Cookie compliance: your 5 day emergency action plan Claire Walker.
Transcript of Cookie compliance: your 5 day emergency action plan Claire Walker.
Claire Walker
www.olswang.com
What you need to know…
If your company is one of the 95% of UK organisations not yet obtaining consent to website cookies…
• 5 working days until end of UK enforcement amnesty (26 May)
• 4 main types of cookie
• 3 practical steps to comply
• 2 key sources of guidance
• 1 example of creative good practice
Cookie consent countdown
• May 2009: consent rule adopted at EU level
• 25 May 2011: UK transposes the rule - on time!
• May 2011: ICO guidance V1
• 25 May 2011 to 26 May 2012: UK “amnesty” (one-year enforcement lead-in)
• Dec 2011: ICO guidance V2
• “Collusion” project
• March 2012: “95% of UK companies not ready” (KPMG)
• April 2012: ICC practical guidance
• 26 May 2012: UK “amnesty” ends
What is a cookie?
“information stored in the terminal equipment of a subscriber or user”
Regulation 6 Privacy and Electronic Communications Regulations 2003
4 main types of cookie – Icons courtesy of BT
Cookie consent: the new rule
Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
b) has given his or her consent.
Regulation 6 PECR 2003, as amended
(NB: the pre-2011 requirement was information + an opportunity to opt out)
3 compliance steps: Step 1 – Audit
Audit (continued)
…or be audited!
Step 2: provide information
ICO guidance
• “sufficiently full and intelligible to allow individuals to understand the practical consequences”
• Greater effort required now, as user understanding is likely to be low
Make sure users can see the information:
• Position – e.g. top of the page, not the bottom (e.g. IAB)
• Formatting – e.g. font size or icon – make it stand out
• Description – e.g. “cookie policy” or “how our site works” rather than “privacy”
• Blog post or new headline to draw attention [e.g. “updated” in red]
• NB: notice does not = consent – but it helps!
Step 2: information
Step 3: obtain consent
But what’s valid “consent” to a cookie?
Key points from the current ICO guidance (Dec 2011 version)
• Must involve some form of communication…
• …where user knowingly indicates their acceptance
• User must fully understand that by the action they are giving consent
• Ideally consent needs to be “prior”…
• …websites must “do as much as possible” to minimise time lag between setting cookie and giving users the choice
• …so cookie info must be “readily available”
• Avoid setting persistent cookies if visitors may be one-offs
What could “consent” look like? (BT)
What could “consent” look like? (BT again)
Step 3: methods of consent
The ICO guidance suggests the following potential consent mechanisms – depending on the intrusiveness or otherwise of the cookies used:
• Pop ups (not all pop ups are bad!)
• Splash pages
• Footer bar with accept button
• Via online ts & cs which user accepts (but not by slipping in new terms post acceptance)
• Settings led (e.g. language of site, location for weather report, etc)
• Feature led
• What about browser settings? ICO view is that at present browser settings alone do not satisfy consent requirement
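What the ICO's key points (consent must be “prior”, with the time lag between giving the choice and setting the cookie kept as small as possible) and the “footer bar with accept button” mechanism look like in code, as an added example that is not from the presentation or the ICO guidance. The four category names follow the ICC UK Cookie Guide's categories; the cookie name `cookie_consent`, the in-memory jar standing in for `document.cookie`, and the walk-through scenarios are assumptions made for illustration. Non-necessary cookies requested before the visitor has answered the bar are held back and replayed the moment the accept button is pressed; a browser default never reaches `accept()`, only an explicit click does.

```javascript
// Consent gate for non-essential cookies (added example; not the slides' code).
// Every cookie is tagged with a category; nothing outside "necessary" is
// written until the visitor has explicitly accepted that category.

// Assumed taxonomy: the four ICC UK Cookie Guide categories.
const CATEGORIES = ['necessary', 'performance', 'functionality', 'targeting'];
// Assumed name for the cookie that remembers the visitor's choice. Remembering
// the choice is treated as strictly necessary, so it needs no consent itself.
const CONSENT_COOKIE = 'cookie_consent';

// Minimal cookie jar standing in for document.cookie, so the gate runs outside
// a browser. In a page, replace the Map writes with document.cookie writes.
function createJar() {
  return { cookies: new Map(), log: [] };
}

function createGate(jar) {
  const state = { consented: null, queue: [] };
  // A returning visitor: honour the stored choice without asking again.
  const stored = jar.cookies.get(CONSENT_COOKIE);
  if (stored) state.consented = new Set(stored.value ? stored.value.split(',') : []);

  function allowed(category) {
    if (category === 'necessary') return true;
    return state.consented !== null && state.consented.has(category);
  }

  // Request a cookie. Returns 'set', 'queued' (no choice made yet) or 'refused'.
  function setCookie(name, value, category, opts = {}) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category ' + category);
    if (allowed(category)) {
      jar.cookies.set(name, { value, persistent: Boolean(opts.maxAge), category });
      jar.log.push(['set', name, category]);
      return 'set';
    }
    if (state.consented === null) {
      // No choice yet: hold the cookie instead of setting it and asking afterwards.
      state.queue.push({ name, value, category, opts });
      jar.log.push(['queued', name, category]);
      return 'queued';
    }
    jar.log.push(['refused', name, category]);
    return 'refused';
  }

  // Wired to the accept button of the notice bar. Only an explicit user action
  // calls this; showing the bar or a browser default never does.
  // Unknown categories are dropped; 'necessary' is always implied.
  function accept(categories) {
    state.consented = new Set(categories.filter((c) => CATEGORIES.includes(c)));
    jar.cookies.set(CONSENT_COOKIE, {
      value: [...state.consented].join(','), persistent: true, category: 'necessary',
    });
    // Replay everything that was held back; non-consented categories are refused.
    const pending = state.queue.splice(0);
    const results = {};
    for (const p of pending) results[p.name] = setCookie(p.name, p.value, p.category, p.opts);
    return results;
  }

  function decline() { return accept([]); }

  return { setCookie, accept, decline, allowed, pendingCount: () => state.queue.length };
}

// Constructed first visit: the page tries to set cookies before the visitor
// has answered the bar, then the visitor accepts performance cookies only.
function demoFirstVisit() {
  const jar = createJar();
  const gate = createGate(jar);
  const before = {
    session: gate.setCookie('sessionid', 'abc', 'necessary'),
    ga: gate.setCookie('_ga', 'GA1.2.1', 'performance', { maxAge: 63072000 }),
    ads: gate.setCookie('ad_uid', 'x9', 'targeting', { maxAge: 31536000 }),
  };
  const after = gate.accept(['performance']);
  return { jar, before, after, pending: gate.pendingCount() };
}

// Constructed return visit against the same jar: the stored choice applies.
function demoReturnVisit(jar) {
  const gate = createGate(jar);
  return {
    ga: gate.setCookie('_ga', 'GA1.2.1', 'performance', { maxAge: 1 }),
    ads: gate.setCookie('ad_uid', 'x9', 'targeting'),
  };
}
```

The queue is what addresses the ICO's “time lag” point: analytics or advertising code can be initialised on page load as usual, but its cookies only land once `accept()` runs, and the ones the visitor did not agree to are refused rather than silently set.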
Can “implied consent” work?
• Implied consent normally invalid in a DP context – see criteria listed earlier
• Level of consent required in given scenario depends on user’s understanding and awareness
• “reliance on implied consent…must be based on a definite shared understanding of what is going to happen”, i.e.
• that cookies will be set
• what the cookies do
• signifies agreement
So, shared understanding / implied consent:
• may be viable as consumer awareness grows over time
• Also depends on prominence of cookie information on the site
Less creative solutions…
What to do about Analytics
• Analytics cookies ARE covered by the consent rules
• Low enforcement risk - ICO has a pragmatic stance
• If analytics are the only cookies you use - what should you do?
• Provide information
• Seek “consent” via a notice route?
• Suggested wording: “This site uses Google Analytics cookies to collect information about how visitors use this site. Click here [link to relevant section of privacy policy] for more details. By using this site you agree that we can place these cookies on your device.”
2 essential sources for lawyers
• ICO guidance – December 2011 – to be updated shortly
• International Chamber of Commerce UK Cookie Guide – April 2012
• Categorisation of cookies
• How to describe them to users; use of icons (e.g. BT)
• Consent mechanisms to use
• Endorsed as good practice by the ICO
• Will other websites follow suit?
Third party cookies: who’s responsible?
• ICO’s view: website owner and third parties are both responsible
• In practice, website owner likely to receive any complaints about 3rd party cookies on site
• Website owner has direct interface with end user – therefore easier for it to provide information and obtain consent
• Tip: ensure your cookie audit covers 3rd party cookies
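An audit that starts from captured Set-Cookie headers, as an added example that is not part of the presentation. The site domain, the inventory of known cookies and the captured responses are constructed for illustration. Cookies written by browser-side script (most analytics cookies) never appear in Set-Cookie headers, so a header-only pass has to be paired with a `document.cookie` snapshot; what the header pass does show, for every cookie a page load produces, is who set it, whether it is first- or third-party, whether it is a session or persistent cookie and for how long, and whether anyone on the team can account for it.

```javascript
// Cookie audit from captured Set-Cookie headers (added example; not the slides' code).
// Input: responses as a crawler or intercepting proxy would record them.
// Output: one row per cookie with what the audit table needs: who set it,
// first- or third-party, session or persistent, lifetime, and purpose.

// Site under audit (assumed). Hosts outside this registrable domain are
// treated as third parties.
const SITE_DOMAIN = 'example.co.uk';

// Cookies the site owner can already account for (assumed inventory).
// The audit exists to surface everything that is NOT in this table.
const KNOWN_COOKIES = {
  sessionid: 'strictly necessary: login session',
  lang: 'functionality: remembers site language',
  _ga: 'performance: Google Analytics (set by script, not by a header)',
};

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: (eq >= 0 ? parts[0].slice(0, eq) : parts[0]).trim(),
    value: eq >= 0 ? parts[0].slice(eq + 1) : '',
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    cookie.attrs[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return cookie;
}

// First-party check by suffix match against the site domain. A real audit
// should use the Public Suffix List; this is enough for the example.
function isFirstParty(host) {
  const h = host.replace(/^\./, '').toLowerCase();
  return h === SITE_DOMAIN || h.endsWith('.' + SITE_DOMAIN);
}

// Lifetime in days, 0 for a session cookie. Max-Age takes precedence over
// Expires when both are present, as in browsers.
function lifetimeDays(attrs, now) {
  if (attrs['max-age'] !== undefined) {
    return Math.max(0, Number(attrs['max-age']) / 86400);
  }
  if (attrs.expires !== undefined) {
    const exp = Date.parse(String(attrs.expires));
    if (!Number.isNaN(exp)) return Math.max(0, (exp - now.getTime()) / 86400000);
  }
  return 0;
}

// Build the audit table. `responses` is [{ url, setCookie: [header, ...] }].
function auditCookies(responses, now = new Date()) {
  const rows = [];
  for (const r of responses) {
    const host = new URL(r.url).hostname;
    for (const header of r.setCookie) {
      const c = parseSetCookie(header);
      const domain = c.attrs.domain ? String(c.attrs.domain) : host;
      const days = lifetimeDays(c.attrs, now);
      rows.push({
        name: c.name,
        setBy: host,
        domain,
        party: isFirstParty(domain) ? 'first' : 'third',
        persistent: days > 0,
        lifetimeDays: Math.round(days),
        secure: c.attrs.secure === true,
        purpose: KNOWN_COOKIES[c.name] || 'UNCLASSIFIED - investigate',
      });
    }
  }
  return rows;
}

// Constructed capture of one page load: the site's own responses plus an
// advertising pixel the page embeds.
const SAMPLE_RESPONSES = [
  { url: 'https://www.example.co.uk/', setCookie: [
    'sessionid=abc123; Path=/; Secure; HttpOnly',
    'lang=en; Max-Age=31536000; Path=/',
  ] },
  { url: 'https://www.example.co.uk/promo', setCookie: [
    'campaign_src=spring12; Expires=Thu, 21 Jun 2012 00:00:00 GMT; Path=/',
  ] },
  { url: 'https://ads.example-adnetwork.com/pixel.gif', setCookie: [
    'uid=x9; Domain=.example-adnetwork.com; Max-Age=63072000; Path=/',
  ] },
];

// Audit as of the week before the 26 May deadline (fixed date so lifetimes are stable).
function runAudit() {
  return auditCookies(SAMPLE_RESPONSES, new Date('2012-05-21T00:00:00Z'));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runAudit());
}
```

The rows that matter for the action plan are the `UNCLASSIFIED` ones: a first-party cookie nobody on the team can explain, and a two-year third-party cookie from an ad network, are exactly the items the audit has to resolve before information and consent can be provided for them.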
Bottom line: UK enforcement risks?
What does the ICO expect of website owners by 26 May 2012?
• Audit cookies used
• Take “sensible measured action to move to compliance”
• Have a realistic action plan for compliance: timescales + specific actions
Will / when will the ICO take enforcement action over cookies?
• ICO’s approach “practical and proportionate”
• Organisation refuses to comply…
• Use of particularly intrusive cookies with no information and no consent
• Who will be made an example of?
Will the ICO issue fines?
• ICO's own guidance will be updated again before 26 May - watch this space
• ICO "does not anticipate a wave of enforcement action after the lead in period ends" ...
• but does expect organisations "to have used this time productively and ensured that they are working towards becoming fully compliant."
In what circumstances will the ICO impose monetary penalties?
• Serious contravention +
• Deliberate or reckless +
• Likely to cause substantial damage or substantial distress
• Reckless = knowledge of risk; failure to take “reasonable steps”
Cookie compliance: your 5 day emergency action plan
For more information please contact:
Claire Walker
+44 (0) 207 067 [email protected]