The Information Commissioner re-issued his guidance on cookies on 13 December. Highlights of the new, longer (27-page) guidance are confirmations that:
- Browser settings will not be effective to show consent, at least at present; and
- That cookies used for website analytics are still subject to the rule on consent. Publishers using cookies for this purpose should provide information about this and explain how visitors can make an informed choice about cookies. If an organisation has done this, the guidance suggests that the Commissioner is unlikely to make enforcement a priority in relation to this type of cookie.
The guidance also confirms:
- The rules do not just apply to cookies
  - They apply whenever information is stored on, and retrieved from, user equipment. They also cover Flash cookies, web beacons and web bugs/clear GIFs
  - Techniques such as device fingerprinting may not be subject to the rules, but would still be subject to broader data protection obligations
- The cookie rules apply even if no personal data is processed
  - However, cookies that store personal data may be more intrusive than others, so there may be more need to focus on these cookies. The provisions of the Data Protection Act would also apply to them
- Publishers should provide clear notice to visitors about cookies
  - Ideally, this should be accessible prominently from the home page – so, for example, privacy policies could be renamed 'privacy and cookies'
  - This will help with arguments that visitors have given implied consent to cookies
- Wherever possible, prior consent should be obtained before cookies are set
  - It is difficult to rely on implied consent – there is not a sufficiently high level of awareness of cookies
  - Consent can be 'bundled' with consent to terms and conditions – as long as users actively affirm their consent. This may be an option for sites where all visitors are registered users, or for sites that can require visitors to accept new terms
  - Unilateral changes to privacy policies or terms and conditions, which are not actively accepted, would not be sufficient
- Cookies which are strictly necessary will not need consent
  - ICO continues to interpret this narrowly – limited to what is 'essential' to provide the requested service
  - Examples would include add-to-basket or checkout functionality
  - Use for resource or capacity planning, advertising, marketing, remembering preferences or analytics would not be covered by this exemption
- The person setting the cookie is responsible for obtaining consent
  - Where third-party cookies are set, responsibility is shared with the publisher
  - It is not clear whether ICO considers that the publisher has a legal responsibility to obtain consent, or whether ICO is reflecting the fact that, in practice, the third party will need to rely on the publisher to do this – ideally obliging the publisher to do so by contract
- Subscribers may be able to give consent on behalf of users
  - The UK Regulations provide that consent can be given by the subscriber or the user, and that consent may be inferred where the subscriber amends or sets controls on the Internet browser
  - Based on this, ICO suggests that the subscriber's wishes may take priority over the user's (i.e. that the wishes of the person who contracts for the internet service should take precedence)
- Cookies used for this will need consent – and this is an area regarded as more intrusive by ICO
  - Third-party cookies are particularly problematic
  - The ICO guidance does not directly comment on the EASA Best Practice Recommendation for Online Behavioural Advertising, although it obliquely refers to a number of industry initiatives which may 'adapt to achieve compliance'