commonplace, but regulated. Websites have always had to provide clear information about cookies and allow users to opt out. The majority of users are unaware of them and their choice to opt out. Personal data, where information received from cookies could be linked to names, was protected under the Data Protection Act 1998.

Last year regulations affecting all businesses operating from, or with web presences in, the UK were adopted, increasing the protection of privacy where users cannot be personally identified. Websites must now provide clear information about the cookies they use and ensure they have the users’ consent to store them on their devices. This applies to all cookies except those that are “strictly necessary” for functioning and services provided by the websites (such as remembering what customers have ordered in online purchasing).

The effect of this is that compliance requires more attention from businesses. As user awareness increases, obtaining consent may become easier but more users may elect to opt out and businesses will need to be geared up to cope with this.

The Information Commissioner’s Office (ICO) has given businesses a year to make these changes. After May 2012 it has the power to fine, audit and prosecute, and will be looking to make examples of businesses yet to take any steps. Detailed guidance on the ICO’s powers can be found at: www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_regulatory_action_policy.pdf

You need to get informed consent from users to use all non-essential cookies, which inevitably means making changes to your website and privacy policy. If you are acquiring a business, you will need to ensure the target company is compliant and include these checks as part of your due diligence. You will also have to be up to date if you are considering selling your business.

It is no longer enough to expect users to set their own settings to opt out, and consent cannot be implied while awareness remains low. If you get left behind with these changes, your business will be open to penalties and bad publicity if the ICO decides to take action against you.

If you have not already done so, you should use the remaining lead-in time to create a strategy for compliance. You need to be making changes before the end of May and the earlier you begin reviewing your cookie use, the better.

The ICO has provided guidance on how to conduct a cookie audit, which you should follow even if you think that you will not be breaking the regulations:

  • Identify which cookies are operating on or through your website.

  • Confirm the purpose(s) of each of these cookies.

  • Confirm whether you link cookies to other information held about users, such as usernames.

  • Identify what data each cookie holds.

  • Confirm the type of cookie – are they session cookies, which will expire when the users close the windows, or persistent cookies, which are stored on the devices?

  • If they are persistent cookies, how long is their lifespan? Can it be reduced?

  • Are they first or third party cookies? If third party, who is setting them and are they compliant?

Once you have this information, you should rank the cookies, starting with the most intrusive, and work down from the top of that list to achieve meaningful consent to their use. You should also double check that your privacy policy explains what cookies are and what their consequences are, and that it includes accurate and clear information about each one you use.
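The audit steps above can be partly automated from the Set-Cookie headers a site and its embedded third parties return. The sketch below is an added example, not ICO or Gordons material: it records each cookie's data, type, lifespan and first/third-party status, then ranks the inventory. The sample headers, the `example` hostnames, the two-label domain heuristic and the ranking rule (third party first, then longest-lived) are all assumptions; purpose and linkage to user records still have to be filled in by hand.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample: (URL of the response that set the cookie, raw Set-Cookie value).
PAGE_URL = "https://shop.example/basket"
OBSERVED = [
    ("https://shop.example/basket", "basket=3f9a; Path=/; HttpOnly"),
    ("https://shop.example/basket", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("https://ads.tracker.example/px",
     "uid=77ab; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Domain=tracker.example"),
]
NOW = datetime(2012, 5, 18, tzinfo=timezone.utc)  # fixed audit date for repeatable output

def site_of(host):
    """Crude site guess (last two labels); an assumption, not a Public Suffix List lookup."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])

def audit_cookie(page_url, response_url, header, now=NOW):
    """Turn one Set-Cookie header into an audit row."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    attr = {k.strip().lower(): v.strip()
            for k, _, v in (a.partition("=") for a in attrs)}
    lifetime = None  # seconds; None means a session cookie
    if "max-age" in attr:  # Max-Age takes precedence over Expires (RFC 6265)
        lifetime = int(attr["max-age"])
    elif "expires" in attr:
        lifetime = int((parsedate_to_datetime(attr["expires"]) - now).total_seconds())
    host = urlsplit(response_url).hostname
    cookie_domain = attr.get("domain") or host
    third_party = site_of(cookie_domain) != site_of(urlsplit(page_url).hostname)
    return {
        "name": name, "data": value, "set_by": host,
        "type": "session" if lifetime is None else "persistent",
        "lifetime_days": None if lifetime is None else lifetime // 86400,
        "party": "third" if third_party else "first",
    }

def build_inventory(page_url, observed):
    rows = [audit_cookie(page_url, u, h) for u, h in observed]
    # Assumed intrusiveness ranking: third party first, then longest lifespan.
    rows.sort(key=lambda r: (r["party"] != "third", -(r["lifetime_days"] or 0)))
    return rows

if __name__ == "__main__":
    for row in build_inventory(PAGE_URL, OBSERVED):
        print(row)
```
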

There are different ways in which you can work towards gaining meaningful user consent. These range from redesigning your web pages, to make the links to information about cookies more prominent, to creating a new clickable image or icon. More examples of these, including screenshots, can be found on the “ICO guidance on the rules on use of cookies and similar technologies” at www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx

Your users should be able to read information about your cookies and then click to accept them. For multiple uses by the same user of a website, it may be possible to relay their previous acceptance of the cookie. In the future, once the use of cookies is more broadly understood and accepted by users, it may also be possible to rely on consent implied by use of the website alone.

In summary, the law has changed and your business is now subject to tightened privacy regulation. It is likely that the ICO will issue more information and guidance before May but you should start reviewing your position now. You should also consider taking independent legal advice.

If you wish to discuss the points raised in this article, or any issues around cookies, please contact Samantha Bell, trainee in Gordons’ corporate team on 01274 202 131 or e-mail: samantha.bell@gordonsllp.com

Samantha Bell, Trainee in the corporate team, Yorkshire law firm Gordons.

Acknowledgements

© Gordons LLP. Issued on behalf of Gordons LLP by Brand8 PR. For further information please contact Rob Smith on Tel: 0113 394 4580, Mobile: 07840 677534, E-mail: rob.smith@brand8pr.com
