Channel: Louise Brown » law

Dealing with the impending cookie monster


[Disclaimer: This blog post isn't in any way based on expert knowledge of website law but aims to clarify my own understanding. Errors will be rectified.]

I’ve just taken part in a Lasa webinar on the new cookie law, hosted by data protection guru Paul Ticher.

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into effect last year but, because of the complexity, organisations were given a year to implement the changes.

So this year, on 26 May, website owners will be expected to have taken reasonable steps towards complying with that law.

The main thrust of the law is that you must not store information (a cookie) on someone else’s computer unless they understand the purpose of it and have given their consent.

According to the law, you don’t need to get consent for cookies that are ‘strictly necessary’ for the functioning of a website. For example, if you run a commerce site, you could argue that it’s ‘strictly necessary’ to use cookies to keep track of what items people have put into their virtual shopping basket.

So what should organisations be doing now? Well, hopefully you’ve been working up to this for the last year and have already made changes, but if you’ve only just found out about it or were hoping it would go away, then there are still things you can do in the next six weeks or so to ensure you don’t get chased by the Information Commissioner (IC):

  1. Review all of the cookies that you have set up on your website.
  2. Evaluate each one to see how intrusive it is and whether it is absolutely necessary. (Cookies that indicate choice, such as ‘remember me on this computer’, are felt to be less intrusive. You should still let people know you’re using them.)
  3. Update your privacy statement to state where cookies are used on your site and what they’re for, even if you’ve classed them as ‘strictly necessary’.

That’s not the end of it: to be fully compliant you need to give people the opportunity to agree to cookies when they’re using your site. A sign-in page can be good for this if you have one.

The Information Commissioner (IC) has said that cookies used in analytics packages are covered by the law but not a priority. (Reference for this statement to follow).

Even though the IC has said that tracking cookies aren’t a priority for them, they’re still covered by the law and need to be considered. One issue for users was felt to be that even though the terms of using Google Analytics say you can’t use it to track personal info (section 7), the same terms (section 6) say that Google themselves can use any info captured. There’s no clarity in there about what they might do with this information.

Some examples of cookies statements:

One thing that came up during the webinar and didn’t get answered is if/how this law impacts on sites like Facebook that many organisations are using for their business and which track users across sites. Does anyone have thoughts on this issue?

Paul has written up a handy guide to the new cookie law at http://ictknowledgebase.org.uk/cookielaw.

There’s also an interesting blog post from E Consultancy http://econsultancy.com/uk/blog/9202-eu-cookie-law-three-approaches-to-compliance.

The Citizenship Foundation are running an event on 4th May in Birmingham http://citizensheep.com/blog/2012/04/17/charities-and-the-cookie-law-birmingham-event/.


Tagged: cookies, EU, law, websites
