
EU cookie regulations: are you ready?

On 26 May 2012 the Information Commissioner’s Office (ICO) will start to gather evidence that companies are taking steps to comply with the new Privacy and Electronic Communications Regulations that came into force on 26 May 2011. There is a lot of discussion about the so-called EU Cookie Law and what steps website owners must take to be compliant. We have summarised the key information that website owners need to ensure that they stay on the right side of the ICO.

What are cookies?

Cookies are simply small text files placed on your computer or mobile device during your visit to a website or web page. Cookies help website owners remember your username and preferences, analyse website performance and ultimately provide relevant content. For more information see this article from Wikipedia: http://en.wikipedia.org/wiki/HTTP_cookie.

What are the new regulations for?

The regulations are intended to protect individuals from intrusive access to their personal information and covert surveillance of their online activity. The vast majority of legitimate website owners take their customers’ privacy seriously and these new regulations might seem unnecessarily onerous. However, there will always be a less courteous minority that carelessly or maliciously misuses personal information about visitors and the regulations are in place to protect the public from these rogues.

What do website owners need to do in order to comply with the regulations?

The ICO provides detailed information on the regulations and advice on how to comply with them in this article:
Privacy and electronic communications: Cookies.

The crux of the regulation is that website owners must not use cookies or similar devices unless the visitor (or owner of the equipment):

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

There are some exemptions, and differing opinions on what constitutes consent. These issues are discussed in numerous publications, including these available from E-consultancy and Out-Law.com:

EU Cookie law: three approaches to compliance

The EU Cookie Law: A guide to compliance

Cookie laws

AboutCookies.org

Opt-in or consent?

This is a very important question. If you can demonstrate on your website that information about all cookie use is easy to access and easy to understand for your customers, then even if you don’t take any action to get explicit consent through a check box you may be able to demonstrate that you are compliant with the law because you have implied consent. Colin O’Malley in this article explains the difference between “opt in” and “consent” in more detail: The difference between consent and opt-in

When should I start?

You should have started already. The ICO will start to gather evidence that companies are taking steps to comply with the new regulations next Saturday (May 26th). All website owners must provide clear information to their users about the type of cookies used and current policies in place to obtain consent. Here you can find some examples of organisations taking steps to comply with the regulations:

neoworks privacy policy: http://www.neoworks.com/legal/privacy/

ICO privacy notice: http://www.ico.gov.uk/Global/privacy_statement.aspx

The Mirror’s Cookie policy: http://www.mirror.co.uk/cookie-policy/

What is absolutely essential for the 26th May?

Update your privacy policy to state which cookies are in use on your website; this should include, for example, cookies used for login, preferences and analytics. Information about the purpose of each type of cookie should be provided along with a statement about how collected data is treated. It is also a good idea to include information about how your customers can manage the acceptance of cookies in their browser if they wish to do so.

The update to your privacy policy should be clearly advertised to your visitors. This may be achieved in a variety of ways; popular approaches are banner overlays and ribbon banners, as these are obvious to visitors without being overly obtrusive. Finally, a privacy policy should encourage trust between you and your customers, so it needs to be written for general easy understanding and not in legal jargon.
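To make the steps above concrete, here is an added example (not code from the original post or from any of the organisations it links to) of how a site can keep the cookie inventory its privacy policy describes and refuse to set any non-essential cookie until the visitor has consented to that category. The cookie names, categories and purposes are constructed for illustration; the `jar` abstraction stands in for `document.cookie` so the logic runs outside a browser.

```javascript
// Cookie inventory: one entry per cookie the site sets, grouped by purpose.
// This is the same list the privacy policy should publish. (Constructed sample.)
const COOKIE_INVENTORY = {
  session_id: { category: 'essential',   purpose: 'Keeps you logged in during your visit' },
  lang_pref:  { category: 'preferences', purpose: 'Remembers your chosen language' },
  _ga:        { category: 'analytics',   purpose: 'Measures website performance (visits, pages viewed)' },
};

// Consent state per non-essential category. "essential" cookies are exempt
// (they are needed to provide the service the visitor asked for), so they
// have no entry here; everything else starts as "not consented".
function createConsentState() {
  return { preferences: false, analytics: false };
}

// Called when the visitor ticks the categories in the banner / check boxes.
// Unknown category names are ignored rather than silently enabling tracking.
function recordConsent(state, categories) {
  for (const c of categories) {
    if (Object.prototype.hasOwnProperty.call(state, c)) state[c] = true;
  }
  return state;
}

// Withdrawal of consent: the "manage cookies" link should call this.
function withdrawConsent(state, categories) {
  for (const c of categories) {
    if (Object.prototype.hasOwnProperty.call(state, c)) state[c] = false;
  }
  return state;
}

// The gate: may this cookie be written right now?
// A cookie that is not in the inventory is refused outright, because the
// policy does not describe it and the visitor cannot have been informed.
function mayStoreCookie(state, name) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) return false;
  if (entry.category === 'essential') return true;
  return state[entry.category] === true;
}

// jar: any object with set(name, value). In a browser this would assign to
// document.cookie; the in-memory jar below lets the logic run anywhere.
function setCookie(jar, state, name, value) {
  if (!mayStoreCookie(state, name)) return false;
  jar.set(name, value);
  return true;
}

// Plain-language table for the privacy policy, generated from the inventory
// so the published list cannot drift from what the code actually sets.
function privacyPolicyLines() {
  return Object.entries(COOKIE_INVENTORY).map(
    ([name, { category, purpose }]) => `${name} (${category}): ${purpose}`
  );
}

class MemoryJar {
  constructor() { this.store = {}; }
  set(name, value) { this.store[name] = value; }
}

// Walk through a visit: before consent only the session cookie is stored;
// after the visitor accepts analytics, _ga is allowed but preferences still not.
function demo() {
  const jar = new MemoryJar();
  const state = createConsentState();
  setCookie(jar, state, 'session_id', 'abc123');  // true: essential
  setCookie(jar, state, '_ga', 'GA1.2.1');        // false: no consent yet
  recordConsent(state, ['analytics']);
  setCookie(jar, state, '_ga', 'GA1.2.1');        // true: analytics consented
  setCookie(jar, state, 'lang_pref', 'en');       // false: preferences not consented
  setCookie(jar, state, 'tracker', '1');          // false: not in the inventory
  return Object.keys(jar.store).sort();           // ['_ga', 'session_id']
}
```

In a real site the consent state would itself be persisted (a consent record is generally treated as an essential cookie) and `jar.set` would write `document.cookie`; the point of the gate is that every call that stores a cookie passes through one function that checks the published inventory, so the policy and the site's behaviour stay in agreement.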