Out-Law News | 21 May 2012 | 9:17 am | 5 min. read
David Smith said he could not guarantee that website practices that are deemed compliant with new consent requirements to cookies in one EU country would also be found to comply with laws in the other EU member states.
He also told Out-Law.com that website operators do not necessarily need to obtain personal details from visitors to their sites in order for there to be "implied consent" for those individuals which would allow the serving of cookies, whilst Smith's colleague also hinted at what website operators using Google Analytics tools to monitor traffic and usage of their sites can do to avoid enforcement action.
Cookies are small text files that record internet users' online activity. Websites store the information on a user's computer, but new EU laws say users should be given the choice whether they consent to websites tracking their behaviour.
Although the new laws were implemented in the UK by amendments to the Privacy and Electronic Communications Regulations (PECR) last year, the ICO placed a year's hiatus on enforcement action in order to enable organisations time to comply with them. That deadline expires next week, with the ICO set to begin its enforcement regime from 26 May.
At a press briefing on how the ICO will approach enforcement following the end of the deadline, the deputy Information Commissioner said that the ICO was working with privacy watchdogs across the EU, including the Article 29 Working Party, on the issue of cookies regulation. However, he said the different bodies may develop separate standards on enforcement.
"We can't say that there will be a unified approach across Europe to enforcement, because enforcement bodies have different powers," Smith said. "What I would hope we have is a shared view of what is compliance and what is non-compliance."
Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that international businesses would not welcome having to conform to different rules on cookies within the EU.
"A non-unified approach to compliance will make it very difficult for businesses that run websites in different jurisdictions, such as the UK and Germany, if enforcement measures will be very different," Scanlon said.
In 2009 the EU's Privacy and Electronic Communications (e-Privacy) Directive was changed to demand that storing and accessing information on users' computers was only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". Consent must be "freely given, specific and informed".
An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.
David Smith said that people should not expect the end of the ICO's moratorium deadline "to launch a torrent of enforcement action." He indicated that firms that have at least begun a cookie audit will not immediately face enforcement action. Some companies that use thousands of cookies have taken "most of this year to work out what cookies they have," Smith added.
"The greater the risk to privacy, the more we are likely to use our enforcement powers," Smith said. "Where we have seen people with sensible timescales we are perfectly happy to work along with those," David Evans, the ICO's strategic liaison group manager for business and industry, added.
The ICO will be keen to talk to companies that do not comply with the consent requirements for serving cookies to find out more about their practices before any infringement notices are served, Smith said. He added that companies would get a chance to respond to such notices before the ICO would make any later decision on whether to fine those firms over the activity.
Under PECR website operators are able to serve visitors to their sites with cookies if those individuals have implied their consent to the activity. Smith said the ICO would issue new guidance on what 'implied consent' means, but confirmed that such consent can be said to have been gleaned from internet users even if those individuals have not "directly" submitted personally identifying details to the site.
"This gives a green light to 'click consent' rather than requiring website owners to obtain individual users' names," Luke Scanlon of Pinsent Masons said. "This is a practical approach because even though you can never know who is sitting in front of a computer unless they give personal information, it avoids placing a cumbersome burden upon business of requiring usernames for consent that even in itself may not be effective in guaranteeing that the person who is using the computer has given their consent."
Consent can also be gleaned from preferences that users choose when visiting a website. Website features, such as videos, that remember how users personalise their interaction can also determine user consent. The ICO has said it is up to individual operators to establish which mechanism for obtaining user consent to cookies is appropriate for their websites.
David Evans also told Out-Law.com how website operators can generally avoid enforcement action when serving cookies stemming from the use of Google Analytics.
"It is technically a first-party cookie if you are using Google Analytics," Evans said. "If you explain your cookies and say 'here's the tool Google's got and where to find it' that is unlikely to prick our ears up in enforcement."
Scanlon said that Evans' comments provide useful guidance to businesses.
"It is really difficult for website owners to know or understand what Google is doing with its analytics tools but what the ICO is asking for at this stage, it appears, is that websites display information explaining that Google has those tools and inform users where to find information on Google's own pages about them," he said. "If you do that it is unlikely that the ICO will take enforcement action against you."
David Smith said that the ICO is set to write to 50 organisations to ask them what they have been doing to obtain consent to cookies on their websites. Those bodies include Government departments and major businesses, he said.
Smith added that the ICO views the development of new mechanisms for obtaining users' consent to cookies within browser settings as a long term technical solution which would not be affective for this generation of browsers.
The ICO's own website does comply with the new laws on cookies, but should not be held out as a model that other organisations necessarily have to follow, he said.