Deferred Cookie Law

You may recall I felt the impending new legislation was onerous on website owners, and said I would be watching developments.  Since publishing that article, I am happy to report that the UK Government has realised implementation of the law is practically unworkable.  See Cookie law deferred for one year.

The latest development is that the UK Government has formed a working group to see if a browser-based solution can be found to address the usage of cookies.  This would push the required opt-out back to the end user, who would instigate it via their browser.

The Information Commissioner’s Office (ICO) is now giving website owners another 12 months to familiarise themselves with the law, and in the interim is unlikely to pursue anyone.  However, you must nevertheless be able to demonstrate that your business is working towards compliance, and that you have a relevant action plan.

My previous article outlined a general business compliance plan, but if you need individual guidance please contact me.

I will provide further updates on this subject as and when there is pertinent news.  In the meantime, here are my recommended points of reference for enlightenment.

Could cookies make your website illegal?

The law applying to the use of cookies changes on 26 May 2011.  UK law is changing to implement the revised EU Privacy and Electronic Communications Directive, otherwise known as the Cookie Directive.

Cookies are small text files.  You may not deploy them on your own business website, but when you visit someone else’s site a cookie can be downloaded onto your computer to collate information on your browsing activity.

Previously, the use of cookies was often mentioned in a website’s privacy policy, sometimes with an “opt out” facility.  The new rules now put the onus on cookie users to obtain permission before using them to track anyone’s site visit.

The new legislation has its critics, including me, for being burdensome.  Guidance from the Information Commissioner’s Office, the UK’s independent authority upholding information rights, is available here.  Interestingly, the ICO recognises cookies perform a number of legitimate functions and that gaining consent to use them may be challenging.

It seems to me the legislation is targeted at tracking software such as Google Analytics.  Indeed, this is specifically mentioned in the ICO guidance, which also covers exceptions to the new rules.  Basically, these cover cookies essential for a requested service, or a website’s operation.  Prime examples here are e-commerce sites managing shopping carts, or secure user areas.

A recommended step for compliance with the new legislation is to check what type of cookies you use, and how they are used.  Do this through a comprehensive website audit, which can be done for you by an internet specialist company such as AGUK Solutions Limited.  If your cookies create a detailed profile of an individual’s browsing activity this could be considered intrusive, and the priority then is to get meaningful consent.

As a minimum, my advice to all website owners is to: (a) have a visible privacy policy and (b) ensure it includes reference to cookies, and how they are used.  To this end I highly recommend using this policy sample from Business Link. This pushes the emphasis on website visitors to accept, or deny, the use of cookies within their browser settings.

I intend to keep a close watch on this legislation, and will provide further information as things develop.  In the meantime, I welcome your views whether good, bad or indifferent.

Image credit: scubadive67