Cookies: More information, and a demonstration

With a new law on obtaining consent for cookies coming into force today, the Information Commissioner has published details of how the ICO’s own site has been updated to comply. There appear to be three main changes:

  • A lot more information on the privacy statement about the names and purposes of each cookie, and how access to the site will be affected if they are not accepted;
  • Notice of the session cookie that appears to be essential for the site to perform its function (and which will have already been installed by the time the user reads the notice);
  • A checkbox at the top of every page allowing the user to consent to the use of cookies. It appears that unless consent is granted, the site will not present the Google Analytics cookies that it and many other sites use.

While the first two of these should be relatively simple for others to follow, the checkbox looks tricky to implement for any site that does not use a single Content Management System. However it is not clear from the ICO’s information whether difficulty of implementation is something that organisations are allowed to consider in determining how to comply with the law, or what other approaches to obtaining consent for analytics and similar cookies will be acceptable.
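The behaviour described in the list above can be reduced to one per-request decision, shown here as an added sketch that is not the ICO's code or anything from the original post. The cookie names, the analytics placeholder and the one-year consent lifetime are all assumptions made for illustration.

```javascript
// Hypothetical names: the post does not give the ICO's actual cookie names.
const SESSION_COOKIE = "session_id";      // essential, set before any consent
const CONSENT_COOKIE = "cookie_consent";  // records the ticked checkbox
const ANALYTICS_SNIPPET = '<script src="/analytics.js"></script>'; // placeholder

// Parse a Cookie request header into an object, ignoring malformed pairs.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    try {
      jar[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) { /* bad percent-encoding: drop the pair */ }
  }
  return jar;
}

// Decide what one page response may set and embed.
// consentTicked: true only when this request submits the ticked checkbox.
// newSessionId: caller-supplied value from a cryptographic random source.
function buildResponse(cookieHeader, consentTicked, newSessionId) {
  const jar = parseCookies(cookieHeader);
  const setCookies = [];
  if (!jar[SESSION_COOKIE]) {
    // The essential cookie is issued on first contact, before the notice is read.
    setCookies.push(`${SESSION_COOKIE}=${newSessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`);
  }
  // Fail closed: only the exact value "yes" counts as recorded consent.
  let consented = jar[CONSENT_COOKIE] === "yes";
  if (!consented && consentTicked) {
    consented = true;
    setCookies.push(`${CONSENT_COOKIE}=yes; Path=/; Max-Age=31536000; Secure; SameSite=Lax`);
  }
  return {
    setCookies,
    showConsentBox: !consented,                     // checkbox stays until consent
    analytics: consented ? ANALYTICS_SNIPPET : "",  // no analytics without consent
  };
}
```

Every page template has to call the same function and honour its result, which is where a site without a single Content Management System runs into the difficulty described above.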

An open letter from the Department for Culture, Media and Sport explaining its approach to transposing the Directive into UK law does suggest that difficulty of implementation might be a relevant factor by recognising that “in certain circumstances it is impracticable to obtain consent prior to processing”. However the proposed solution to this problem seems certain to cause legal confusion, since it requires the word “consent” to have different meanings in different articles of the Directive! In Regulation 6, dealing with cookies, the word is used without qualification, leading the Government to conclude that here “consent may be given after or during processing” even though “in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken”. The Government therefore argue that the “consent” required for cookies (which may be obtained during or after the event) is different to the “prior consent” that the same Directive and Regulations require before personal data may be processed for marketing or value added services (Regulation 7). [For those struggling, like me, to have both the original legislation and the amendments open on the same screen, Jon Warbrick has a marked up version of Regulation 6 on his blog]

The letter also appears to contain a puzzle over when a web site will be able to rely on cookie settings in users’ browsers. It agrees with others that “current browser default settings [are not] enough to constitute consent”, but confirms that the text of the law does “allow for the subscriber not to amend settings and still signify consent”. In other words, at some point in future, websites will be able to rely on browser settings as an indication of the user’s wishes. But it’s not at all clear to me how we get from one situation to the other, unless the Department is planning to announce one day that henceforth unchanged browser settings can be relied upon to indicate consent, or to grant particular browser versions a “consent-approved” status? In the meantime it seems that both browsers and websites will have to develop systems for obtaining consent that will inevitably duplicate (and possibly conflict with) each other.

Fortunately the Information Commissioner has also declared a grace period of a year before full enforcement measures will be taken against those who have not implemented the new law. However the actions taken by sites in those twelve months may be taken into account in any subsequent enforcement action, so this definitely isn’t an excuse to do nothing. It’s to be hoped that in a year’s time the balance between the duties of sites and browsers is a lot clearer than it seems now.

[UPDATE Brian Kelly has comments on the new law from a web manager’s perspective]

[UPDATE The European Commissioner has also offered a year’s grace period for sites to comply with the regulations, but threatened to “employ all available means” against those who do not]

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
