Launching the guidance, the Information Commissioner said that businesses “must try harder” in preparing to comply with the new law, which came into force in May 2011 and will be fully enforced from the end of May 2012. More constructively, the revised guidance sets out some practical measures which websites can adopt to help ensure compliance with the new law.
The new law requires websites to obtain prior, informed consent from users before placing cookies on those users’ computers or mobile devices. As the new guidance puts it, before setting cookies you must:
- tell people that the cookies are there,
- explain what the cookies are doing, and
- obtain their consent to store a cookie on their device.
The only exception is where the cookie is “strictly necessary” for technical reasons. The guidance confirms that this is a narrow exception, and will not (for example) cover cookies used for analytics or to tailor a greeting when a user returns to a site.
As a starting point for compliance, the ICO guidance recommends a three-step approach:
- Check what type of cookies you use and how you use them.
- Assess how intrusive your use of cookies is.
- Decide how to obtain consent from users.
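The three requirements (tell, explain, obtain consent) and the narrow "strictly necessary" exception translate fairly directly into browser-side code. The following is an added example written for this page; it is not code from the ICO guidance or from the original post. It assumes a site-maintained cookie register (the output of the "check what cookies you use" step), a consent-recording cookie named `cookie_consent`, and an in-memory cookie jar so the walkthrough runs without a browser; the cookie names and purposes are constructed for illustration, and the `browserJar` helper assumes the site is served over HTTPS.

```javascript
// Added example: a consent gate that writes non-essential cookies only after the
// visitor has been told about them and has consented. Not from the original post.

// Step 1 of the ICO approach: an audit of every cookie the site sets. The
// strictlyNecessary flag is the site's own classification; analytics and
// "welcome back" cookies are deliberately marked false, matching the guidance.
const COOKIE_REGISTRY = {
  session_id: { strictlyNecessary: true,  purpose: 'keeps you signed in while you browse' },
  basket:     { strictlyNecessary: true,  purpose: 'remembers what is in your basket' },
  _ga:        { strictlyNecessary: false, purpose: 'Google Analytics: counts visits and pages viewed' },
  greet_name: { strictlyNecessary: false, purpose: 'remembers your name for a greeting next time' },
};

// Hypothetical name for the cookie that records the consent decision itself.
const CONSENT_COOKIE = 'cookie_consent';

// Cookie jar used by the walkthrough and tests: a plain in-memory store.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    names: () => [...store.keys()],
  };
}

// Cookie jar backed by document.cookie for use in a real page (assumes HTTPS,
// since the Secure attribute is set). Not exercised by the tests.
function browserJar() {
  return {
    get: (name) => {
      for (const pair of document.cookie.split('; ')) {
        const i = pair.indexOf('=');
        if (pair.slice(0, i) === name) return decodeURIComponent(pair.slice(i + 1));
      }
      return null;
    },
    set: (name, value) => {
      document.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax; Secure`;
    },
    names: () => document.cookie.split('; ').filter(Boolean).map((c) => c.split('=')[0]),
  };
}

function createConsentGate(registry, jar) {
  // Non-essential writes requested before consent; replayed once consent is given.
  const deferred = [];
  const hasConsent = () => jar.get(CONSENT_COOKIE) === 'yes';

  // Returns true if the cookie was written now, false if it was held back.
  // Refuses cookies that were never audited, so nothing bypasses step 1.
  function setCookie(name, value) {
    const entry = registry[name];
    if (!entry) throw new Error(`cookie "${name}" is not in the registry; audit it before setting it`);
    if (entry.strictlyNecessary || hasConsent()) {
      jar.set(name, value);
      return true;
    }
    deferred.push([name, value]);
    return false;
  }

  // Called when the visitor clicks "Accept": records consent and flushes the queue.
  function recordConsent() {
    jar.set(CONSENT_COOKIE, 'yes');
    while (deferred.length) {
      const [name, value] = deferred.shift();
      jar.set(name, value);
    }
  }

  // The first-visit notice: names each non-essential cookie and what it does,
  // covering the "tell people" and "explain" parts of the requirement.
  // Returns null once consent has been recorded, so returning visitors are not nagged.
  function noticeText() {
    if (hasConsent()) return null;
    const lines = Object.entries(registry)
      .filter(([, e]) => !e.strictlyNecessary)
      .map(([n, e]) => `- ${n}: ${e.purpose}`);
    return ['This site would like to set the following cookies on your device:', ...lines,
      'Click "Accept" to allow them. Strictly necessary cookies are set regardless.'].join('\n');
  }

  return { setCookie, recordConsent, hasConsent, noticeText, pending: () => deferred.map(([n]) => n) };
}

// Walkthrough of a first visit: which cookies exist before and after consent.
function demo() {
  const jar = memoryJar();
  const gate = createConsentGate(COOKIE_REGISTRY, jar);
  gate.setCookie('session_id', 'abc123'); // strictly necessary: written at once
  gate.setCookie('_ga', 'GA1.2.1');       // analytics: held back
  gate.setCookie('greet_name', 'Alice');  // greeting: held back
  const before = jar.names();
  gate.recordConsent();
  const after = jar.names();
  return { before, after };
}
```

In a real page the gate would be created with `browserJar()` and the analytics loader would call `setCookie` (or be started from `recordConsent`) rather than running unconditionally; the point of the deferred queue is that consent, once given, does not lose the work that was requested before it. Note that the notice is a string for the site to render, not a hidden "Privacy and cookies" link.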
I suspect that inferring consent in this way will prove highly popular with websites, since it avoids the problem experienced by websites that require positive consent, such as ticking a box, before placing cookies. One analysis suggested that only around 5% of users of the ICO’s website (which follows this tick-box approach) were agreeing to cookies, a figure which would have been ruinous for many websites.
However, inferring consent does still require a clear message to be displayed to first-time visitors. It is not enough to rely on a general “Privacy and cookies”-type link.
Opportunities for consent
The ICO guidance also suggests that websites look out for opportunities to obtain positive consent from users. One opportunity comes where new registered users are asked to agree to the site’s terms and conditions as part of the sign-up process, though existing registered users will need to be told about any change to the terms to allow for cookies.
Other opportunities may come where users set preferences or use new features for the first time: for example, a notice saying “We will use a cookie to remember this”, with a link to the cookies policy.
Analytics cookies – often for Google Analytics – are one of the most widespread types of cookie. The ICO’s position on analytics cookies is that they are not technically essential for websites, so consent will be required for them.
Having said all that, the ICO does drop a large hint that it does not regard analytics cookies as posing a serious risk to privacy. In the very last paragraph of the 27-page guidance document, it states that “it is highly unlikely that priority would be given to focusing on uses of cookies where there is a low level of intrusiveness”, which includes “first party cookies used only for analytical purposes”, provided clear information is given on the site.
Third party and advertising cookies
Third party cookies, especially those used for online advertising, are the most problematic from a privacy point of view. The ICO’s research suggests that even well-informed internet users are unaware of the distinction between first party cookies and third party cookies, that is, cookies set by a domain other than that of the website the user is visiting, and so used by someone other than the website owner.
The guidance acknowledges, though, that third party cookies remain “one of the most challenging areas in which to achieve compliance”, given the higher privacy concerns over such cookies and their critical importance to online advertising.
It remains to be seen how the new law will operate in practice. Levels of compliance remain woefully low, so it is hard to discern any “best practice” emerging at present. However, the ICO’s guidance does at last suggest some practical ways in which websites can comply with the law without losing the benefits of using cookies.