
COOKIES – A SIMPLE GUIDE TO WHAT YOU NEED TO DO

ACTION: FOLLOW THESE STEPS BEFORE 26 MAY 2012

What To Do How To Do It

Step One Work out whether your website(s) use cookies

(i) Download & install Google Chrome. In Chrome, go to your website address, then press “Ctrl+Shift+I”, click the ‘Resources’ tab, and then on ‘Cookies’ (see Diagram 1 below).

or

(ii) Speak to your web developers/IT team.

Step Two Audit: Review what the cookies do

(i) Look at the ICO’s privacy policy & Google Analytics to understand what your cookies do. Most websites use these Google Analytics cookies: __utma, __utmc, __utmb, __utmz. These are covered by the legislation, so consent is required.

and

(ii) Speak to your web developers/IT team and ask them what the remaining cookies do.

and

(iii) Make a note on how intrusive the cookies are to the user, categorise them as low, medium or high. A cookie will be highly intrusive if it collects personal data or is persistent (i.e. lasts for a long time and not just for the user’s browsing session) compared with one that collects only anonymous data or one that expires when the user leaves the site.


Remember to keep a written record of the information gathered at Steps 1 & 2 for compliance purposes
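An added example, not part of the original guide: one way to turn the cookies found at Step One into the written record asked for above. It parses Set-Cookie values, marks each cookie as session or persistent, and applies the guide's high/low rule; the sample headers, the basket and member_id names, the reviewer notes and the audit date are constructed assumptions.

```javascript
// Constructed Set-Cookie values; names other than the Google Analytics ones are hypothetical.
const SAMPLE_HEADERS = [
  "__utma=1.2.3.4.5.6; Expires=Wed, 21 May 2014 10:00:00 GMT; Path=/",
  "__utmc=1; Path=/",
  "basket=sku42x1; Path=/; HttpOnly",
  "member_id=8841; Max-Age=31536000; Path=/; Secure",
];
// Answers gathered from the web developers/IT team at Step Two (ii); constructed.
const REVIEWER_NOTES = new Map([
  ["basket", { strictlyNecessary: true, personalData: false }],
  ["member_id", { strictlyNecessary: false, personalData: true }],
]);
const AUDIT_DATE = Date.UTC(2012, 4, 26); // fixed so the record is reproducible
const GA_COOKIE = /^_{1,2}utm[abcz]$/; // classic Google Analytics cookie names

// Return the cookie name and its absolute expiry (null for a session cookie).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let expiresAt = null, maxAge = null;
  for (const attr of attrs) {
    const [key, value = ""] = attr.split(/=(.*)/);
    if (key.toLowerCase() === "expires" && !Number.isNaN(Date.parse(value))) expiresAt = Date.parse(value);
    if (key.toLowerCase() === "max-age" && /^-?\d+$/.test(value)) maxAge = Number(value);
  }
  if (maxAge !== null) expiresAt = now + maxAge * 1000; // Max-Age overrides Expires
  return { name, expiresAt };
}
// Build one written-record row per cookie for the Step 1 and 2 audit.
function auditCookies(headers, notes, now = AUDIT_DATE) {
  return headers.map((header) => {
    const { name, expiresAt } = parseSetCookie(header, now);
    const note = notes.get(name);
    const analytics = GA_COOKIE.test(name);
    const persistent = expiresAt !== null && expiresAt > now;
    const personalData = Boolean(note && note.personalData);
    const necessary = Boolean(note && note.strictlyNecessary) && !analytics;
    return {
      name, persistent, personalData,
      purpose: analytics ? "analytics" : necessary ? "strictly necessary" : note ? "other" : "unreviewed",
      lifetimeDays: persistent ? Math.round((expiresAt - now) / 86400000) : 0,
      // The guide's rule applied literally; grading "medium" is left to the reviewer.
      intrusiveness: personalData || persistent ? "high" : "low",
      consentRequired: !necessary,
    };
  });
}

console.table(auditCookies(SAMPLE_HEADERS, REVIEWER_NOTES));
```

Whether a cookie carries personal data cannot be read from the header, so that column comes only from the reviewer notes; a cookie with no note is reported as "unreviewed" and treated as needing consent.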

Step Three You are required to “provide clear and comprehensive information” = Update your Privacy Policy

(i) Update your privacy policy with information relating to cookies. There are lots of examples on the web to help you or ask us for some wording.

and/or

(ii) Consider whether you will have a separate page/hyperlink explaining cookies on the site to increase user awareness.

Step Four “Consent must be obtained before the cookies are dropped through an affirmative step on the part of the user.” = Decide how to obtain consent

See ‘Current Options to raise awareness and obtain consent’ and also our ‘Top Tips’ below

Option Disadvantages Risk Profile Information

1. Pop-Up Window or Splash Page

Disrupts browsing experience.

Low


2. Static Information Barriers

Figures from the ICO website show a drastic drop in users accepting cookies.

Low

Complete compliance with legislation

This is how the ICO has chosen to implement the legislation (see below).

The drop may be related to the method of consent or users choosing not to accept cookies (see our Top Tips).

3. Terms & Conditions / Privacy Policy

Risk of non-compliance.

Medium

This is not regarded as express consent, unless the user is required to sign a tick box to agree (a step that potentially takes us back to options 1 & 2), as express consent must involve some form of communication where the user knowingly indicates their acceptance.

You could still face enforcement action for high to medium intrusive cookies.

At present, the majority of the websites that have addressed the legislation are taking this approach.

The ICO has said whilst it cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action will be given to focusing on cookies where there is a low level of intrusiveness and risk of harm to individuals, for example analytic cookies that collect anonymous data.

There is a sliding scale of intrusiveness of cookies: the more intrusive (high/medium) the cookie, the more important it is to gain express consent and, if you don’t, the more likely it is that enforcement action will be taken against you.

4. Settings / Feature Led Consent

Disrupts browsing experience unless as part of a user account process.

Low

Useful if you have user accounts on your website (i.e. members’ areas). Most simple websites may not.

TOP TIPS (IT IS ABOUT THE SALES PSYCHOLOGY)

You do not need to ask for consent to use cookies that are strictly necessary before they are used by your website. This is an extremely narrow exemption but does mean that the use of critical cookies does not have to be mentioned to the user. An example would be a cookie to remember a user’s shopping basket.

When dealing with the consent it is not sensible to throw all your marketing skills out of the window. When looking to gain consent, the question needs to be honest but positive. The ICO’s question was:


“The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.”

This was too brutal in our view and should be much more engaging (and we are sure you can do better):

“Please may we have your consent to use a couple of / a few/ 3 cookies. They are the minimum we need to make the site work and to improve it. They do not identify you or carry any of your information. We give the full details in our privacy policy”.

It would be sensible to break the consent for cookies into those that are anonymous and those that are not and sell the benefits to the User.

Instead of dropping all cookies at once and asking for consent to everything at the start, drop cookies where appropriate and ask for consent when the user registers or otherwise uses the relevant part of the site so there is a buy in at that stage. The ICO has since changed its wording.

GOOGLE ANALYTICS

The ICO has confirmed that Google Analytics cookies (and other similar analytical cookies) do not fall within the strictly necessary exemption. In practice the ICO has said that clear information should be provided regarding analytical cookies and websites should take ‘what steps you can’ to gain consent. It is understood that the ICO will be providing further guidance shortly on the applicability of implied consent for these cookies. The current position is that you need consent, and if you do not obtain it, you run the risk (albeit, we believe, small) of enforcement action.

IS IMPLIED CONSENT ENOUGH?

Many websites are looking to each other to see who moves first. The main examples of compliance are BT and the ICO. It is clear that BT has invested a significant amount of time and effort into developing its pop-up option. It does, however, take a different approach to the ICO’s website, which you would expect to be the prime example of compliance. The ICO asks a user to expressly consent to the use of cookies. BT makes the default setting to allow all cookies; if the user continues without changing this, they consent to cookies. Two very different approaches, but which is right? At this stage it is hard to say. BT’s is more commercially orientated and has less business impact for those users who are simply not concerned about cookies or abstain from the process. The ICO’s method is probably the technically correct approach. To support its case, BT has brought users’ attention to the setting (via the pop-up) and provided information and options to opt out, but it may not be sufficient to constitute true express consent. At this stage we don’t know whether it is enough; everyone is waiting for guidance from the ICO. Given the thought and effort put in by BT, it would be highly unlikely that, if the ICO were to take enforcement action, it would be more than a request for the consent to be positive and the default position to be no cookies. At this stage, if your cookies are low intrusive, you have followed steps 1 to 3 and can accept the potential risk of enforcement, implied consent following the BT model will probably be enough.


SUMMARY

This is a changing area, and whatever your view on the legislation it is with us very shortly. All eyes are on the ICO to see what further guidance he will provide and how he intends to enforce the legislation. Don’t forget about cookies after 26 May, as this may have only just begun.

OTHER OPTIONS

Option Comment

Don’t use cookies!

There are alternative methods for analytics that don’t use cookies. These are relatively new and you would need to ensure that any method does not breach Google Analytics terms of service (if using the service) and still complies with the Data Protection Act.

Use third party providers (like Wolf Software) to help with compliance

Web Designers/Developers are trying to develop cleaner, user friendly experiences to help website owners to gain consent.

Do nothing We do not recommend this.

Call us for help & guidance Edmund Probert 01392 685325 or James Goodwin 01392 685212

DIAGRAM 1
