Cookie compliance - where you need to be | DMA


The one year’s grace period the Information Commissioner’s Office (ICO) gave organisations before it began hard enforcement of the new rules on cookies expired on Saturday 26 May 2012. For those of you who didn’t manage to meet the deadline, you’ll be happy to hear that you’re not alone.

The majority of the UK Government’s own websites failed to comply with the new rules by the deadline, a BBC report has revealed. However, the Cabinet Office said that the Government was “working to achieve compliance at the earliest possible date”. The Cabinet Office spokesman told the BBC that “as in the private sector, where it is estimated that very few websites will be compliant by the deadline, so it is true of the government estate”.

Here, I look at the various stages of compliance your organisation might be in and what you need to be doing now.

Your organisation met the deadline
Congratulations! However, you will still need to make sure your website remains compliant by continuing to audit any new cookies which are placed on your website and ensuring your cookies policy reflects any changes. The ICO has been hearing about a lot of good work in the run-up to the deadline, but has not seen much evidence of actual implementation.

You may want to think about letting the ICO know what your organisation has done to achieve compliance. You will also need to keep the paper record of what you did to achieve compliance so that, if there is a consumer complaint to the ICO which the ICO follows up, you can show it what you have done. See the DMA’s 10 steps to managing cookie compliance and the comments below.

If your organisation is responsible for a website which provides essential public services to UK citizens, such as a government, local authority or NHS body, then you must ensure that any solution has been properly tested to avoid denying access to users. Last week, the ICO reminded such organisations not to rush into compliance without such testing.

The ICO understands that implementing these new rules requires considerable work in the short term. You need to audit your use of cookies, resolve problems with reliance on cookies built into existing systems and websites, and make sure that information provided to users about your use of cookies and the consent mechanism you are using is clear.

Your organisation didn’t meet the deadline
Hopefully, you are at least on your way towards achieving full compliance. This is all the more important given that the ICO is writing to 50 top UK websites to find out what actions they’ve taken to comply. The ICO will draw a distinction between organisations trying to comply with the new rules and those who are unwilling. It plans to take unwilling organisations to task using the full range of enforcement options in its regulatory toolkit.

Organisations trying to comply with the new rules will get help from the ICO. Again, make sure that you have documented the decision-making process. The ICO may look sympathetically on you if you have just missed the deadline because you were waiting for an IT fix which will be completed quickly. It may be worthwhile having another look at the DMA’s 10 steps to managing cookie compliance.

What will the ICO do now the deadline has passed?
The ICO issued revised Guidance on the rules on use of cookies and similar technologies on 25 May, just one day before the 12-month grace period expired.

The revised guidance emphasises that website operators and owners currently face a real problem in complying with the new rules, because there is low consumer understanding of what cookies are, what cookies are used for and how consumers can manage the setting of cookies on their devices. In determining how consent for the use of cookies should be obtained, website owners and operators must bear in mind the nature of the intended target audience of the site, the way in which users of their website expect to receive information from and on the site, and the language used in the cookie and privacy policy.

The guidance stresses that whatever method of consent is used, both the website user and the operator must understand that a particular action (such as visiting a website, moving from one website page to another or clicking on a button on the website) is the consent mechanism for the use and storage of cookies.

The ICO has also issued advice for members of the public which explains what cookies are, what the new rules mean, how the new rules will affect use of the internet and how cookies can be controlled. It has also introduced a new complaints procedure for cookies, Cookie concerns, similar to the current reporting mechanism for unsolicited emails and SMS texts. It will use the numbers of consumer complaints about specific websites which are breaching the new cookie rules to determine whether or not to take enforcement action. The ICO may also use information about complaints about specific cookies in determining what enforcement action to take.

Education is key to the new cookie rules
Website users need to know exactly how cookies work in practice. A recent Econsultancy survey found that 33% of consumers believe cookies could be used for viruses and Trojans. Sadly, because of budget cuts, neither the Department for Culture Media and Sport (DCMS), the government department with the responsibility for the new cookie rules, nor the ICO has the money for such a campaign.

The more users become accustomed to good practice, the easier it will be for all organisations to get consent for the use of cookies. The ICO recognises this in the latest version of its guidance. So my last piece of advice is to make sure that your organisation is making an effort to comply with the new rules, as it will help educate website users.


Contact James Milligan, 020 7291 3360.
