PRE-SET-UP STEPS
Unless you can avoid using cookies altogether, or unless you fall within
the exceptions to the new law's requirements to (1) provide clear and
comprehensive information about any cookies you are using; and, (2)
obtain consent (the “Requirements”) (see page 12 of the ICO Guidance
Download) (the “Guidance”), it is advisable to take the following
pre-set-up steps:
1. Check what type of cookies you use and how you use them;
2. Assess how intrusive your cookie usage is for each cookie;
3. Decide what solution to use to obtain consent;
4. Ensure you have an online Privacy Policy which makes reference to cookies;
5. Ensure you have an online Cookie Policy (Note that if you
merely mention cookies in your Privacy Policy, you are not doing enough.
The Guidance insists on an unwavering adherence to the Requirements);
and,
6. Take legal advice.
CONSENT
In view of the practical and technological constraints on implementing
sophisticated consent mechanisms, the Guidance acknowledges that
attaining implied consent may be more practical than the explicit
opt-in model; however, it also states how “explicit consent might allow
for regulatory certainty”. It is clear that the more effort put into
satisfying Requirement (1), the more likely implied consent shall
suffice for opt-in consent.
EXAMPLES
An example of explicit consent via an opt-in can be found at
www.fasthosts.co.uk. Sites like www.barclays.co.uk have taken one step
back but a giant step forward by not providing an immediate opt-in
mechanism but instead providing a disablement mechanism via a pop-up
window. A site currently relying solely on inferred consent is
www.ipo.gov.uk. An almost hybrid, dual-option site allowing for explicit
or inferred consent is www.website-express.co.uk. It is not uncommon for
consent to be gained online using the terms of use or terms and
conditions to which the user agrees when they register or sign up. There
are other approaches that have been bandied about, such as reliance on the
user’s pre-set browser settings or settings-led consent and browser-led
consent, all of which are beyond the scope of this article.
It is evident that varying degrees of compliance are being
adopted for the time being. The key point is that a website owner needs
to be upfront with users and obtain consent by giving the user specific
information about what they are agreeing to and providing them with a way
to show their clear acceptance. Cookie warning messages can be displayed
by way of message headers or footers or pop-up windows on the website
of varying size and prominence, and best practice is that they contain a
direct link to the Cookie Policy. Therefore, it is understood that those
setting cookies must:
1. Tell people that the cookies are there;
2. Explain what the cookies are doing;
3. Obtain consent to store a cookie on a user’s device; and,
4. Provide information in your Cookie Policy on the management and
removal of cookies (or go a step further and provide a mechanism to
instantly disable cookies).
COOKIE INFO IN COOKIE POLICY
Whichever method you choose to satisfy Requirement (2), in order to
achieve compliance, it is advisable that you also provide a Privacy Policy
in which you reference cookies and a Cookie Policy in which you can
insert the Requirement (1) information, preferably presented in a
table. You can find out more about what information can be used in
Article 2 of 3 published by Hanne & Co under the paragraph headed “A
Cookie Audit”.
CONCLUSION
Businesses need to consider the best way forward for their particular
website to inform users about their use of cookies in detail and to
obtain the requisite consent. The grace period expired on 26 May 2012 and
the law cannot be ignored! Given that the implementation of the new law
is still experiencing teething problems, transparency should be the
guiding principle of any business in its online activities.
Hanne & Co can help to provide you with the following:
(1) Suggested wording for a cookie warning message to be placed on your site;
(2) A Cookie Policy (and a Privacy Policy if you don’t have one);
(3) Advice and guidance on how best you can utilise these to meet the current legal obligations on a website owner; and,
(4) A review of any existing contracts you have with third-party
providers (or an update of company template precedent agreements) to
ensure that you secure their commitment and agreement to be compliant
with the law on cookies, thereby reducing your risk.