Cookie compliance: your 5 day emergency action plan Claire Walker.

Presentation transcript:

Cookie compliance: your 5 day emergency action plan Claire Walker

What you need to know…
If your company is one of the 95% of UK organisations not yet obtaining consent to website cookies:
5 working days until the end of the UK enforcement amnesty (26 May)
4 main types of cookie
3 practical steps to comply
2 key sources of guidance
1 example of creative good practice

Cookie consent countdown (timeline slide):
Consent rule adopted at EU level
UK transposes rule – on time! (May 2011)
ICO guidance V1 (May 2011)
ICO guidance V2 (Dec 2011)
“Collusion” project
“95% of UK companies not ready” (KPMG, March 2012)
ICC practical guidance (April 2012)
UK “amnesty” ends (May 2012)

What is a cookie? “information stored in the terminal equipment of a subscriber or user” – Regulation 6, Privacy and Electronic Communications Regulations 2003

4 main types of cookie – Icons courtesy of BT

Cookie consent: the new rule
Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
b) has given his or her consent.
Regulation 6 PECR 2003, as amended (NB: the pre-2011 requirement was information + an opportunity to opt out)

3 compliance steps: Step 1

Audit

Audit (continued)

…or be audited!

Step 2: provide information
ICO guidance: the information must be “sufficiently full and intelligible to allow individuals to understand the practical consequences”
Greater effort is required now, as user understanding is likely to be low
Make sure users can see the information:
Position – e.g. top of the page, not the bottom (e.g. IAB)
Formatting – e.g. font size or an icon – make it stand out
Description – e.g. “cookie policy” or “how our site works” rather than “privacy”
Blog post or new headline to draw attention (e.g. “updated” in red)
NB: notice does not equal consent – but it helps!

Step 2: information

Step 3: obtain consent
But what is valid “consent” to a cookie? Key points from the current ICO guidance (Dec 2011 version):
Must involve some form of communication…
…where the user knowingly indicates their acceptance
The user must fully understand that by the action they are giving consent
Ideally consent needs to be “prior”…
…websites must “do as much as possible” to minimise the time lag between setting a cookie and giving users the choice
…so cookie information must be “readily available”
Avoid setting persistent cookies if visitors may be one-offs

What could “consent” look like? (BT)

What could “consent” look like? (BT again)

Step 3: methods of consent
The ICO guidance suggests the following potential consent mechanisms, depending on the intrusiveness or otherwise of the cookies used:
Pop-ups (not all pop-ups are bad!)
Splash pages
Footer bar with an accept button
Via online Ts & Cs which the user accepts (but not by slipping in new terms post-acceptance)
Settings-led (e.g. language of site, location for weather report, etc.)
Feature-led
What about browser settings? The ICO's view is that at present browser settings alone do not satisfy the consent requirement

Can “implied consent” work?
Implied consent is normally invalid in a DP context – see the criteria listed earlier
The level of consent required in a given scenario depends on the user's understanding and awareness
“reliance on implied consent…must be based on a definite shared understanding of what is going to happen”, i.e. that cookies will be set, what the cookies do, and what signifies agreement
So shared understanding/implied consent may be viable as consumer awareness grows over time
Also depends on the prominence of the cookie information on the site

Less creative solutions…

What to do about analytics
Analytics cookies ARE covered by the consent rules
Low enforcement risk – the ICO has a pragmatic stance
If analytics are the only cookies you use, what should you do?
Provide information
Seek “consent” via a notice route?
Suggested wording: “This site uses Google Analytics cookies to collect information about how visitors use this site. Click here [link to relevant section of privacy policy] for more details. By using this site you agree that we can place these cookies on your device.”

2 essential sources for lawyers
ICO guidance – December 2011 – to be updated shortly
International Chamber of Commerce UK Cookie Guide – April 2012:
Categorisation of cookies
How to describe them to users; use of icons (e.g. BT)
Consent mechanisms to use
Endorsed as good practice by the ICO
Will other websites follow suit?

Third party cookies: who's responsible?
ICO's view: the website owner and the third parties are both responsible
In practice, the website owner is likely to receive any complaints about 3rd party cookies on the site
The website owner has the direct interface with the end user – therefore it is easier for it to provide information and obtain consent
Tip: ensure your cookie audit covers 3rd party cookies
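A cookie audit (Step 1 above, and the tip that it must cover 3rd party cookies) can be started from the Set-Cookie headers returned by the site and by the third parties it embeds. The script below is an added example, not the presenter's or the ICO's tooling; the site name, the helper names and the sample headers are constructed for illustration.

```python
# Cookie audit helper for Step 1 (added example, not from the slides). Input:
# (setter_url, Set-Cookie header) pairs captured from the site and its third parties.
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags map to ""
    return name.strip(), value, attrs

def registrable_domain(host):
    # Last two labels only (assumption: no .co.uk-style suffixes; a real audit uses the public suffix list).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def audit(site_url, set_cookie_headers):
    """Per cookie: setting domain, first/third-party, persistence beyond the session
    (the slides warn against persistent cookies for one-off visitors), Secure/HttpOnly."""
    site_domain = registrable_domain(urlsplit(site_url).hostname)
    report = []
    for setter_url, header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        domain = (attrs.get("domain") or urlsplit(setter_url).hostname).lstrip(".")
        report.append({
            "name": name,
            "domain": domain,
            "third_party": registrable_domain(domain) != site_domain,
            "persistent": "expires" in attrs or "max-age" in attrs,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return report

def summarise(report):
    """Counts for the action plan: how many cookies need attention."""
    return {"total": len(report),
            "third_party": sum(r["third_party"] for r in report),
            "persistent": sum(r["persistent"] for r in report)}

# Constructed sample capture from a fictional shop site (not real data).
SITE = "https://www.example-shop.test/"
SAMPLE_HEADERS = [
    (SITE, "sessionid=abc123; Path=/; Secure; HttpOnly"),
    (SITE, "lang=en-GB; Max-Age=31536000; Path=/"),
    (SITE, "_ga=GA1.2.1; Expires=Mon, 26 May 2014 00:00:00 GMT; Domain=.example-shop.test; Path=/"),
    ("https://ads.tracker-network.test/pixel", "uid=xyz; Expires=Mon, 26 May 2014 00:00:00 GMT; Domain=.tracker-network.test; Path=/"),
]
```

Running `audit(SITE, SAMPLE_HEADERS)` lists each cookie with its classification; `summarise` gives the counts for the action plan (here 3 persistent cookies, 1 of them third-party).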

Bottom line: UK enforcement risks?
What does the ICO expect of website owners by 26 May 2012?
Audit the cookies used
Take “sensible measured action to move to compliance”
Have a realistic action plan for compliance: timescales + specific actions
Will the ICO take enforcement action over cookies, and when?
ICO's approach: “practical and proportionate”
Organisation refuses to comply…
Use of particularly intrusive cookies with no information and no consent
Who will be made an example of?

Will the ICO issue fines?
ICO's own guidance will be updated again before 26 May – watch this space
ICO “does not anticipate a wave of enforcement action after the lead in period ends”… but does expect organisations “to have used this time productively and ensured that they are working towards becoming fully compliant.”
In what circumstances will the ICO impose monetary penalties?
Serious contravention + deliberate or reckless + likely to cause substantial damage or substantial distress
Reckless = knowledge of risk; failure to take “reasonable steps”

Cookie compliance: your 5 day emergency action plan For more information please contact: Claire Walker +44 (0)