Last week, the UK Information Commissioner’s Office announced changes to UK rules governing the use of “cookies” in websites, as the UK seeks to implement amendments to the EU’s Privacy and Electronic Communications Directive.
Here’s some important information about the change and how it could affect you.
What are cookies?
Cookies are small files that websites install automatically on the user’s computer or device when the website is loaded. They are used almost universally by website developers, and they serve multiple purposes, from making shopping cart functionality work, to relieving the user of the need to log in each time they visit a favourite website, to tracking a user’s behaviour whilst using the website.
Why are cookies controversial?
Cookies work by identifying the user to the website, or to a third party service that is installed in the website. Cookies don’t identify the user by name, but they are nevertheless controversial in particular for their ability to permit advertisers on third party sites to target advertising at users based on their previous web usage behaviour.
What do the new rules call for?
It seems likely that the mechanism that achieves best compliance will be some form of “pop-up” that interrupts the user and prevents them from continuing without deliberately accepting or declining cookies.
Are all cookies within the scope of the new rules?
The ICO acknowledges that there are certain types of cookies that are “strictly necessary” for the website to deliver services that have been explicitly requested by the user. The example they have given is the type of cookie used to record users’ shopping basket selections on e-commerce stores until they check out. Website owners will not be required to seek the user’s permission to install a cookie which can be shown to be “strictly necessary.”
When does it take effect?
The change to UK law is scheduled to take effect on Thursday 26 May 2011.
The ICO has announced that there will be a grace period whilst website owners adapt to the changes, during which prosecutions will not be brought in response to complaints, as long as the website owner can demonstrate a plan of action to move towards compliance. The length of the grace period has not yet been defined.
Does it affect my website?
If you have a website, and you are a business or person in the UK, or are targeting UK web users, then you need to pay attention to the new rules and potentially make changes to the way your website works.
I’m located outside the UK’s jurisdiction. Does it still affect me?
The ICO’s guidance is not explicit on this, but, while your location might buy you a little more time to comply, it’s safest to assume that privacy-related complaints from UK consumers about any website they use will still be investigated by the ICO. Although they might not be able to apply UK law directly to you, the publication of criticism of your website in this area might be something you want to avoid.
I’m located in the UK but my website’s hosted outside the UK. Does it still affect me?
As is the case for your own physical location, the ICO’s guidance is not explicit on this. Our view is that the same logic applies - whether or not the ICO can apply UK law directly to you, you should think carefully about the risks of having your website publicly criticised in the context of new privacy standards that consumers will come to accept as the norm.
What happens if my website isn’t compliant on 26 May?
Don’t worry - you’ll be in good company. The implementation by the ICO of a grace period reflects the short period between the announcement of the planned changes and the effective date. The ICO does not expect the web industry to be able to move to full compliance in time, for numerous reasons.
Firstly, there will be a huge diversity of technology options and obstacles to consider across the very wide range of different websites affected.
Secondly, the use of “pop-ups” or other mechanisms that interrupt the user’s experience of a website presents very serious usability, search engine indexing and commercial challenges to website owners. Businesses especially will be looking very carefully at how they can comply without losing competitive advantage.
Thirdly, it’s unclear at this stage how the new rules will treat cookies that are installed by third party software embedded in a website. The example in most widespread use is Google Analytics, the industry standard traffic and behaviour measurement tool, which installs cookies on behalf of the website being monitored.
What are the penalties for non-compliance?
The new rules give the ICO power to impose fines of up to £500,000 for serious breaches of the Privacy and Electronic Communications Directive. Fines at this level will be very rare.
What do I need to do now?
If you own a website, you need to:
- Make an inventory of the cookies in use on your website
- Establish which of them fall within the scope of the new rules and which are “strictly necessary”
- Talk to your website developer about options for compliance.
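To make the first two steps above concrete, here is an added example (not code from the original post, the ICO or any of the sites mentioned): a small Node.js script that takes Set-Cookie headers captured from a site, records which host set each cookie and whether it persists beyond the browser session, and marks a cookie as “strictly necessary” only when it is first-party and on an allow-list the site owner maintains. The site host, the captured headers and the allow-list are all constructed samples.

```javascript
// Added example, not code from the original post: build a cookie inventory
// from captured Set-Cookie headers and sort each cookie into "strictly
// necessary" (exempt) or "consent required" (within scope of the new rules).
// The host name, headers and allow-list below are all constructed samples.

// The site being audited (constructed).
const SITE_HOST = 'www.example.co.uk';

// Constructed sample of what a crawl of the site's pages observed: the host
// that sent each Set-Cookie header (the site itself, or an embedded third
// party such as an analytics or advertising service) and the raw header.
const OBSERVED_SET_COOKIES = [
  { host: 'www.example.co.uk', header: 'basket=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'www.example.co.uk', header: 'sessionid=9f8e7d; Path=/; HttpOnly; Secure' },
  { host: 'www.example.co.uk', header: '_ga=GA1.2.1234567890.1300000000; Expires=Sat, 25 May 2013 00:00:00 GMT; Path=/' },
  { host: 'ads.example-tracker.net', header: 'uid=t0p1c; Domain=.example-tracker.net; Max-Age=31536000; Path=/' },
];

// Constructed allow-list: first-party cookie names the site owner has
// documented as strictly necessary for a service the user asked for
// (here the shopping basket and the login session).
const STRICTLY_NECESSARY_NAMES = new Set(['basket', 'sessionid']);

// Parse one Set-Cookie header into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// A cookie is first-party when its effective domain is the site host or a
// parent domain of it; anything else was set by a third party.
function isFirstParty(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const s = siteHost.toLowerCase();
  return s === d || s.endsWith('.' + d);
}

// Classify one observed cookie for the inventory.
function classifyCookie(observation, siteHost, necessaryNames) {
  const cookie = parseSetCookie(observation.header);
  const domain = (typeof cookie.attrs.domain === 'string' ? cookie.attrs.domain : observation.host)
    .replace(/^\./, '')
    .toLowerCase();
  const firstParty = isFirstParty(domain, siteHost);
  // Session cookies (no Expires/Max-Age) vanish when the browser closes;
  // persistent ones survive, which is what makes cross-visit tracking possible.
  const persistent = 'expires' in cookie.attrs || 'max-age' in cookie.attrs;
  // Only a first-party cookie on the documented allow-list can claim the
  // "strictly necessary" exemption; everything else needs the user's consent.
  const strictlyNecessary = firstParty && necessaryNames.has(cookie.name);
  return {
    name: cookie.name,
    domain,
    firstParty,
    persistent,
    strictlyNecessary,
    consentRequired: !strictlyNecessary,
  };
}

function buildInventory(observations, siteHost, necessaryNames) {
  return observations.map((o) => classifyCookie(o, siteHost, necessaryNames));
}

// Summarise how many cookies are exempt, need consent, or come from third parties.
function summarise(inventory) {
  return {
    total: inventory.length,
    exempt: inventory.filter((c) => c.strictlyNecessary).length,
    consentRequired: inventory.filter((c) => c.consentRequired).length,
    thirdParty: inventory.filter((c) => !c.firstParty).length,
  };
}

const inventory = buildInventory(OBSERVED_SET_COOKIES, SITE_HOST, STRICTLY_NECESSARY_NAMES);
console.table(inventory);
console.log(summarise(inventory));
```

Run it with `node` and it prints the inventory table and a summary. In real use the observed headers would come from a crawler or browser developer tools rather than a hard-coded list, and the allow-list is the site owner’s own judgement about what is “strictly necessary”; the script only makes that judgement explicit and shows which cookies, including those set by embedded third parties, fall outside it.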
We recommend that you take the steps described above, but take full advantage of the grace period. Don’t rush into implementing any changes on your website until you’ve spent some time observing what high profile websites in your category do after the effective date of Thursday 26 May.
> Information Law Group’s excellent blog post describing the change and its impact in full detail
> An irreverent look at the ICO’s enforcement plans from the Editor of Computers & Law magazine.