Websites won’t risk a fine by failing to meet new cookie rules, the Information Commissioner’s Office has said.
The rules – the result of an EU Directive – technically came into force last May, but the ICO gave UK sites a year before taking enforcement action.
That grace period ends next week, but the ICO has assured website owners it won’t be issuing any fines. “Please don’t read that as suddenly the ICO is going to launch a torrent of enforcement action,” said deputy commissioner Dave Smith, at a media briefing.
Sites will generally only be investigated by the ICO after users report them via a yet-to-launch tool on the watchdog’s site. Only the most intrusive cookies will lead to the ICO using its “enforcement powers”, Smith said, which include fines of up to $500,000 or notices requiring companies to take action to fix data protection flaws.
Smith said fines were unlikely for cookies, as they wouldn’t meet the requirements for being “substantially distressing” to individuals. “We do not rule that out but it’s most unlikely that breaches of cookie requirements meet the requirement for monetary penalty,” he said. “In the area of cookies, it’s quite hard to satisfy the test for a fine.”
A briefing document from the ICO put it more clearly: “In reality the placement of a cookie on an individual’s device will not meet the necessary criteria to be considered for a CMP [civil monetary penalty].”
The watchdog stressed that sites that have taken some steps to reach compliance were unlikely to face any action. “We recognise that some people have web development cycles that don’t just start when the ICO says,” added Dave Evans, strategic liaison manager at the ICO.
Leading by example
Smith said people have asked if the ICO’s own site should be looked to as a model for how to address the new rules. “We don’t put it up as a wonderful inventive solution… but above all, it’s legally compliant,” he said, adding there are “probably much better ways of getting consent”.
However, the ICO had few examples for businesses to draw ideas from, saying it didn’t want to hold up specific sites as models of compliance because every site will require a different approach and use different technologies – adding that apps could also be covered by the regulations.
Smith said the ICO was about to send letters to 50 top websites, asking what they’re doing to meet the rules. Earlier this week, the Cabinet Office admitted the majority of Government sites wouldn’t reach full compliance by next week. The ICO said that didn’t give a free pass to other sites. “Don’t take Government websites as an excuse,” Evans said.
The Cookie law: clarity at last (but not from the ICO)
Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 – “the Cookie law” to most of us – became part of UK law in May last year, and the Information Commissioner’s Office (ICO) immediately invoked a one-year moratorium on enforcement. Some might interpret that as tacit acknowledgement that the regulations were unenforceable. Little seemed to have changed as the end of the moratorium approached, and website owners waited, in vain, for specific guidance from the ICO on how, exactly, to make their sites compliant.
Finally, something resembling advice has appeared, but it has come not from the ICO but from the business organisation the International Chambers of Commerce (ICC). Despite the inevitable disclaimer on page 2 that it “does not constitute legal advice”, it’s by far the most practical guide to the cookie regulations I’ve seen so far, and it is the result of research carried out by an organisation looking at this from a practical point of view rather than the compliance-based approach of the ICO.
Indeed, David Evans, group manager for business and industry at the ICO, said at the launch of the guide: “Today’s ICC UK guidance provides organisations with a good starting point from which they can work towards full compliance.” Which is about as close to a ringing endorsement as we’re ever likely to get from the 21st Century equivalent of the Circumlocution Office.
It’s not that the guide says anything new per se, but because of its business focus it bridges the gap between the legalistic coverage of the regulations produced by the ICO and the pleas of website owners to “JUST TELL ME WHAT TO DO!”
My advice is to download and digest the guide – it’s not long and it’s a model of clarity. In summary, the ICC’s guide places cookies into four categories and then explains its thinking about how each should be dealt with. The first category is Strictly Necessary. To fit this category, the cookie must be “related to a service provided on the website that has been explicitly requested by the user”. Aside from obvious cases such as shopping cart cookies and access to protected areas, the ICC suggests that remembering previously entered text so it’s not lost if the page refreshes falls into this category. No user consent is required for category 1 cookies.
The second ICC category is Performance Cookies. And here it gets interesting because the ICC includes analytics, advertising and Pay Per Click cookies in this category – provided they only store anonymous data and cannot therefore be used for behavioural targeting of ads. This was my biggest single concern with the regulations – I could see no way they could realistically be applied if it denied European website owners access to essential analytics information that would be available to owners elsewhere. Consent for cookies in this category, according to the ICC, can be obtained by placing appropriate wording in the site Terms and Conditions (most professional sites will have this already). So, no opt-in required.
The ICC’s third category is Functionality Cookies – cookies that remember user choices so that they have a more personalised experience. This might include detecting if the user has already seen a popup so that it isn’t shown again, submitting comments and remembering colours, text size etc. As with Performance Cookies, the ICC suggests you can comply with the regulations by inserting text into your terms and conditions rather than forcing users to choose explicitly.
This leaves the final category, the “bad boys” that the regulations were originally aimed at: Targeting/Advertising Cookies. We’ve all experienced the slightly creepy way ads follow us around the internet – they do this by collecting information about our browsing habits which is then used to serve up targeted ads. Even in this pretty clear-cut case, it’s possible to argue that the onus is on the ad serving network to request consent but, to be on the safe side, the ICC advises website owners to get clear, explicit consent from users if their site employs such technology.
For most website owners, then, it seems minimal changes are necessary – at least according to the ICC’s interpretation of the regulations. It’s a pity it’s taken a third party to produce such clear guidance rather than the body responsible for implementing the law but at least it’s arrived, in the nick of time. Good on the ICC.