Out-Law News

ICO publishes advice on how websites can comply with new 'cookie law'

Websites should not rely on browser settings as indicating whether a user consents to having their online activity tracked, the Information Commissioner's Office (ICO) has advised.

Websites should obtain user consent using other methods in order to comply with new regulations which will come into effect on 26 May, the ICO said in a guide (10-page / 126KB PDF).

The ICO is a data protection regulator which is tasked by the Government to enforce the new laws.

The new regulations will force websites to obtain user consent before tracking the user's online activity through cookies – small text files that remember what a user has visited on the internet. 

"In future many websites may well be able to rely on the user’s browser settings to demonstrate that they had the user’s agreement to set all sorts of cookies. We are aware that the government is working with the major browser manufacturers to establish which browser level solutions will be available and when. For now, though, you will need to consider other methods of getting user consent," the ICO advised in its guidance.

"What is appropriate for you will depend on what you are doing. You should also consider the fact that not all of your website visitors will have the most up-to-date browser with these enhanced privacy settings. You would still need to gain consent for those users," the advice said.

"You need to provide information about cookies and obtain consent before a cookie is set for the first time. Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future," the advice said.

The Government is working with Mozilla, Apple, Microsoft, Google, Yahoo, Adobe and the Internet Advertising Bureau to deliver an efficient technological solution to obtaining user consent, the Department for Culture, Media and Sport told OUT-LAW.

The ICO urged websites to find other ways to obtain user consent to cookies until browser setting technology is further developed.

"At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way," the ICO guidance said.

Online businesses could activate prompts to appear on a user's screen asking whether they consent to cookies, the ICO advice said.

"This might initially seem an easy option to achieve compliance – you are asking someone directly if they agree to you putting something on their computer and if they click yes, you have their consent - but it’s also one which might well spoil the experience of using a website if you use several cookies. However, you might still consider gaining consent in this way if you think it will make the position absolutely clear for you and your users," the ICO said.

Websites could obtain consent by asking users to sign up to terms and conditions that detail the use of cookie tracking, the ICO advice suggested. Preferences that users choose when visiting a site could also be used to obtain consent, the ICO said in its guidance.

"Some cookies are deployed when a user makes a choice about how the site works for them. In these cases, consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work," the ICO advice said.

"For example, some websites ‘remember’ which version a user wants to access such as version of a site in a particular language. If this feature is enabled by the storage of a cookie, then you could explain this to the user and that it will mean you won’t ask them every time they visit the site. You can explain to them that by allowing you to remember their choice they are giving you consent to set the cookie," it said.

"This would apply to any feature where you tell the user that you can remember certain settings they have chosen. It might be the size of the text they want to have displayed, the colour scheme they like or even the ‘personalised greeting’ they see each time they visit the site," it said.

Website features, such as videos, that remember how users personalise their interaction can also be used to obtain user consent, the ICO said.

"Presuming that the user is taking some action to tell the webpage what they want to happen – either opening a link, clicking a button or agreeing to the functionality being ‘switched on’ – then you can ask for their consent to set a cookie at this point," the ICO advice said.

"Provided you make it clear to the user that by choosing to take a particular action then certain things will happen you may interpret this as their consent. The more complex or intrusive the activity the more information you will have to provide," the advice said.

"Where the feature is provided by a third party you may need to make users aware of this and point them to information on how the third party might use cookies and similar technologies so that the user is able to make an informed choice," it said.

Websites should also be more transparent about what information they store about users, the ICO said. The ICO suggests that websites could place text at the top or bottom of a page to inform users that they want to store information about them.

"This could prompt the user to read further information (perhaps served via the privacy pages of the site) and make any appropriate choices that are available to them," the ICO guidance said.

"If the information collected about website use is passed to a third party you should make this absolutely clear to the user. You should review what this third party does with the information about your website visitors. You may be able to alter the settings of your account to limit the sharing of your visitor information. Similarly, any options the user has should be prominently displayed and not hidden away," the ICO said.

The ICO advised websites to tell users where information they store about them through cookies is passed on to other businesses, such as behavioural advertisers.

"We would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device," the ICO said.

"This may be the most challenging area in which to achieve compliance with the new rules and we are working with industry and other European data protection authorities to assist in addressing complexities and finding the right answers," it said.

The new law allows websites to store cookies that are 'strictly necessary' to complete their business. This includes saving information such as what a consumer has stored in their online shopping basket in order to complete a transaction.

The Government plans a phased approach to the implementation of the new law, but the ICO advises that it is essential that organisations can demonstrate that they have a realistic plan to achieve compliance.

Website owners should review the type of cookies their websites store and how they use the information, the ICO advice said.

"This might have to be a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why. You should analyse which cookies are strictly necessary and might not need consent. You might also use this as an opportunity to ‘clean up’ your webpages and stop using any cookies that are unnecessary or which have been superseded as your site has evolved," the ICO said.

Websites should also determine how intrusive their use of cookies is and find a solution to obtaining consent that best suits their circumstances and adheres to the new regulations, the ICO said.

"Some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent," the ICO guidance said.

"It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale," the ICO said.

The ICO said it would be issuing separate guidance on how it intends to enforce the new regulations.

"The guidance is helpful in that it gives practical advice on steps businesses can take to stay on the right side of the law, but it is not definitive, which could leave businesses exposed later," Claire McCracken, OUT-LAW lawyer at Pinsent Masons, the law firm behind OUT-LAW, said.

"The guidance leaves it up to organisations to decide how to get users’ permission for cookie usage, which means different companies will use different methods. Only once enforcement action starts will we really know which of these methods the ICO thinks are within the law and which are not.

"The guidance does list possible methods though, which will help companies, and may be updated when browser-based technical ways of giving permission emerge," McCracken said.

The regulations will be introduced on 26 May to comply with the EU's Privacy and Electronic Communications Directive.
