The Information Commissioner’s Office has today published updated guidance on how organisations should comply with the new rules on cookies that came into force earlier this year.
As regular Techblog readers will remember, the new rules came into force without any clear guidance on how organisations should technically comply with them – even the ICO itself appeared to be unclear as to what was required. In recognition of this, the ICO announced a year long grace period for achieving compliance.
What does the updated guidance say?
The updated guidance builds on previous guidance issued by the ICO by giving a number of examples of how compliance can be achieved. Which of these is appropriate will depend upon what the cookie is used for (and the ICO generally leaves it to the organisation to work this out).
There are a couple of points to highlight:
- Consent needs to be informed – users need to understand the potential consequences of allowing each specific cookie to be used
- There is still no browser based solution to getting consent.
- Implied consent is unlikely to be sufficient – implied consent must be based on a “definite shared understanding of what is going to happen.” The ICO’s view is that consumers do not yet have this level of awareness, but that may change over time as consumter awareness increases.
- Wherever possible cookies should be delayed until users have had a chance to understand how they are used – they should not be set as soon as the user visits the site.
- There are no exceptions for analytical cookies – the ICO’s view is that analytical cookies do not fall into the “strictly necessary” category.
- However, cookies for online shopping baskets and those that are necessary to ensure security (for example, on online banking websites) are likely to fall within the exception.
- If cookies are used on more than one website (for example, for third party behavioural advertising purposes), then in order for consent to be valid it has to be “absolutely clear” which websites the cookies will be used on, what they are used for, and exactly what the user is agreeing to.
- You can copy what the ICO does on its website, but the ICO is giving no guarantees that this approach complies with the law.
This last point is particularly disappointing. The worked examples in the new guidance will be welcomed by organisations grappling with how best to comply with the new rules (in the absence of an acceptable browser-based solution), but the reluctance of the ICO to stand behind its own approach, gives organisations little comfort that the suggested approaches in the guidance will be compliant.
The ICO makes clear that the lack of clarity over how the law is supposed to apply will not be accepted as an excuse for non-compliance, and that it is not acceptable for organisations to simply sit back and wait for a browser-based solution.
We’re now six months in to the 12 month transitional period for compliance, after which the ICO will start investigating complaints. The ICO states that organisations now need to be able to show that they have carried out initial assessments over cookie use, and that “sensible, measured action to move to compliance” is being undertaken.
On December 13, 2011