Moving towards compliance
What are cookies?
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a piece of data stored by a website within a browser, and then subsequently sent back to the same website by the browser. Cookies were designed to be a reliable mechanism for websites to remember things that a browser had done there in the past, which can include having clicked particular buttons, logging in, or having read pages on that site months or even years ago.
Although cookies cannot carry viruses, and cannot install viruses on the host computer, tracking cookies and especially third-party tracking cookies are commonly used as a way to compile long-term records of individuals’ browsing histories — a major privacy concern, not only in the UK, but worldwide.
Other kinds of cookies perform essential functions in the modern Web. Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in under. Without such a mechanism, the site would not know whether to send a page full of sensitive information, or a message saying “sorry, you need to log in”. The security of an authentication cookie generally depends on the security of the issuing website and the user’s web browser. If not implemented correctly, a cookie’s data can be intercepted by a hacker to gain unapproved access to the user’s data and possibly to the originating website.
To facilitate this move towards compliance, the ICO confirmed last year that it would allow a lead-in period of 12 months for organisations to develop ways of meeting the cookie-related requirements of the revised Regulations. At the end of May 2012, the ICO will move towards the approach set out in its general Data Protection Regulatory Action Policy and it will then consider using its enforcement powers to compel compliance in appropriate cases.
What do I need to know?
- Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed; and
- Has given his or her consent.
The available guidance reiterates the ICO’s initial recommendation that website owners should carry out a cookie audit to do a number of things, including:
- Identify the cookies operating on or through their website and confirm their purposes;
- Confirm how privacy-intrusive each cookie used is likely to be (for example, because it links to personal information the website owner holds about an individual or because it allows the website owner to build up a detailed profile of an individual’s online behaviour);
- Confirm the type of cookies used, distinguishing, in particular, between session and persistent cookies and between first-party and third-party cookies; and
- Confirm that the website provides accurate and clear information about each cookie.
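The audit steps above can be partly automated. The script below is an added example, not part of the ICO guidance or this post: it takes Set-Cookie headers observed while loading a site, each paired with the host that sent it, and classifies every cookie as session or persistent and first-party or third-party, and records whether the Secure and HttpOnly protections relevant to authentication cookies are present. The site domain `example.co.uk`, the sample headers and the `audit_cookies`, `summarise` and `missing_protections` helper names are all assumptions made for the example; the sample headers are constructed, not captured from any real site. First-party status is decided by a plain suffix match against the audited site's registrable domain, which stands in for a proper public-suffix-list check.

```python
"""Cookie audit helper: classify Set-Cookie headers by type, party and protections."""
from dataclasses import dataclass
from typing import Optional

# Registrable domain of the website being audited (assumed value for this example).
SITE_DOMAIN = "example.co.uk"

# Constructed sample: Set-Cookie headers observed while loading the site, each
# paired with the host that sent them. Not captured from any real site.
SAMPLE_RESPONSES = [
    ("www.example.co.uk", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.co.uk", "prefs=lang%3Den; Path=/; Max-Age=31536000"),
    ("cdn.example.co.uk", "cdn_session=xyz; Path=/"),
    ("ads.tracker-example.net",
     "uid=9f8e7d; Domain=.tracker-example.net; Path=/; "
     "Expires=Wed, 01 Jan 2025 00:00:00 GMT"),
]


@dataclass
class CookieRecord:
    name: str
    issued_by: str      # host that sent the Set-Cookie header
    domain: str         # domain the cookie is scoped to
    persistent: bool    # True when the cookie outlives the browser session
    first_party: bool   # True when scoped to the audited site's own domain
    secure: bool        # only sent over HTTPS
    http_only: bool     # not readable from page scripts
    same_site: Optional[str]


def _in_domain(domain: str, site_domain: str) -> bool:
    """True if `domain` equals site_domain or is a subdomain of it (assumed rule)."""
    return domain == site_domain or domain.endswith("." + site_domain)


def parse_set_cookie(host: str, header: str, site_domain: str = SITE_DOMAIN) -> CookieRecord:
    """Parse one Set-Cookie header value into a CookieRecord."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # A Domain attribute overrides the issuing host; a leading dot is ignored (RFC 6265).
    domain = attrs.get("domain", "").lstrip(".").lower() or host.lower()

    # Max-Age takes precedence over Expires; zero or negative Max-Age deletes the
    # cookie. Expires dates are not evaluated here, so an already-past Expires is
    # still listed, which is what an audit wants to see anyway.
    if "max-age" in attrs:
        try:
            persistent = int(attrs["max-age"]) > 0
        except ValueError:
            persistent = "expires" in attrs  # malformed Max-Age is ignored by browsers
    else:
        persistent = "expires" in attrs

    return CookieRecord(
        name=name,
        issued_by=host.lower(),
        domain=domain,
        persistent=persistent,
        first_party=_in_domain(domain, site_domain),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite"),
    )


def audit_cookies(responses, site_domain: str = SITE_DOMAIN):
    """Classify every observed (host, Set-Cookie) pair."""
    return [parse_set_cookie(host, header, site_domain) for host, header in responses]


def summarise(records):
    """Count cookies per party/type bucket for the audit report."""
    counts = {"first_party_session": 0, "first_party_persistent": 0,
              "third_party_session": 0, "third_party_persistent": 0}
    for r in records:
        party = "first_party" if r.first_party else "third_party"
        kind = "persistent" if r.persistent else "session"
        counts[f"{party}_{kind}"] += 1
    return counts


def missing_protections(records):
    """Names of cookies set without both Secure and HttpOnly, for manual review."""
    return sorted(r.name for r in records if not (r.secure and r.http_only))


if __name__ == "__main__":
    found = audit_cookies(SAMPLE_RESPONSES)
    for r in found:
        print(f"{r.name:12} {'1st' if r.first_party else '3rd'}-party "
              f"{'persistent' if r.persistent else 'session'} "
              f"domain={r.domain} secure={r.secure} httponly={r.http_only}")
    print(summarise(found))
    print("review protections:", missing_protections(found))
```

The output is a starting point for the audit, not its conclusion: the purpose of each cookie and how privacy-intrusive it is still have to be confirmed by the site owner, and cookies listed by `missing_protections` should be checked against the authentication-cookie point made above.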
Meaning of consent
The guidance includes considerably more detailed information on the meaning of consent, and the limited exceptions that apply to the consent requirement. In particular, it explains which types of cookies can be considered “strictly necessary” and which may therefore be set without restrictions.
Among other things, the ICO’s updated guidance explains that:
- Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking on an icon, sending an e-mail or subscribing to a service;
- As a general rule, consent should be obtained before the cookie is set. However, the guidance does acknowledge that this may often be difficult in practice. It therefore encourages website owners to do as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options.
- Any reliance on “implied consent” must be based on the shared understanding between the website owner and the user of what is going to happen when the user visits the website.
It is important, and with these new developments essential, to ensure compliance with the new regime, particularly where your business website is an integral tool in your day-to-day operations.
If you need further guidance as to what you can practically do to ensure your compliance with the new regime, feel free to contact me for assistance:
Tel – 0117 9453 042