On 9 May 2011, the Information Commissioner’s Office published initial guidance on the practical steps UK businesses need to take in order to comply with the new Privacy and Electronic Communications Regulations. The Regulations govern the use of cookies, or the placing or accessing of any other information stored on a user’s device. With so many businesses now using cookies to identify and track visitors across their websites, we thought it important to highlight these new regulations.
When do the Regulations come into force?
The Regulations come into force on 26 May 2011. This legislation, derived from an amendment to the EU’s Privacy and Electronic Communications Directive, will require all organisations operating websites, as well as advertisers and ad networks, to obtain informed consent from their visitors when storing or accessing cookies (or other information) on their computers and mobile devices. The only exception to this rule is if the cookie is ‘strictly necessary’ for a service requested by the user. An example of this would be remembering the items an individual may have placed in their virtual baskets when purchasing items online. In such circumstances, no consent will be required.
What does the guidance say?
The guidance is intended to assist businesses in considering what types of cookie their websites use, the purpose of each cookie and how intrusive its use is, and offers suggestions on recommended methods for obtaining consent from users. The purpose of the guidance is not to provide a definitive compliance guide but rather to act as a starting point for those businesses that are considering how to comply with the new legislation when it comes into force.
What do I need to do now?
Under the new Regulations, businesses should perform a comprehensive audit of their websites, filter out unnecessary cookies and identify any ‘strictly necessary’ ones that would not require consent because they fall under the exception. The guidance also encourages businesses to evaluate the intrusiveness of each cookie and to consider changing how the most intrusive of these cookies are used (e.g. asking whether it is necessary to use Flash cookies, which can be tricky for users to block).
Why should I bother?
The new Regulations grant other new powers to the ICO, including the power to serve monetary penalties of up to £500,000 on organisations that commit serious breaches of the Regulations, including making unwanted marketing phone calls or sending spam email. Individuals and businesses will also have a right to bring a claim for breaches of the Regulations. The ICO will issue separate guidance on how it intends to enforce the new Regulations.
It is also good business. Telling people what you are leaving on, or accessing from, their computer or mobile helps build trust. Being transparent wins loyalty, and engaging with customers by means of notice, choice and education empowers people and helps them manage their own privacy. It also protects your brand by avoiding the perception that you are acting covertly.
Some pointers
Whilst the ICO’s guidance is welcome, businesses will need to be creative and consider, on a case-by-case basis, how they can best achieve compliance without disrupting the user experience. This will involve (amongst other things):
- Reviewing your privacy policy.
- Adopting a ‘layered’ approach to informing users about how your site works, in order to gain valid consent.
- Reviewing contracts with ad networks to apportion responsibility.
- Conducting an audit of your digital estate and its cookie functionality.
- Ensuring your websites are compatible with next generation browsers.
This article was written by Pitmans. For further details, please contact Philip James on 0207 634 4655 or email pjames@pitmans.com.