What is a Cookie?
- freely given;
- specific; and
The more specific the consent is, the less likely it is that you will be in breach. For example, if you obtain consent before a cookie is set, you will have obtained specific consent. If you rely on implied consent, you need to show that the user has taken some positive action to imply consent.
The International Chamber of Commerce UK office (ICC) provides some suggested wording that can be used to obtain consent via websites.
There is an exception to the need for consent, but only if the cookie is strictly necessary for the delivery of the service, for example a cookie that takes the user from a product page to a payment page.
You must provide users with clear and comprehensive information about:
- the type of cookies being set; and
- the purposes for which the information is collected.
The ICC suggests categorising cookies into 4 groups: strictly necessary, performance, functionality, and targeting or advertising cookies. The reason for collecting each applicable type of cookie should then be explained.
Who do the Rules Apply to?
The Regulations do not define who is responsible for complying with the rules, but this is probably the person or company setting the cookie. Where third-party cookies are used, both parties will be responsible for ensuring that users are clearly informed about cookies and for obtaining consent.
How to Comply with the New Rules
The ICO has issued non-binding guidance suggesting ways in which consent to the setting of cookies can be obtained, and the ICC guidance suggests various methods for complying with the notice requirements, which include:
- Terms and Conditions;
- Settings/Features;
- Banners/Footers;
How to Avoid Fines
You also need to consider how and when you will obtain consent to any cookies you use. Will the consent be implied or specific? Also, do not forget to provide information about any third-party cookies that are placed, and provide links to any information about them that the third parties may provide.
Enforcement by the ICO
By 26th May 2012 you must comply with the new rules, as the ICO will start taking formal action. The ICO has stated that it will be selective. For example, it has clearly indicated that it is unlikely to prosecute companies that only use analytic cookies and will concentrate on websites where no steps have been taken towards collecting consent or where particularly intrusive cookies are used.