Cookies - *now* it's time to wake up

The Information Commissioner has published his guidance on complying with new European cookie law, and the news is less good than had been hoped. Although the simplest way for a website to obtain users’ consent to installing cookies would be to rely on them having set appropriate cookie preferences in their browsers – indeed the European Directive specifically mentions this possibility – the view now seems to be that browser preference controls will remain inadequate for some time. This, and the need to support users of older browsers, means that websites will need to obtain some sort of consent themselves. The ICO is, at least, resisting the temptation to unleash a user-unfriendly flood of pop-ups: this leads him (reluctantly, I suspect) to suggest that a user who knows what cookies a site uses and continues to use it has, indeed, given their consent. How much value can be placed on such consent if the user has no choice but to use the site is not clear to me!

The guidance provides a helpful categorisation of cookies, with suggestions of how information about them might be provided:

• Cookies that are strictly necessary to provide services explicitly requested by the user (e.g. shopping carts): For these there is no change in law. However this class is narrowly interpreted so, for example, shopping cart cookies are included but those to remember user preferences or analyse website usage are not (see below for these).
• Cookies that are not strictly necessary for a user-requested service: Some websites will be able to gather information about all cookies they use and place it on the page where users sign up to the website (for example as part of the Terms and Conditions). However this means that any subsequent change to cookie use will need to be reflected in changed Terms and Conditions, and the Information Commissioner’s view is that websites would then be required obtain positive acknowledgement from all users of the change: merely changing the on-line version of the Terms would not be sufficient.

Of course, not all websites have a sign-up page. The others (and even those that do, if they consider the process for updating Terms and Conditions to be too onerous) are likely to have to deal with each type of cookie in a different way:

• Cookies storing a setting requested by the user (e.g. personalisation): for these the user can be informed about the cookie on the page where they select a particular setting.
• Cookies implementing a feature requested by the user (e.g. remember my details): for these the user can be informed about the cookie on the page where they request the feature.
• Cookies implementing a background function (e.g. analytics): if there is no sign-up page that all users have to see (as above), then the advice is that information about these should be made more prominent, for example by “some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user’s device”. This can direct the user to further information about the cookie(s), for example on the website’s privacy page. This might include a list of cookies and their function.
• Third-Party Cookies (e.g. advertising): the advice regards these as the most challenging, because of the involvement of multiple parties. The website operator must ensure that users are informed that their information will be passed to third parties and that they can obtain the necessary information about how it will be used; all parties should follow industry standards (presumably including the proposed IAB Code and AdChoices system) as these develop to comply with the new law.

The Guidance notes that different cookies represent different levels of intrusion into privacy: a cookie selecting a preferred language for a website would be considered less intrusive than one that gathered an individual’s entire browsing history. As with other data protection requirements, more information needs to be provided the more intrusive a cookie is.

Finally, although the law is still expected to come into force on May 26th (at the time of writing it doesn't seem to be on the draft legislation website), the Government is planning a “phased implementation” of the changes. This seems to mean that there will be a period when the Information Commissioner will not use his full enforcement powers against organisations that can demonstrate that they are working towards compliance. The ICO’s recommended course of action is therefore:

1. Check what type of cookies and similar technologies you use and how you use them (possibly including “cleaning-up” any unnecessary cookies);
2. Assess how intrusive your use of cookies is;
3. Decide what solution to obtain consent will be best in your circumstances (starting with the most intrusive cookies)

[UPDATE: it turns out that the Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2011 had been published - they just didn't pass through the 'draft' stage that I was monitoring. Regulation 6 contains the expected amendments to the original Privacy and Electronic Communications Regulations 2003]