The End of the UK Cookies Law


From Saturday, May 26, 2012, the UK’s amnesty period for compliance with the "Cookies Law" will be at an end. Although any organization that hasn’t taken steps to comply with the new requirements shouldn’t panic, they do need to take action now to ensure they are not subject to enforcement proceedings by the UK Information Commissioner’s Office (ICO).

How does this affect U.S. businesses?

U.S. businesses might think that the Cookies Law does not apply to them, but because cookies are delivered through electronic communications networks in the UK and placed on the electronic device (e.g., computer, smart phone or tablet) of individuals based in the UK, the Cookie Law is applicable. If you have a permanent establishment in the UK, that can also make you subject to UK privacy rules.

What is the Cookies Law?

Originating from Article 5.3 of the European Union E-Privacy Directive 2002/58/EC (as amended by the Citizen’s Rights Directive 2009/136/EC) and having been implemented in the UK through Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (as amended in 2011), the law requires the obtaining of informed consent before storing or accessing information on a user’s computer or other electronic device.

The law’s major impact will be on the use of cookies on websites and in essence requires that organizations:

  • Tell users about the cookies used on their website(s);
  • Explain what the cookies are doing; and
  • Obtain consent to store cookies on a user’s device.

It is important to note that the law applies to all cookies regardless of the impact on a person’s privacy (although privacy impact can be relevant to the approach taken to gain consent).

There is an exception from the requirements where the use of a cookie is strictly necessary for the provision of a web service requested by the user. However, the exception is considered narrow in scope and will only apply to a small number of cookies, such as those used to remember the items a user wishes to purchase, rather than analytical or accessibility-type cookies.

Although commonly referred to as the "Cookies Law" because of the law’s significant impact on cookie use, it is also wide enough to cover other technologies that access and store information on a user’s electronic devices, for example, local shared objects, mobile apps and emails. Organizations should therefore not focus solely on "cookies."

How do you comply?

Cookie Audit

The first stage is to check what type of cookies you use and how you use them. Any cookie audit should seek to identify:

  • The cookies used, in particular distinguishing between first- and third-party cookies and between persistent and session cookies;
  • When the cookies are set, whether on first visiting the site, at registration or at some other point in time;
  • The purpose(s) of each cookie. An assessment will need to be made as to whether it performs an essential or non-essential function and what its impact on the user’s privacy is. Cookies that profile users have a greater impact on privacy than analytics-based cookies;
  • Any cookies that are no longer needed and can be purged from the site.
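One way to mechanise the audit checklist above, as an added example that is not part of the original article: given a list of (response URL, Set-Cookie header) pairs captured by a crawler or proxy, it records each cookie's party, persistence, where it was set and its security flags. The sample responses and hostnames are constructed, and the registrable-domain check is a deliberate simplification noted in the code.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample input: (URL of the response that set the cookie, raw Set-Cookie header),
# as a crawler or proxy log of the audited site might record them.
SAMPLE_RESPONSES = [
    ("https://www.example.com/", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.com/basket", "basket=item42; Max-Age=86400; Path=/"),
    ("https://shop.example.com/", "lang=en; Domain=.example.com; Expires=Wed, 09 Jun 2021 10:18:14 GMT"),
    ("https://ads.tracker-example.net/collect", "_tid=xyz; Domain=.tracker-example.net; Max-Age=63072000"),
]


def registrable_domain(host: str) -> str:
    """Simplification (assumption): the registrable domain is the last two labels.
    A real audit should use the Public Suffix List (e.g. the tldextract package)
    so that hosts under co.uk and similar suffixes are classified correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_cookie(site_url: str, response_url: str, set_cookie: str) -> list:
    """Classify every cookie in one Set-Cookie header: first/third party,
    session/persistent, where it was set, and its security flags."""
    site_domain = registrable_domain(urlparse(site_url).hostname)
    response_host = urlparse(response_url).hostname
    jar = SimpleCookie()
    jar.load(set_cookie)
    inventory = []
    for name, morsel in jar.items():
        # A cookie with no Domain attribute is host-only for the responding host.
        cookie_domain = (morsel["domain"] or response_host).lstrip(".")
        inventory.append({
            "name": name,
            "party": "first" if registrable_domain(cookie_domain) == site_domain else "third",
            # Session cookies carry neither Max-Age nor Expires; anything else persists.
            "persistent": bool(morsel["max-age"] or morsel["expires"]),
            "set_at": response_url,
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        })
    return inventory


def audit_site(site_url: str, responses) -> list:
    """Build the full cookie inventory for the audited site."""
    inventory = []
    for response_url, header in responses:
        inventory.extend(audit_cookie(site_url, response_url, header))
    return inventory
```

The inventory returned by `audit_site` is the raw material for the cookie policy: each entry still needs a human-assigned purpose and privacy-impact rating, which no script can infer from the header alone.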

Provision of information – Cookie Policy

Following any audit, a cookie policy must be developed to explain the cookies used and their purposes. This will need to expand on the type of information in your current privacy policy. Early adopters of the new requirements appear to be trending towards identifying specific cookies in their cookie policy. An effective audit should provide the information required to do this.

Given the obligations to obtain consent and to provide clear and comprehensive information, the information about cookies must be more readily available and prominent. As a general rule, the cookie policy should be identified separately from the privacy policy and given a greater degree of prominence. As a minimum, the privacy policy should be renamed "cookie and privacy policy."

The policy should also explain how consent can be withdrawn and how cookies that have already been set can be removed. Any consequences of withdrawing consent, such as loss of functionality, should be explained.

Obtaining consent

Consent should be gained from users before the cookie is set and through an affirmative step on the part of the user.

In the UK the ICO has recognized that this can be challenging in practice, and there is an acknowledgement that the approach you need to take in respect of consent will depend on the cookies you use and their impact on an individual’s privacy. The more intrusive the cookie, the more you will need to do to get "meaningful" consent.

Potential ways in which consent may be obtained are as follows:

  • Pop-up windows or splash pages or static information banners, although these are generally considered to adversely affect user experience;
  • Feature and user settings—giving users control of a site’s use of cookies through settings; or
  • Browsers settings—although it is generally considered by the ICO that current browser settings are not sophisticated enough for websites to assume that consent has been given. However, a user’s browser settings may be a factor in contributing to a situation in which consent can be implied.

Other technologies

Steps should be taken to assess what other technologies are used by organizations that require access and storage of information on a user’s electronic device. A similar approach to cookies should then be taken which includes an assessment of an appropriate mechanism to provide the user with notice about the storage and access and how an indication of his/her consent can be received.

Approach to enforcement

The Cookies Law came into force in May last year with a 12-month amnesty period for organizations to become compliant. However, even though that period is now at an end, the ICO has stated that it will take a practical and proportionate approach to enforcing the rules on cookies.

The ICO has suggested that where users have been provided with clear information about the use of cookies that do not really impact on privacy, the ICO is highly unlikely to take any enforcement action even though the strict requirements relating to consent may not have been complied with.

Further, any action (usually in response to a complaint) will involve businesses being asked to explain what steps are being taken to comply with the new rules, rather than being subject to immediate enforcement action. This approach will not, however, stop the ICO taking action if it isn’t satisfied with what it is then told.

The message from the ICO is clear: if organizations haven’t developed their compliance strategy yet, the process must definitely be started now. However, U.S.-based businesses should consider the likelihood and practicality of enforcement action against non-UK based operations; privacy-intrusive cookie use, or websites heavily used by or targeted at UK citizens, are more likely to receive attention. In any event, U.S. businesses that can demonstrate alignment with steps 3-6 of the “quick wins” described below will reduce the likelihood of enforcement.

Quick wins for Cookies Law compliance

For organizations to avail themselves of the ICO’s pragmatic approach, they must be able to demonstrate that they are not just ignoring the law. This could involve implementing some relatively quick steps that do not immediately involve large technical change, including:

  • Create a time-lined project plan of compliance activities;
  • Audit website cookies;
  • Remove cookies that are not needed;
  • Amend/add a cookie policy;
  • Make the cookie policy prominent on the website;
  • Include instructions in the cookie policy about how the user can disable cookies for him/herself.

In the longer term organizations can then move to deciding on an appropriate method for gaining consent and implementing any necessary changes to their websites.

Implementation in Europe

Stemming from the E-Privacy Directive, the 27 Member States of the European Union are all under an obligation to implement their own version of the Cookies Law. However, to date implementation has been a patchwork. Among those countries that have implemented the law, the requirements in respect of notice about cookie use tend to be broadly similar, but consent requirements can differ. For example, Germany is yet to formally enact its legislation, in France prior consent may not always be necessary for analytic-type cookies, and in Spain it may be possible to rely on implied consent.

Overall, as with other privacy-related legislation in Europe, developing a “one size fits all” approach across the Member States will continue to be challenging. However, a prominent, informative and well-drafted cookie policy with instructions on how individuals can opt out of cookie use manually is an advisable starting point for compliance in every country.