Are you complying with the cookies law? Charlotte Black of specialist law firm TravLaw says businesses need to act now to comply with regulations now in force if they have not done so already.

Many of us may think of a cookie as a rather delicious biscuit, but it is also a small file downloaded to a person’s computer when he or she visits a website.

It is these cookies which allow a website to recognise a user’s computer and do things such as save passwords, log in details and user preferences and collect statistical information about the use of the website. Most of us operate websites which download cookies on to users’ computers.

The law in relation to use of cookies changed on May 26 last year as a result of an update to the Privacy and Electronic Communications Regulations 2003.

Website owners were given a year’s grace to implement the changes required under the new law – and that grace period just ran out.

Yet on the eve of this happening it was anticipated that more than 80% of the industry was not yet prepared for the new rules. These require that cookies only be downloaded on to a computer where the user or subscriber has given their express consent.

The regulation states that cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment: (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.

One of the main challenges is to obtain this consent without affecting the user’s experience of your website. Critics of the rules envisage internet bookers being bombarded with consent pop-up boxes, with a potential impact on sales.

The new law also poses particular difficulties for websites which allow third parties to download cookies on to a user’s computer or device. This is a challenging area for websites which display content from third parties, for example through online advertising.

Businesses are now expected to have made the necessary changes to comply. The fine for non-compliance could be up to £500,000, although penalties will start much lower than this at up to £5,000 per breach in a Magistrates Court.

The changes have been described by the industry as vague and poorly drafted. However, the new law is here to stay, and the Information Commissioner’s Office (ICO) has warned that from May 26 this year there will be enforcement.

Here is just one example of the potential difficulties. Suppose James and Derek share a PC. James accepts the use of cookies on a particular website. Later, Derek visits the same website on the PC. The site has no way of knowing this isn’t James and so Derek’s activities are tracked by the cookie James set.

There is a real lack of guidance on this issue. The letter of the law appears to have been broken in this example, but whether this would be considered a breach boils down to how the law is interpreted.

Unless the ICO provides guidance, only time will tell how it chooses to enforce this rule.

At TravLaw we suggest the following:

1. Review the use of cookies on your website and consider a strategy.

2. Monitor the ICO website, and follow its guidance. Consider what your peers in the industry are doing in respect of the Cookies Directive. You don’t want to be the only one non-compliant.

3. Is your privacy policy up to date? Is it clear how you use cookies? Does the policy outline clearly the reasons for their use? If not, we recommend it is re-drafted by lawyers to make it as clear as possible. Remember, this Directive is about protecting the consumer.

4. Speak to your website technology provider. Can they build into your website opt-in cookie boxes which are clear and simple for the user and don’t affect use of your website?

5. Don’t bury your head in the sand. If you require further information, contact either Charlotte or Farina at TravLaw.

Charlotte Black is head of the employment department at TravLaw.