New rules on the use of cookies and apps

The UK Information Commissioner’s Office (ICO) has published some much-needed guidance for website operators on compliance with recently published amendments to the e-privacy regulations governing the use of cookies and apps.

Cookies are commonly used to help websites deliver a better user experience, for example by identifying the user and therefore providing a more personalised experience: remembering the user’s settings, avoiding the need to log in to a website, remembering the contents of a shopping basket, or providing more intuitive results in search engines. However, by their very nature, cookies invariably involve the collection of data from and about the user.

In November 2009, a new EC directive was passed, requiring member states to implement a number of new rules in relation to telecoms and privacy. The rules, which the directive requires be implemented by 25 May 2011, include new rules on seeking consent from users for the use of cookies and similar technologies that store or allow access to information stored on a user’s device, for example apps installed on smartphones and other mobile devices that circumvent the need for a conventional web browser.

Following a period of consultation, the UK government finally published the amending regulations in late April, which will come into effect on 26 May 2011.

What do the new regulations say?
Under the old 2003 regulations, website operators were simply required to provide users with information about the use of cookies and give the user the opportunity to “refuse the storage of or access to that information.” Under the 2009 directive, as implemented, this has changed. The law now requires that a user:

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information [ie the cookie]; and
(b) has given his or her consent.

The effect of new limb (b) is that users now need to give prior consent to the use of cookies.

Ok, so what does that mean?
Historically, website operators have generally sought to comply with the 2003 regulations by putting information on cookies in their privacy policies and allowing users to use browser controls to opt out.

Whilst new regulation 3A expressly contemplates that the consent may be capable of being signified “by a [user] who amends or sets controls on the internet browser”, the UK government’s opinion is that current cookie controls in web browsers are not sufficient to meet the new test for limb (b) above, as they do not have the necessary level of sophistication to distinguish between different types of cookies. The UK government is working with browser manufacturers, presumably as part of a pan-European approach, to discuss how cookie controls can be modified.

In order to help website operators comply with the new rules, the UK ICO has recently published a guidance note.

Here are the key points.

Exceptions to the rule
Consent is not required when a cookie is “strictly necessary for the provision of an information society service requested by the subscriber or user” – the ICO gives this a narrow interpretation (the example given is for an online shopping basket), that specifically excludes cookies that simply make a website more attractive or easier to use. It’s not clear how this might apply to apps.

Audit and review
The ICO recommends a three stage approach:

  • audit whether cookies are needed, and how they are currently used;
  • assess how intrusive their use is; and
  • decide on the best solution for obtaining consent.

Methods of obtaining consent
Acknowledging that current browser controls are not sufficient, the ICO suggests a number of methods for satisfying the consent test:

  • using a pop-up window or similar technique when the user first logs on to a website or installs an app;
  • using terms and conditions, by obtaining positive, up-front acceptance from the user of terms and conditions that clearly set out how cookies are used before the cookie is deployed;
  • settings-led consent for cookies that remember a user’s settings;
  • feature-led consent, by asking for consent at the point at which a feature/function is first utilised by the user;
  • functional uses (for analytics cookies), by displaying a prominent/highlighted message notifying the user and providing a link to more information and how to make a choice (although it is not clear how the ICO envisages that the user rejects this particular type of cookie); and
  • third party cookies – although the ICO rather unhelpfully says here that it is complex and “everyone has a part to play” in working out a solution.

Each of these approaches is discussed in more detail in the ICO’s guidance note.

So how long do I have to comply with the new rules?
As noted above, the new regulations come into force on 26 May, but the ICO acknowledges that there needs to be a phased approach to implementation, and therefore that in the event of a complaint the important thing is that the organisation can show that it is taking steps to comply with the new rules. However, it is not clear for how long this grace period will apply.

The ICO has said that it will issue further guidance in due course, so watch this space or follow @ICOnews on Twitter.

Updated 25/05/11 – the ICO has today announced that website operators will have a period of one year to make the necessary changes to their websites.
