ICO gives businesses a year to comply with new cookies law

As an update to my post on the new cookies law, the ICO has now published guidance on their approach to enforcement of the new law (PDF). The guidance itself can be found here (PDF).

The key point is that the ICO is giving businesses a year to comply with the new law. Full compliance will only be expected from May 2012. However, this doesn’t mean that organisations can sit on their hands in the meantime. As the ICO guidance puts it:

The Commissioner does not though condone organisations taking no action in the period up to May 2012. Organisations should be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012. If it appears to the Commissioner that particular organisations are not making adequate compliant by May 2012 he may issue them with a warning as to the future use of his enforcement powers.

If the ICO receive complaints about non-compliant cookies during this period, they will ask website owners to explain what steps they are taking to ensure compliance by May 2012.

There is still a great deal of confusion in the marketplace about what the new law means in practice and how businesses can comply. Some are suggesting that websites offering aggregated opt-outs to multiple standard cookies will be enough to comply with the law. However, the law is clear: it is not enough to offer an opt-out, however well publicised and coordinated. Users must give prior informed consent before cookies can be used by a particular website.

Hopefully over the next few months it will become clearer what approaches are seen as most effective in practice. The ICO has implemented a header on its website asking people to consent to cookies, but even they acknowledge this cumbersome and intrusive approach is not going to be appropriate for most other organisations.

Of more practical use for most businesses is the ICO’s example, in its own privacy policy, of how to set out information about what cookies are used. The table used by the ICO strikes me as a very clear and user-friendly way of informing website users about what cookies are being used and for what purpose.

Death of the domain name?

Interesting article on plans for forthcoming releases of the Google Chrome and Mozilla Firefox browsers to “deemphasise” the address bar, so that the URL of the page you’re viewing is not visible in normal browsing.

As the report puts it:

Google’s motivation to reduce your dependence on the URL bar is clear, since the company would rather that you think of using the web the same way you use your iPhone or Android device.

As Google sees it, the Web isn’t a collection of sites such as nytimes.com, mail.google.com or Facebook.com. Instead these are all software applications called The New York Times, Gmail, and Facebook that happen to live online instead of on the desktop.

From an online safety point of view, this has pros and cons. Critics will argue that hiding the URL will make life easier for scammers to direct people to phony sites. Against that, the linked report suggests that removing human error (typing the wrong address) will reduce some opportunities for scam sites.

I remember suggesting at an event some years ago that search would ultimately displace URLs/domain names as the main means by which people navigated the web. It’s taken longer than I thought, but it does now seem to be happening: I’ve noticed a number of offline advertisements in recent months (such as billboards and magazine ads) that invite people to search for a keyword rather than giving the advertiser’s website address.

Add to that this new trend to treat websites as apps, and it may well be that the URL is on its way towards becoming a purely technical feature working in the background.

Cookies: the new regime

Back in March, I discussed the proposed changes to the law on cookies, to require prior, informed consent before most cookies are placed on users’ computers.

The new regulations have now been published by the UK government. Regulation 6 of the snappily-titled Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amends the previous rules so that most cookies will now only be permitted if the website user:

  • is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • has given his or her consent.

In addition, however, the revised regulation also states that:

…consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

What does all this mean in practice? To help businesses understand what is required of them, the Information Commissioner’s Office has produced a guidance note on the new regulations (PDF). While this leaves a number of questions still unanswered (as we’ll see below), it does clarify a number of points that had been debated since the new law was first proposed last year.

1. Is your cookie “strictly necessary”?

The revised regulations retain the existing exceptions for cookies:

  • whose “sole purpose” is “carrying out the transmission of a communication over an electronic communications network”; or
  • which are “strictly necessary for the provision of an information society service requested by the subscriber or user”.

The second of these is the more important for most websites. It has been suggested that this could be interpreted quite widely, to include analytics cookies that track how people use the site: which pages they visit, how long they remain on the site, which search terms brought them there in the first place, and so on. The argument is that this enables sites to allocate resources as necessary to provide their services.

However, the guidance argues that the exception needs to be interpreted narrowly, and the cookie must relate to services “explicitly requested” by the user – not just the general functioning of the site. So a cookie to enable a shopping basket and checkout system to work would be fine. However:

The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

2. Can browser settings be used?

The reference to a website user “who amends or sets controls on [their] internet browser” has been read by some as allowing existing browser controls on cookies to be used to obtain consent. However, the ICO’s view is that:

most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie.

In addition, people may be accessing websites using mobile devices that do not enable them to exercise even the crude levels of control (“cookies ON” / “cookies OFF”) found in current desktop browsers.

In the longer term, more sophisticated browser settings may be developed that enable websites to obtain consent in this way. However, for now it has to be assumed that some other means of obtaining consent is necessary.

3. How can we obtain consent?

The ICO’s guidance is not prescriptive, and discusses a number of ways in which websites can obtain consent.

One option is to use pop-ups as a means of informing users about your use of cookies and to obtain their consent, but the ICO recognises that this is “potentially frustrating” for users. Other means include:

  • Terms and conditions: sites that obtain users’ agreement to their terms and conditions (e.g. upon registering with the site or making a purchase) have a golden opportunity to obtain users’ consent. However, existing users should be made aware of the changes and asked to give their consent to the new terms.
  • Settings-led consent: where a cookie is necessary in order to enable a particular website feature, then users can be told at the point they enable that feature that a cookie will be used for this purpose.
  • Highlighted text: the website’s header or footer could include text that is highlighted when the site wishes to place a cookie, so that users can then agree to this.
  • Third-party cookies: these are widely used by advertising networks, and unfortunately the ICO guidance does little more than acknowledge that this “may be the most challenging area in which to achieve compliance with the new rules”. Clearly, though, finding techniques for describing the use of third-party cookies in such a way that users are inclined to agree to them will become something of an art form in the near future.
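One way to implement settings-led consent together with the “strictly necessary” exception from section 1, as an added example that is not code from this post, the ICO or any cited site. The cookie names, the three categories and the Map-backed cookie jar are constructed for illustration; in a browser the jar would wrap document.cookie.

```javascript
// Consent-gated cookie layer: a non-essential cookie is only written once the
// user has consented to its category; strictly necessary cookies (needed for a
// service the user explicitly requested) are written without consent.

// Constructed registry of this site's cookies (step 1 of the ICO checklist:
// know which cookies you use and why). The category names are our own.
const COOKIE_REGISTRY = {
  basket_id:  { category: 'strictly-necessary', purpose: 'Keeps items in your shopping basket between pages' },
  lang_pref:  { category: 'functional',         purpose: 'Remembers the language you chose' },
  site_stats: { category: 'analytics',          purpose: 'Counts which pages are visited, for site statistics' },
};

class ConsentManager {
  // `jar` is any object with set(name, value) / delete(name); a Map is used
  // here so the code runs offline, a browser wrapper would use document.cookie.
  constructor(jar) { this.jar = jar; this.consented = new Set(); this.deferred = []; }

  // Settings-led consent: when the user turns on a feature, they are told which
  // cookie it needs and consent to that category only. Cookies requested before
  // consent existed are written now.
  grant(category) {
    this.consented.add(category);
    const pending = this.deferred;
    this.deferred = [];
    for (const { name, value } of pending) this.setCookie(name, value); // re-queues any still blocked
  }

  // Withdrawing consent also removes cookies already set in that category.
  withdraw(category) {
    this.consented.delete(category);
    for (const [name, entry] of Object.entries(COOKIE_REGISTRY)) {
      if (entry.category === category) this.jar.delete(name);
    }
  }

  // Returns true if the cookie was written, false if it was held back pending consent.
  setCookie(name, value) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) throw new Error(`Unregistered cookie '${name}': add it to the registry before use`);
    const allowed = entry.category === 'strictly-necessary' || this.consented.has(entry.category);
    if (!allowed) { this.deferred.push({ name, value }); return false; }
    this.jar.set(name, value);
    return true;
  }

  // Rows for a cookie information table of the kind the ICO uses in its privacy policy.
  cookieTable() {
    return Object.entries(COOKIE_REGISTRY).map(([name, e]) => ({
      name, purpose: e.purpose, consentRequired: e.category !== 'strictly-necessary',
    }));
  }
}
```

The registry doubles as the audit list: any cookie the code tries to set that is not in it is refused, which surfaces undocumented cookies during testing.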

4. So what do I need to do?

While the new legislation comes into force on 26 May 2011, the ICO recognises that there will need to be a “phased approach” to enforcement, to give websites time to comply. The ICO’s key expectation at this stage is that organisations are at least giving serious thought to how to comply.

In particular, the guidance advises website owners to:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Decide what solution to obtain consent will be best in your circumstances.

“The key point”, they add, “is that you cannot ignore these rules.”

Over the next few months I will revisit this issue to see how websites are going about achieving compliance in practice, and what technical measures are being developed to facilitate this.