Data Protection - Cookies

Background

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“Regulations”) implemented the provisions of Directive 2002/58/EC (also known as the “e-privacy Directive”) concerning the processing of personal data and the protection of privacy in the electronic communications sector.

The Regulations have been amended several times since their introduction in 2003. The respective amendments have spanned various areas of the Regulations including the rules on marketing calls, cookies, emergency text alerts and enforcement of breaches. This note focuses on the application of the Regulations to the use of cookies on websites.

What is a “cookie”?
A cookie is a small, often encrypted text file downloaded onto a device by an online provider when a user accesses certain websites. Cookies collect information about the internet user which is transmitted back to the originating website on each subsequent visit. They can be useful in assisting the effective navigation of webpages.

The law
On 26 May 2011 the Privacy and Electronic Communication (EC Directive) Amendment Regulations 2011 (“2011 Amendments”) came into force and amended regulation 6 of the Regulations. Regulation 6 now provides that a person must not store or gain access to information stored in terminal equipment (computer or mobile phone) of a subscriber or user unless the subscriber or user
(a) is provided with clear and comprehensive information about the purpose of the storage or access; and
(b) has given consent.

Practical position
As a result of the 2011 Amendment to the Regulations any website which uses cookies must (i) provide website users or subscribers with clear and comprehensive information about the cookies used on the website (ii) their purpose and (iii) obtain consent to the use of the cookies unless one of the exceptions applies. This is a change from the original 2003 position of the Regulations, whereby users had to be told about cookies but only had to be given an opportunity to “opt out” of the use of cookies.

Enforcement
The Information Commissioners Office (“the ICO”) is responsible for enforcing the Regulations. 

The ICO can require organisations to provide specific information via information notices or issue enforcement notices requiring specific action to be taken.  Failure to comply with the Regulations can lead to criminal prosecution, non-criminal enforcement and audit. The ICO can also serve a monetary penalty notice imposing a fine of up to £500,000 for serious contravention.

Third party cookies
If third party cookies are set up through the website, both the owner and the third party who set up the cookie may be responsible under the Regulations.  In practice however, complaints are likely to be made against the website owner.  Therefore, website owners should consider
putting contractual restrictions on third parties not to set third party cookies without the website owner’s consent and should also consider imposing contractual obligations with regard to the information and consent provisions.

“Strictly necessary” exception
There is an exception to Regulation 6 if the technical storage of or access to information is used:
(a) for the sole purpose of carrying out transmission of a communication over a communications network; or
(b)  where such storage or access is strictly necessary for the provision of an information society service requested by a subscriber or user.

The strictly necessary exception is met, for example, when buying a product, a cookie is used to retain the information needed to proceed to checkout from the basket.  The exception is unlikely to apply to analytical cookies, advertising cookies or cookies used to recognise a returning user to a website to give a personalised greeting.

What does this mean for organisations?
In order to achieve compliance, the ICO recommends organisations should consider taking the following steps:

Step 1 - audit cookies
First, undertake a web site audit to find out which cookies or similar technologies (if any) are used:

  • Identify which cookies are operating on or through your website
  • Confirm the purpose(s) of each of these cookies
  • Confirm whether you can link cookies to other information held about users - such as user names
  • Identify what data each cookie holds
  • Confirm the type of cookie - session or persistent
  • If it is a persistent cookie, how long is its lifespan?
  • Is it a first or third party cookie?  If it is a third party cookie, who is setting it?
  • Double check that your policy provides accurate and clear information about each cookie

Step 2 - prioritise cookies
Once the organisation is aware of which cookies it is using, these can be prioritised.

  • Analyse any which are strictly necessary
  • Delete and clean up any not used or hardly used (non-essential)
  • Can any non-essential cookies be disabled immediately?
  • Grade cookies on a sliding scale from most intrusive to privacy neutral and focus first on the most intrusive
  • Locate the most intrusive cookies which the website uses and consider if any cookies should be disabled pending consent
  • The International Chamber of Commerce UK (“ICC UK”) has provided categorisations of cookies as set out in step 3 below

Some examples of cookie types are:

  • Session/transient (which expire after the browser is closed and are short term)
  • Persistent/permanent or stored  (stored longer for terms i.e. between browser sessions)
  • Flash Cookies/local shared objects
  • First party cookies (sent by the actual website being visited)
  • Third party cookies (sent by a third party website other than the one being used by the user).

Whether a cookie is “intrusive” is in effect a judgment call.  If the cookie has no impact and merely keeps the users’ information safe, this could be graded as low.  An analytical tool that shows which pages are visited frequently or which links are used may be less intrusive if the information collected cannot be linked back to an identifiable individual.  However, a cookie which creates profiles of an individual’s browsing habits is likely to be seen as more intrusive, as is a cookie which collects personal data.  Also, cookies used as marketing tools as opposed to those used for enjoyment of the site, may be seen as more intrusive.  Those which last longer may also be considered as more intrusive.

Step 3 - inform users of the cookies
Give the website user clear and comprehensive information about:

The ICC UK has also helpfully divided cookies into 4 categories; strictly necessary, performance, functionality and targeting/advertising cookies. For each type of cookie, the ICC UK suggests a description to be used to explain the cookies and also provides suggested consent wording.  In addition the information about cookies should be clear, comprehensive and prominent.  It must also be easily accessible to the user.  You should, therefore, consider if it is appropriate to place the details of cookies in the privacy policy or a separate cookie policy.  You should also consider providing details at the point of consent or ensure the cookies are identified or highlighted separately in another way. 

Step 4 - enable users to signify consent

In practical terms, it is this aspect of the Regulations which require the greatest amount of thought.  The ICO does not specify exactly how consent should be obtained. Guidance on the meaning of consent can be taken from the ICO guidance on the Regulations and the EU Directive 95/46/EC (which deals with Data Protection).  The latter requires that consent is freely given, specific and an informed indication of wishes signifying the agreement.  The ICO in its guidance suggests consent must involve some form of communication where the individual knowingly indicates acceptance.

Consent must also be signified ideally before the cookie is activated. This may cause practical issues where websites contain cookies which are activated as soon as the users access the site.  The ICO’s advice on this point is that, where this is unavoidable, the website owner should at least reduce the amount of time between the cookie being activated and consent being given. This would mean making the information about cookies very prominent and easily accessible to the website user (e.g. by means of a pop up or a banner).

Methods for consent can include banners, tick box, clicking on an icon, sending an email or registering for a service, opt-ins,  or consent via subscription (if subscribing to a service). 

Simply notifying users about cookies via a privacy policy which is not drawn to the user’s attention is unlikely to be sufficient to establish consent.

It may be possible to argue in the case of non-intrusive cookies (such as performance, and those which deal with functionality) that, if the user is informed (e.g. by pop up) that by proceeding with the website’s use they consent to such cookies, the users have knowingly indicated consent by proceeding.

The ICO has also indicated in its guidance that in the case of certain non-intrusive cookies using analytics, in practice it is unlikely to prioritise formal action where there is a low level of intrusiveness and risk of harm to individuals.

Use of a browser setting to signify consent
In the future, it may become possible to rely on a browser, or equivalent functionality, to obtain consent.  At present, the ICO takes the view that the current browser technologies are unlikely to meet the requirements of the Regulations.  Commerce and the Government are working together to try and push this forwards.

Withdrawing consent or changes to use of cookies
Provision should also be made for withdrawal of consent by users and the website should provide information on the consequences of this.  The website will also need to provide information on changes to use of cookies and whether consent to such changes is needed.

Summary
The objective of the cookies Regulations is to encourage organisations to be transparent about the information being collected from website users and how this information is being used.  It also aims to educate users so they become more aware of where and how cookies are used so their privacy is respected.

For further information please contact Beverley Flynn on 01483 302264 or Beverley Whittaker on 01483 734281.

 

This information is necessarily brief and is not intended to be an exhaustive statement of the law.  It is essential that professional advice is sought before any decision is taken.

© Stevens & Bolton LLP January 2016

Contact our experts for further advice

Beverley Whittaker, Beverley Flynn

Search our site