Last week, the Information Commissioner’s Office (ICO) issued guidance on new laws that will affect tens of thousands of business owners.
The rules, which apply to all EU websites, require website owners to get “explicit consent” from users before cookies are saved on their computers. In practice, this makes thousands of websites illegal under European law.
But what are cookies? How do the new rules affect your business? And what do you need to do to comply?
What are cookies?
Cookies are small files that websites use to retain information, for example about a user’s preferences. They are saved on the user’s computer, and are often used to remember things like the contents of a shopping basket. Cookies are very widely used; indeed, without cookies many websites would no longer function.
What are the new rules?
In an effort to address privacy concerns and increase user choice, EU member states have determined that cookies must be operated on an ‘opt-in’ basis. That is, users must give their consent before cookies are stored on their computer.
This is in contrast with the previous system, under which website operators were required to give information about the cookies that were to be stored, but were not required to gather explicit permission.
The only exception to the rule occurs in instances where the cookie is deemed necessary for the completion of a task that the user has expressly requested. The ICO has said this might, for example, occur in online shops in which cookies are required to enable the site to remember the contents of a shopping basket between the browsing and checkout stages.
Does this affect my website?
It is also important to understand that the law applies to all technology similar to cookies. You can’t get round the law by using another technique that stores information but is not generally known as a cookie.
How can I comply?
There has been some confusion about the way in which businesses are expected to comply with the new rules. Many businesses have adopted a ‘worry about it later’ approach – and indeed, the ICO has said it will not begin enforcing the rules for another 12 months. But this approach will not last for long – and the necessary changes to your website could be time-consuming.
The ICO has recommended that businesses consider a three-stage process:
1. Investigate which cookies you are already using.
2. Consider how intrusive these cookies are. Are they strictly necessary within the terms explained earlier?
3. Work out how you will obtain consent.
Clearly, the third stage here is the most complicated. There is not yet a consensus regarding the best way to obtain consent, and your chosen method is likely to depend on the nature of your website. However, some businesses are investigating pop-ups, while others are considering placing a single Terms & Conditions document at the user’s point of entry, which the user is required to accept before continuing.
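One way the three stages fit together in code, as an added example (not from the ICO guidance or the original article): the audit and classification from stages 1 and 2 become a cookie registry, and stage 3 becomes a gate that writes strictly necessary cookies straight away but holds every other cookie back until the user opts in. The registry entries, the `jar` object standing in for `document.cookie`, and the category names are all assumptions made for the example.

```javascript
// Added example: a consent gate that stores non-essential cookies only after opt-in.
// COOKIE_REGISTRY is a hypothetical result of stages 1 and 2 (audit and classification).
const COOKIE_REGISTRY = {
  basket: { category: "necessary", purpose: "shopping basket between browsing and checkout" },
  analytics_id: { category: "analytics", purpose: "usage statistics" },
  ad_pref: { category: "advertising", purpose: "advert personalisation" },
};

// `jar` stands in for document.cookie so the example runs outside a browser;
// a real deployment would write through to document.cookie with an expiry and path.
function createCookieGate(jar, registry = COOKIE_REGISTRY) {
  const consented = new Set(); // categories the user has explicitly opted in to
  const deferred = [];         // non-essential writes held until consent is given

  return {
    // Stage 3: store immediately only if strictly necessary or already consented.
    set(name, value) {
      const entry = registry[name];
      if (!entry) throw new Error(`unregistered cookie: ${name}`); // stage 1 gap
      if (entry.category === "necessary" || consented.has(entry.category)) {
        jar[name] = value;
        return true;
      }
      deferred.push([name, value]);
      return false;
    },
    // Record opt-in for one or more categories and replay any held writes.
    grant(categories) {
      for (const c of categories) consented.add(c);
      for (let i = deferred.length - 1; i >= 0; i--) {
        const [name, value] = deferred[i];
        if (consented.has(registry[name].category)) {
          jar[name] = value;
          deferred.splice(i, 1);
        }
      }
    },
    // Withdraw consent: delete every stored cookie in that category.
    revoke(category) {
      consented.delete(category);
      for (const name of Object.keys(jar)) {
        if (registry[name] && registry[name].category === category) delete jar[name];
      }
    },
    // Stage 1/2 output: the table a site could publish in its cookie notice.
    report() {
      return Object.entries(registry).map(([name, e]) => ({ name, ...e, stored: name in jar }));
    },
  };
}
```

Any cookie not in the registry is rejected, so an untracked cookie surfaces as an error during testing rather than as an unnoticed compliance gap.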
Some commentators have suggested that browser settings might also be a way of determining whether or not consent has been given. Currently, though, browsers are not sophisticated enough to do this – and particularly not to differentiate between different cookie types. Browser settings are therefore not an acceptable solution at the minute.
The law has already changed, with the new rules having come into force on 26 May. But the ICO recognises that businesses are not currently in a position to change their practices. As such, firms are being given 12 months to comply.
The ICO has issued guidance on compliance, and has made clear that it may issue further information in the future. What is clear, though, is that the policing of cookies is changing – and if your website uses this technology, you almost certainly need to change your practices.