New ICO Cookies Guidance
The Information Commissioner’s Office has published an updated Cookies Guidance Document today, together with a press release criticising the performance of website operators on compliance. So, what’s in it?
Well, it doubts the idea that consent can be obtained after a cookie has been dropped, because ICO sees consent as meaning prior consent. However, the guidance goes on to imply that ICO will take a sympathetic line with websites where the time period between the dropping of the cookie and the obtaining of consent is short:
“It is difficult to see that a good argument could be made that agreement to an action could be obtained after the activity the agreement is needed for has already occurred. This is not the generally accepted way in which consent works in other areas, and is not what users will expect. Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems. The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes obtaining consent before the cookie is set difficult. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.”
The Guidance also seems to set up the “implied consent” route to compliance, although ICO cautions that we will need to educate our users before we can be confident that implied consent works. ICO suggests that the entire community of website operators can contribute to this cause – which makes sense – but I do not read the guidance as precluding the implied consent route immediately:
“The level of consent required for any activity has to take into account the degree of understanding and awareness the person being asked to agree has about what they are consenting to. A reliance on implied consent in any context must be based on a definite shared understanding of what is going to happen – in this situation a user has a full understanding of the fact cookies will be set, is clear about what cookies do and signifies their agreement. At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent. As consumer awareness increases over the next few years it may well be easier for organisations to rely on that shared understanding to a greater degree. This shared understanding is more likely to be achieved quickly if websites make a real effort to ensure information about cookies is made clearly available to their users, for example, displaying a prominent link to ‘More information about how our website works and cookies’ at the top of the page rather than through a privacy policy in the small print.”
There is also a notable piece about obtaining consent from subscribers and users, which addresses the situation where a computer has multiple users. Basically, it seems that ICO will treat the website as being compliant where consent has been obtained from the subscriber alone, even if the complaining user is someone else in the household:
“In a domestic context there will usually be a subscriber (the person in the household paying the bill) and potentially several other users. If a user complained that a website they visited was setting cookies without their consent the website could demonstrate they had complied with the Regulations if they could show that consent had previously been obtained from the subscriber.”
As far as strictly necessary cookies are concerned, which do not need consent, the guidance confirms that cookies dropped for security purposes will fall within this group. So will cookies that help the website controller comply with other legal obligations. Note the limit, though: the exemption covers only what is essential to deliver the service the user asked for, not what is essential to the operator’s other uses of the data:
“The term ‘strictly necessary’ means that such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data. It will also include what is required to comply with any other legislation the person using the cookie might be subject to, for example, the security requirements of the seventh data protection principle.”
Regarding third party cookies, ICO places the compliance burden on the person who drops the cookie, but there are situations where the person dropping the cookie may work to another’s direction, such as under a contract. Thus, the guidance envisages a cooperative approach to be taken by those involved:
“The person setting the cookie is therefore primarily responsible for compliance with the requirements of the law. Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – the company running the website. It is therefore in both parties’ interests to work together.”
The importance of contractual safeguards in the third party cookie situation is highlighted in this part:
“Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.”
The guidance continues with some ideas about achieving compliance, such as carrying out a cookie audit and assessing intrusiveness, but it’s in the section on pop-ups where things become really interesting, because under “Figure 2” it seems to be confirmed that achieving consent does not need a person to tick a box or click an accept button. Rather, the guidance seems to accept the enhanced notice and transparency approach, where consent is inferred from a person who uses a website after being properly warned about cookies:
“Using this technique you could ensure you are compliant by not switching on any cookies unless the person clicks I agree. Some users might not click on either of the options available and go straight through to another part of the site. If they do, you might decide that you could set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site. This is an option that relies on the user being aware that the consequence of using the site is the setting of cookies. If you choose this option you might want the reassurance of a notice appearing elsewhere on the site which reminds users that you are setting cookies.”
The terms and conditions approach is also endorsed:
“It is not uncommon for consent to be gained online using the terms of use or terms and conditions to which the user agrees when they register or sign up. Where users open an online account or sign in to use the services you offer, they will be giving their consent to allow you to operate the account and offer the service. There is no reason why consent for the cookies cannot be gained in the same way.”
On tracking cookies, the guidance seems to imply that first party ones may be relatively non-intrusive, but the most interesting point is that there seems to be re-affirmation of the enhanced notice and transparency approach:
“It is likely to be more difficult to obtain consent for this type of cookie where you do not have any direct relationship with a user – for example where users just visit a site to browse. In this case websites should ensure the information they provide to users about cookies in this area is absolutely clear and is highlighted in a prominent place (not just included through a general privacy policy link). As far as possible, measures should be put in place to highlight the use of cookies and to try to obtain agreement to set these cookies.”
The idea of the central permissions centre is also alluded to, where the user goes to one place to confirm their preferences for different websites:
“An organisation with several connected websites could in theory obtain consent for cookies set on each site in one place, for example when the user logged in on one site. In order for this consent to be valid it would have to be absolutely clear which websites the cookies in question were set on, what those cookies were used for and exactly what the user was agreeing to.”
There is also recognition that consent can be obtained on a per category basis, as opposed to a per cookie basis:
“Consent does not have to be gained separately for each individual cookie, provided you have explained the purpose of the cookies clearly a user could provide consent to cookies performing a set of functions.”
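Two of the points above have a direct implementation consequence: the advice to delay setting cookies until the user has made a choice (with the strictly necessary exemption), and the point that consent can be granted per category rather than per cookie. The following is an added example written for this page, not code from the ICO guidance or from the post, and it makes assumptions: the cookie names, the category labels and the in-memory jar that stands in for document.cookie are all constructed for illustration. It shows a small gate that writes strictly necessary cookies at once and queues everything else until its category is consented to.

```javascript
// Added example (not from the ICO guidance or this post): a consent gate that
// models "delay setting cookies until the user has chosen". Each cookie is
// registered with a category. Strictly-necessary cookies (e.g. a session or
// CSRF token) are written immediately; everything else waits until consent
// for its category is granted. An in-memory jar stands in for document.cookie
// so the module runs outside a browser.

const STRICTLY_NECESSARY = "strictly-necessary";

// Hypothetical cookie jar: a Map from cookie name to { value, attrs }.
function makeJar() {
  const jar = new Map();
  return {
    write: (name, value, attrs) => jar.set(name, { value, attrs }),
    has: (name) => jar.has(name),
    names: () => [...jar.keys()].sort(),
  };
}

class CookieConsentGate {
  constructor(writeCookie) {
    this.writeCookie = writeCookie;
    // Only the exemption is pre-approved; every other category needs consent.
    this.consented = new Set([STRICTLY_NECESSARY]);
    this.pending = [];
  }

  // Request to set a cookie. Returns true if written now, false if queued.
  set(name, value, category, attrs = { secure: true, sameSite: "Lax" }) {
    if (this.consented.has(category)) {
      this.writeCookie(name, value, attrs);
      return true;
    }
    this.pending.push({ name, value, category, attrs });
    return false;
  }

  // Consent is per category, not per cookie: flush everything queued under
  // that category and remember the grant for later set() calls.
  grant(category) {
    if (category === STRICTLY_NECESSARY) return 0;
    this.consented.add(category);
    const ready = this.pending.filter((e) => e.category === category);
    this.pending = this.pending.filter((e) => e.category !== category);
    for (const e of ready) this.writeCookie(e.name, e.value, e.attrs);
    return ready.length;
  }

  // Refusal discards queued cookies and withdraws any earlier grant.
  deny(category) {
    if (category === STRICTLY_NECESSARY) return 0;
    this.consented.delete(category);
    const before = this.pending.length;
    this.pending = this.pending.filter((e) => e.category !== category);
    return before - this.pending.length;
  }

  pendingCategories() {
    return [...new Set(this.pending.map((e) => e.category))].sort();
  }
}

// Walk through a page load: necessary cookies first, then the user's choices.
// All names and values below are constructed sample data.
function runDemo() {
  const jar = makeJar();
  const gate = new CookieConsentGate(jar.write);
  const result = {};

  result.sessionNow = gate.set("sid", "abc123", STRICTLY_NECESSARY);
  result.analyticsNow = gate.set("_ga", "GA1.2.1", "analytics");
  result.adsNow = gate.set("ad_id", "xyz", "advertising");
  result.afterLoad = jar.names();                 // only "sid" so far
  result.awaiting = gate.pendingCategories();     // advertising, analytics

  result.flushed = gate.grant("analytics");       // 1 cookie written
  result.dropped = gate.deny("advertising");      // 1 cookie discarded
  result.laterAnalytics = gate.set("_gid", "GA1.2.2", "analytics"); // now true
  result.final = jar.names();
  result.pendingAfter = gate.pendingCategories(); // nothing left queued
  return result;
}

console.log(runDemo());
```

In a real page the `writeCookie` callback would assign to `document.cookie` (or call the analytics or advertising SDK's init function, since most third party cookies are set by their scripts rather than directly), and the grant and deny calls would be wired to the banner buttons. Denied cookies are dropped rather than held, so a later visit starts from the same clean state the guidance asks for.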
Finally, there’s a reminder not to forget the general data protection issues. So if the cookies lead to personal data processing, there is an added compliance layer:
“Where the setting of a cookie does involve the processing of personal data, those using them will need to make sure they comply with the additional requirements of the DPA.”
So, these are my first impressions of the guidance: I have not addressed all of the content here, but what I have seen is very reassuring for compliance. It looks like ICO has taken a pragmatic approach to the issues and it has accepted the key compliance mechanisms that many of us are arguing for, such as implied consent, enhanced notice and transparency, the contractual approach and the intrusiveness approach. If ICO adheres to this approach, then a good balance will be struck between the interests of all the key stakeholders. This is a jolly good piece of work.
Posted 01-17-2012 7:36 PM by stewartroom