EU Cookie Law Regulations
Also, the EU is now proposing changes to the regulations to allow sites to read the general cookie preferences set in the user's browser. This is to avoid having to agree to accept cookies by clicking on tick boxes on every site visited.
Our opinion is that this has been a significant waste of time and resources for websites attempting to comply, and that it has threatened the provision of free information and services on the internet, most of which rely on advertising revenue to pay for those free services.
Please note that our own Cookies Policy complies with the latest guidelines from the ICO.
In the UK the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 implement European Directive 2009/136/EC. This is more commonly known as the new cookie law and will come into force on 26th May 2012.
What are cookies?
Cookies are small files containing a short string of numbers and letters, placed automatically by a website into the cookie folder of your browser. Cookies are primarily used to make a website easier and faster to use. The cookie recognises that a device is accessing, or has previously accessed, the website and acts accordingly (depending on what the cookie is designed to do). Mostly cookies perform mundane but necessary tasks, such as:
- Remembering you as a registered user, if you sign up to a website.
- Monitoring a website to ensure it loads correctly and efficiently.
- Allowing customers to add items to a shopping basket and pay.
- Serving ads that are more relevant to you.
- Analysing how visitors use a website to spot ways to improve it.
The new cookie law was drafted to combat those websites that over-use or abuse cookies. Only a small percentage of sites do this, and most are located outside the UK or EU anyway, and so are not covered by the regulations.
Shopping basket exception
Cookies used during the shopping basket/checkout process on e-commerce websites do not, as such, require any consent. This is because the visitor has specifically requested a service from the website: to buy something. Cookies are used to ensure that what the customer adds to their basket remains in the basket throughout the checkout and payment process, so that the customer receives the item.
The Information Commissioner’s Office
From our discussions with the Information Commissioner’s Office (ICO), we have obtained the following broad guidance.
1. The law is designed to stop websites using intrusive cookies that track visitors on a website, and in some cases continue to track visitors when they subsequently visit other sites. These cookies are purposefully designed to obtain as much data about visitors as possible. This data is not required to provide a service to the visitor on the website; it is obtained to create a data profile of the visitor.
The use of such cookies is clearly to the detriment of visitors. This is a key point of the regulations: are the cookies used detrimental to the visitor?
2. The ICO has stated that if a website can show it has taken reasonable steps to comply with the law, that website will be less likely to be found to have broken the law.
Enforcement and Penalties
The ICO has stated they will look at any website reported to them to see if a breach has been committed. As stated above, action is less likely to be taken where the website can show that it has attempted to comply with the regulations.
The ICO has the following enforcement and penalty options under the regulations (taken directly from the ICO’s guidance):
- Information notice: this requires organisations to provide the Information Commissioner with detailed information within a specified period.
- Undertaking: this commits an organisation to a particular course of action to improve its compliance.
- Enforcement notice: this compels an organisation to take action specified in the notice to bring about compliance with the regulations. For example, a notice may be served to compel an organisation to display a clear Cookies Policy. Failure to comply with an enforcement notice can be a criminal offence.
- Monetary penalty notice: a monetary penalty notice requires an organisation to pay a monetary penalty of an amount determined by the ICO, up to a maximum of £500,000. This power can be used in the most serious of cases and if specific criteria are met: if any person has seriously contravened the regulations, and if the contravention was of a kind likely to cause substantial damage or substantial distress. Also, the contravention must either have been deliberate, or the person must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.
Even though these powers may seem draconian, a website would need to be in serious breach to receive a monetary penalty notice. The level of breach would be more akin to installing spyware on a visitor’s computer or mobile device.
Attempting to comply