Monday 25 June 2012

COOKIES: Steps Towards Achieving Compliancy

PRE-SET-UP STEPS

Unless you can avoid using cookies altogether, or you fall within the exceptions to the new law’s requirements to (1) provide clear and comprehensive information about any cookies you are using and (2) obtain consent (the “Requirements”) (see page 12 of the ICO guidance on cookies, the “Guidance”), it is advisable to take the following pre-set-up steps:

1. Check what type of cookies you use and how you use them;

2. Assess how intrusive your cookie usage is for each cookie;

3. Decide which mechanism you will use to obtain consent;

4. Ensure you have an online Privacy Policy which makes reference to cookies; 

5. Ensure you have an online Cookie Policy (Note that if you merely mention cookies in your Privacy Policy, you are not doing enough. The Guidance insists on an unwavering adherence to the Requirements); and,

6. Take legal advice.

CONSENT

In view of the practical and technological constraints on implementing sophisticated consent mechanisms, the Guidance acknowledges that implied consent may be more practical than the explicit opt-in model; however, it also notes that “explicit consent might allow for regulatory certainty”. The more effort put into satisfying Requirement (1), the more likely it is that implied consent will suffice in place of an explicit opt-in.

EXAMPLES

An example of explicit consent via an opt-in can be found at www.fasthosts.co.uk. Sites like www.barclays.co.uk have taken one step back but a giant step forward by not providing an immediate opt-in mechanism but instead providing a disablement mechanism via a pop-up window. A site currently relying solely on inferred consent is www.ipo.gov.uk. A hybrid site allowing for either explicit or inferred consent is www.website-express.co.uk. It is not uncommon for consent to be gained online through the terms of use or terms and conditions to which the user agrees when they register or sign up. Other approaches have been suggested, such as reliance on the user’s pre-set browser settings, settings-led consent and browser-led consent, all of which are beyond the scope of this article.

It is evident that varying degrees of compliance are being adopted for the time being. The key point is that a website owner needs to be upfront with users and obtain consent by giving the user specific information about what they are agreeing to and providing them with a way to show their clear acceptance. Cookie warning messages can be displayed as message headers, footers or pop-up windows of varying size and prominence; best practice is that they contain a link direct to the Cookie Policy. Therefore, it is understood that those setting cookies must:

1. Tell people that the cookies are there;

2. Explain what the cookies are doing;

3. Obtain consent to store a cookie on a user’s device; and,

4. Provide information in your Cookie Policy on the management and removal of cookies (or go a step further and provide a mechanism to instantly disable cookies).
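The four points above describe a gate: a cookie is written only once the user has been told about it and has agreed, and the user can later switch non-essential cookies off. The following is an added example of that gate in browser-side logic, not code from the article or from any of the sites named above. The cookie names, the `cookie_consent` record and the category registry are assumptions; `CookieJar` is an in-memory stand-in for `document.cookie` so the logic runs under Node, and in a browser the same class would read and write `document.cookie` instead.

```javascript
// Added example: gating cookies on recorded consent, with a withdrawal path.
// Not code from the article. CookieJar stands in for document.cookie so this runs under Node.

const CONSENT_COOKIE = 'cookie_consent'; // assumed name; records the user's choice, so itself strictly necessary

class CookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name).value : undefined; }
  set(name, value, opts = {}) { this.store.set(name, { value, ...opts }); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  // registry: cookie name -> category, taken from the site's cookie audit (assumed values).
  constructor(jar, registry) {
    this.jar = jar;
    this.registry = registry;
  }

  hasConsent() { return this.jar.get(CONSENT_COOKIE) === 'accepted'; }

  // Called when the user accepts via the banner. The record is bounded in time so the
  // user is asked again later rather than being bound indefinitely.
  grant() { this.jar.set(CONSENT_COOKIE, 'accepted', { maxAge: 180 * 86400 }); }

  // The "disablement mechanism": record the refusal and drop every non-essential
  // first-party cookie that was set while consent stood. Returns the names removed.
  // Cookies set by third-party domains cannot be removed from here; the only remedy
  // is to stop loading that third party's script or content (see mayLoad).
  withdraw() {
    this.jar.set(CONSENT_COOKIE, 'declined', { maxAge: 180 * 86400 });
    const removed = [];
    for (const name of this.jar.names()) {
      const category = this.registry[name];
      if (category && category !== 'Strictly necessary') {
        this.jar.remove(name);
        removed.push(name);
      }
    }
    return removed;
  }

  // Whether content in a category (an analytics script, an ad tag) may be loaded now.
  mayLoad(category) { return category === 'Strictly necessary' || this.hasConsent(); }

  // Set a cookie only if its category allows it. Unaudited cookies are refused outright:
  // a cookie that is not in the audit cannot have been described to the user.
  set(name, value, opts) {
    const category = this.registry[name];
    if (category === undefined) throw new Error(`cookie "${name}" is not in the cookie audit`);
    if (!this.mayLoad(category)) return false;
    this.jar.set(name, value, opts);
    return true;
  }
}

// Stand-alone walk-through with assumed cookie names; returns the sequence of outcomes.
function demo() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar, { session_id: 'Strictly necessary', _ga: 'Performance', uid: 'Targeting' });
  const trace = [];
  trace.push(gate.set('session_id', 's1'));   // true: essential, no consent needed
  trace.push(gate.set('_ga', 'GA1.2.1'));      // false: not yet consented
  gate.grant();
  trace.push(gate.set('_ga', 'GA1.2.1'));      // true
  trace.push(gate.withdraw());                 // ['_ga']: removed on withdrawal
  trace.push(gate.set('_ga', 'GA1.2.1'));      // false again
  return trace;
}

console.log(demo());
```

The two design points worth noting are the default-deny for cookies missing from the audit, which stops a developer quietly adding a cookie the Cookie Policy does not describe, and the withdrawal path, which only clears first-party cookies: a third party’s cookie lives on its own domain, so the site must gate the loading of that third party’s content rather than try to delete its cookie afterwards.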

COOKIE INFO IN COOKIE POLICY

Whichever method you choose to satisfy Requirement (2), in order to achieve compliance it is advisable that you also provide a Privacy Policy which references cookies and a separate Cookie Policy in which you set out the Requirement (1) information, preferably presented in a table. You can find out more about what information to include in Article 2 of 3 published by Hanne & Co, under the paragraph headed “A Cookie Audit”.

CONCLUSION

Businesses need to consider the best way forward for their particular website to inform users about their use of cookies in detail and to obtain the requisite consent. The grace period expired on 26 May 2012 and the law cannot be ignored! Given that the implementation of the new law is still experiencing teething problems, transparency should be the guiding principle of any business in its online activities.

Hanne & Co can help to provide you with the following:

(1) Suggested wording for a cookie warning message to be placed on your site;

(2) A Cookie Policy (and a Privacy Policy if you don’t have one);

(3) Advice and guidance on how best you can utilise these to meet the current legal obligations on a website owner; and,

(4) A review of any existing contracts you have with third party providers (or an update of your company’s template agreements) to ensure that you secure their commitment to comply with the law on cookies, thereby reducing your risk.

COOKIES: Why Does the Law Care About Cookies and What Are They?

WHAT IS A COOKIE? 

A cookie is a small text file (a named value, typically made up of letters and/or numbers) which a website places on a user’s device, via the browser, when the user visits that website. The browser sends the cookie back to the website’s server on later requests, so the site can recognise that browser or device when it is (re)visited.

WHY ARE THEY USED?

Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the website. Cookies do lots of different and useful jobs, such as letting a user navigate between pages efficiently, remembering a user’s preferences and generally improving a user’s browsing experience. Cookies can also be used to customise areas of online content so that they are more tailored to a user’s interests. When a user (re)visits a website that uses the same cookies, those cookies, and so the browsing device, are recognised.

A COOKIE AUDIT?

The Regs (see the earlier article) impose two strict requirements. Besides (1) obtaining user consent, the website owner must (2) have “provided clear and comprehensive information about the purposes of the storage of, or access to, that information” to the user for each cookie used (the “Requirement/s”). This means ensuring that you include accurate and clear information about each cookie in your Privacy Policy or, preferably, in a separate Cookie Policy. Complying with this Requirement is likely to require a so-called cookie audit, which might involve confirming:

1. which cookies are operating on or through your website (Name of Cookie);

2. the purpose(s) of each of these cookies (Specific Purpose);

3. what data each cookie holds (Typical Content);

4. whether it is a first or third party cookie (First party/ Third party);

5. the cookie category (Cookie Category);

6. the type of cookie, i.e. session or persistent (Session/ Persistent);

7. the lifespan of any persistent cookies (Lifespan).

Together, these can be referred to as the “Cookie Identifiers”.

There are many ways to comply with this Requirement in practice. One such way is to provide a table with a column for each of two or more of the Cookie Identifiers listed above (the bracketed names), and a row for each cookie.

TYPES OF COOKIES

Session Cookies allow a site to link the actions of a visitor during a single browser session. They carry no expiry date, are discarded when the browser session ends (although browsers that restore the previous session on restart may keep them longer), and are considered “less privacy intrusive” than persistent cookies.
Persistent Cookies carry an expiry date or maximum age, allow one or several sites to remember details about the visitor, and remain on the user’s device between sessions. They may be used for a variety of purposes, including remembering users’ preferences and choices when using a site or targeting advertising.

First Party Cookies are set by the specific website visited by the user i.e. the website displayed in the URL window.

Third Party Cookies are set by a domain other than the one being visited, typically by content loaded from that other domain such as adverts, analytics scripts or embedded widgets. They can be used, for example, to trigger a banner advert from a third party provider based on the visitor’s viewing habits across sites.

COOKIE CATEGORIES

Based on the ICC UK cookie guide (International Chamber of Commerce United Kingdom), the cookies a site uses can each be put into one of four categories:

1. Strictly Necessary Cookies are essential. They enable a user to move around a website and use its features, such as accessing secure areas. Without these, the requested services cannot be provided. These cookies don’t gather information about a user that could be used for marketing or remembering where a user has been online.

2. Performance Cookies collect information about how a user uses a website, for example which pages a user goes to most often. These cookies are used only to improve how a website works and collect anonymous information only.

3. Functionality & Profile Cookies allow a website to remember choices that a user makes (e.g. a user’s name) and can tailor the website to provide enhanced features and online marketing content. They can remember log-in details and allow a user to watch videos. The information these cookies collect may be anonymous and they cannot track browser activity on other websites. 

4. Targeting Cookies gather information about browsing habits. They remember what websites a user has visited and share this information with other organisations to enable them to conduct behavioural advertising. Although they track visits to other websites, they don’t usually know who a user is.

Cookies in category 1 represent the limited exception to having to comply with the Requirements; a site’s consent mechanism need not offer a way to restrict or block them, since the requested service cannot be provided without them. The cookies in categories 2, 3 and 4 require consent and can be restricted or blocked.
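The cookie audit, the session/persistent and first/third party distinctions, and the four categories above can be pulled together into a small tool that takes the `Set-Cookie` headers a site sends and produces the audit table. The following is an added example, not code from the article or from the ICC UK guide: the site name `www.example.co.uk`, the sample headers and the category map are constructed for illustration (purpose and category can only be supplied by the site owner, so the tool flags anything it has not been told about), and the registrable-domain check is a deliberate simplification of what a real tool would take from the Public Suffix List.

```javascript
// Added example (not code from the article): a cookie audit over Set-Cookie headers,
// reporting the Cookie Identifiers: name, typical content, first/third party, category,
// session/persistent and lifespan, plus whether consent is required.

// Assumption: the site under audit, used to decide first versus third party.
const SITE_HOST = 'www.example.co.uk';

// Reference time for working out lifespans from Expires dates (the article's date).
const NOW = Date.parse('Mon, 25 Jun 2012 00:00:00 GMT');

// Constructed sample: [host that sent the response, raw Set-Cookie header value].
// In practice these are captured with a proxy or the browser's developer tools.
const SAMPLE_HEADERS = [
  ['www.example.co.uk', 'JSESSIONID=a1b2c3; Path=/; Secure; HttpOnly'],
  ['www.example.co.uk', 'lang=en-GB; Max-Age=31536000; Path=/'],
  ['www.example.co.uk', '_ga=GA1.2.9876; Domain=.example.co.uk; Expires=Wed, 25 Jun 2014 00:00:00 GMT; Path=/'],
  ['ads.tracker-example.net', 'uid=7f3e; Domain=.tracker-example.net; Max-Age=63072000; Path=/'],
  ['www.example.co.uk', 'promo_seen=1; Max-Age=604800; Path=/'],
];

// Purpose and category cannot be read off a header; the site owner supplies them
// (assumed values for the sample). Anything missing here is flagged for review.
const CATEGORY_MAP = {
  JSESSIONID: 'Strictly necessary',
  lang: 'Functionality',
  _ga: 'Performance',
  uid: 'Targeting',
};

// Simplified registrable-domain check: www.example.co.uk and .example.co.uk are the same
// site; ads.tracker-example.net is not. Assumption for this example; a real tool should
// use the Public Suffix List rather than this short list of second-level labels.
function registrableDomain(host) {
  const labels = host.replace(/^\./, '').toLowerCase().split('.');
  const ccSld = ['co', 'org', 'gov', 'ac', 'net', 'com', 'ltd', 'plc'];
  const tld = labels[labels.length - 1];
  const n = labels.length >= 3 && tld.length === 2 && ccSld.includes(labels[labels.length - 2]) ? 3 : 2;
  return labels.slice(-n).join('.');
}

// Split "name=value; Attr=val; Flag" into its parts; attribute names are case-insensitive.
function parseSetCookie(raw) {
  const parts = raw.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? '' : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? parts[0] : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// One audit row per cookie. Max-Age wins over Expires (RFC 6265); neither attribute
// means a session cookie; a zero or past lifetime is a deletion, not a persistent cookie.
function auditCookie(originHost, raw, now = NOW) {
  const { name, value, attrs } = parseSetCookie(raw);
  let lifetimeSeconds = null;
  if ('max-age' in attrs) lifetimeSeconds = Number(attrs['max-age']);
  else if ('expires' in attrs) lifetimeSeconds = Math.round((Date.parse(attrs.expires) - now) / 1000);
  let type;
  if (lifetimeSeconds === null) type = 'Session';
  else if (lifetimeSeconds <= 0) type = 'Deletion';
  else type = 'Persistent';
  const cookieDomain = attrs.domain || originHost;
  const thirdParty = registrableDomain(cookieDomain) !== registrableDomain(SITE_HOST);
  const category = CATEGORY_MAP[name] || 'UNCLASSIFIED (review)';
  return {
    name,
    typicalContent: value,
    party: thirdParty ? 'Third party' : 'First party',
    category,
    type,
    lifespanDays: type === 'Persistent' ? Math.round(lifetimeSeconds / 86400) : 0,
    // Only strictly necessary cookies are exempt; unclassified ones default to needing consent.
    consentRequired: category !== 'Strictly necessary',
    secure: attrs.secure === true,
    httpOnly: attrs.httponly === true,
  };
}

function runAudit(headers, now = NOW) {
  return headers.map(([host, raw]) => auditCookie(host, raw, now));
}

// Render the rows as the kind of table the article suggests for a Cookie Policy.
function renderTable(rows) {
  const cols = ['name', 'party', 'category', 'type', 'lifespanDays', 'consentRequired'];
  const line = (r) => cols.map((c) => String(r[c])).join(' | ');
  return [cols.join(' | ')].concat(rows.map(line)).join('\n');
}

console.log(renderTable(runAudit(SAMPLE_HEADERS)));
```

Two things the headers alone will not tell you: the Specific Purpose and Cookie Category columns have to come from the people who put the cookie there, which is why the tool treats an unlisted cookie as needing consent until someone classifies it; and a `Domain` attribute set to the site’s own registrable domain (as `_ga` does here) is still a first party cookie, even though it was placed by a third party’s script.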

If you would like further cookie advice or if you require a Privacy Policy and/ or a Cookie Policy tailored to your website, please contact Hanne & Co on 020 7228 0017 or at info@hanne.co.uk and ask to be referred to one of our commercial team. 

Further general information about cookies can be found at:
- http://www.allaboutcookies.org
- Internet Advertising Bureau: Guide to online advertising and privacy
- International Chamber of Commerce United Kingdom: ICC UK cookie guide
- Directgov article: Internet Browser cookies – what they are and how to manage them
- ICO cookie guidance: ICO guidance on cookies

COOKIES: Why Has the Law Changed and How Can Hanne & Co Help?

WHY?

The 2002 European Directive upon which the 2003 UK Privacy and Electronic Communications Regulations were based has been revised by a 2009 EU Directive. This required the UK to implement the revisions into its own law, which it did on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the “Regs”). The UK Information Commissioner’s Office (ICO) announced a one-year grace period, delaying enforcement of the Regs; that period expired on 26 May 2012.

The Regs are designed to protect the privacy of information (whether the information is personally identifiable or not) and personal data which is stored or made accessible in a user’s device. The aim of the law is to prevent information being stored on devices and used to recognise the user of that device without the owner’s knowledge and consent. 

HOW?

Both the older 2003 regulations and the Regs require websites to provide visitors with clear and comprehensive information about how and why cookies are being used on a website. However, as regards the second requirement, the 2003 regulations required websites to give users the ability to ‘opt out’ of cookies being stored on their devices, whereas the Regs now require consent to be obtained for cookies and similar technologies (the Regs are framed in terms of storing, or gaining access to, information on a user’s device, so they are not limited to cookies in the strict sense). This means that cookies can no longer be stored on a user’s device unless the user consents in advance. See Article 3 of 3 for more on consent.

EXCEPTIONS TO THE RULE

There is a limited exception to the rule. Unless a website uses only cookies that fall into the “strictly necessary” category (one of the four categories in the ICC UK cookie guide), it is legally bound to abide by the new requirements. For example, using cookies to remember items in an online shopping basket, for security in online banking, or to help web pages load faster is regarded as “strictly necessary” and therefore does not require consent. All other common cookie usage falls into the other three categories (Performance; Functionality and Profile; and Targeting), all of which require consent. See Article 2 of 3 for further discussion of “Cookie Categories”.

As with any new rule of law that restricts an established practice, the law has been regarded by some as controversial and frustrating, with practical and technological constraints cited for the most part. Others are confident that the UK law stands a good chance of being readily accepted within the fabric of UK websites, thereby bringing about a degree of certainty. This could be said to be largely due to the somewhat pragmatic and relaxed approach adopted by the ICO in the UK. The problem may lie more with the lack of harmonisation across other EU countries in which a website is accessible, where implementation of the new rules may not be as lenient. See the ICO guidance on the new cookies regulations.

ICO BREACHES AND SANCTIONS

It is unclear how the ICO will treat breaches of the law and exactly how it will go about enforcing compliance, but it is likely that only serious breaches will lead to hefty fines of up to £500,000. However, it would not be unheard of for a regulatory authority to treat persistent breaches in a similar way. The ICO does have the power to require an organisation to take steps towards compliance and to compel compliance by enforcement notice (failure to comply with such a notice would be a criminal offence).

THE LAW CAN CATCH YOU ANYWAY!

Regardless of the implementation of the Regs, there are existing powers in current legislation to deal with unfair trade practices under the Consumer Protection from Unfair Trading Regulations 2008 (“CPUTRs”), a set of UK regulations protecting consumers from unfair, misleading or aggressive marketing practices. Being technology neutral, they are not specific to the digital and online world; however, any practice used online which is deemed unfair, misleading or aggressive will fall foul of the CPUTRs. They place a duty on regulators to act when a consumer is deceived about the presence of cookies, even where the information the consumer has been given is technically correct. In theory, the Office of Fair Trading (OFT) has the duty to enforce the CPUTRs, and individuals (not just businesses) who breach the law can be punished by up to two years in prison or a hefty fine.

Hanne & Co can help you to respond immediately to the Regulations by:

(1) Assisting you with updating your other online terms such as your Terms of Trade or Purchase Policy as well as your Privacy Policy;

(2) Providing you with suggested wording for a cookie warning message to be placed on your site as well as a Cookie Policy;

(3) Providing you with further advice as required by you.

Watch this space as the law on “Personal Data” which is also covered by separate data protection laws across Europe is also in the process of revision.

Contact us on 020 7228 0017 or at info@hanne.co.uk and ask to speak to one of our Commercial Team