The Information Commissioner's Office (ICO) issued new guidance in December 2011, following its earlier guidance note published in May 2011. The initial guidance was issued following the coming into force of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) (PECR 2011) in May 2011. The PECR 2011 introduced a restriction on the use of cookies (small files placed on a user's computer so that a website can remember the user's preferences, login details and personalisation), unless the user has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed, and has given his or her consent.
How did the ICO initially advise on PECR 2011 compliance mechanisms?
The ICO initially advised that businesses should audit their websites and assess what cookies, if any, are being used. The next step would be to identify those that are "strictly necessary", as "strictly necessary" cookies (to be interpreted very narrowly) would be exempt from the requirement for consent. The earlier guidance note also advised that website operators assess the level of intrusiveness of each cookie, and provided examples of how consent could be obtained in a manner that was compliant with the PECR 2011, ranging from pop-up boxes to personalisation settings-led consent. The guidance note made it clear that relying on browser settings to indicate consent would not be an option for compliance with the PECR 2011. It was also notably silent on how to deal with third party cookies and how to obtain consent for cookies that track a user across sites.
Despite some level of practical compliance advice in the first guidance note issued by the ICO, there was much confusion regarding the requirements, particularly as the Article 29 Working Party had also issued a number of opinion papers on how to comply with the new requirements which were not completely in line with the ICO guidance note. The Department for Culture, Media and Sport also put its opinion forward in an open letter, suggesting that retrospective consent would be considered valid consent since the legislation did not expressly state "prior consent"; this appeared to conflict with the Article 29 Working Party opinion papers on this point.
How does the ICO's latest guidance note clarify the position?
The recent guidance issued in December 2011 builds on the previous guidance and again suggests carrying out an analysis of the cookies being used (as per the earlier guidance note), but asks website operators to assess this in more detail; in particular, they should distinguish between session and persistent cookies, and between first and third party cookies. Helpfully, the ICO has provided examples of types of cookies that are likely to be considered "strictly necessary". The recent guidance reiterates the earlier advice in relation to auditing and assessing the cookies used, and suggests checking whether appropriate information has been provided and whether a proper mechanism is in place for obtaining consent.
1. Information Provided to Users
The ICO has helpfully provided guidance as to the information that should be provided to users and suggests the type of wording that may be used, as well as example lists of cookies and their uses, and an alternative table format. There are a number of suggestions as to how this information can be incorporated into the website and how to bring it to the attention of the website user, such as links to cookie information, "mouse-over" functionality, etc. The guidance note also states that putting such information into a privacy policy may not be sufficient, particularly where the privacy policy is not prominently positioned or linked.
2. Consent
The ICO has also clarified that consent is unlikely to be considered valid if it is retrospective, and that it should involve some action on the user's part. The guidance also provides practical examples of how valid consent may be obtained for different purposes, and adds detail to the initial suggestions for compliance mechanisms by providing diagrams and "screenshot" examples of how the solution would look on a website. It sets out that users must be informed of how to change or withdraw their consent, the impact of withdrawing consent, and how to remove cookies that have already been set. The issue of third party cookies (cookies placed on a website by a third party such as an advertising network) does not appear to have been addressed, and there is no clarity as to which party would be responsible for obtaining consent. The ICO suggests that the main issue is that consent has been obtained, not who has obtained it.
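The compliance steps described above (audit cookies as session or persistent and first or third party, exempt only "strictly necessary" cookies, require a prior affirmative user action for everything else, and remove already-set cookies on withdrawal) can be expressed as a small consent gate. This is an added illustration, not code from the ICO guidance; the in-memory cookie jar, the first-party domain `example.com` and the `strictlyNecessary` flag are assumptions standing in for a real site's cookie audit.

```javascript
// Added example: a consent gate modelled on the December 2011 ICO guidance.
// The Map-based "jar" is a constructed stand-in for document.cookie so the
// logic runs outside a browser; SITE_DOMAIN is an assumed first-party domain.
const SITE_DOMAIN = "example.com";

// Audit step: session vs persistent (has an expiry), first vs third party
// (domain differs from the site), and whether the audit marked it exempt.
function classifyCookie(cookie, siteDomain = SITE_DOMAIN) {
  const persistent = cookie.expires !== undefined;
  const host = cookie.domain || siteDomain;
  const thirdParty = !(host === siteDomain || host.endsWith("." + siteDomain));
  return { persistent, thirdParty, strictlyNecessary: cookie.strictlyNecessary === true };
}

function createConsentState() {
  return { granted: false, grantedAt: null };
}

// Consent is recorded only when it results from an explicit user action;
// implied or retrospective "consent" leaves the state unchanged.
function recordConsent(state, { userAction }) {
  if (userAction) {
    state.granted = true;
    state.grantedAt = Date.now();
  }
  return state.granted;
}

// Strictly necessary cookies are exempt; all others need prior consent.
// Returns true if the cookie was placed in the jar.
function setCookie(jar, cookie, state) {
  const c = classifyCookie(cookie);
  if (!c.strictlyNecessary && !state.granted) return false;
  jar.set(cookie.name, { ...cookie, ...c });
  return true;
}

// Withdrawal stops future setting and deletes the non-essential cookies
// already placed, as the guidance requires users to be able to do.
function withdrawConsent(state, jar) {
  state.granted = false;
  state.grantedAt = null;
  const removed = [];
  for (const [name, c] of jar) {
    if (!c.strictlyNecessary) { jar.delete(name); removed.push(name); }
  }
  return removed;
}
```

In a real deployment the jar would be the browser cookie store and the `strictlyNecessary` flag would come from the cookie audit the guidance asks operators to perform.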
Although the latest ICO guidance has certainly provided the much-needed practical guidance organisations were waiting for, there are still some areas in which additional guidance would be helpful, particularly as organisations now have only five months to put a solution in place. Information Commissioner Christopher Graham did provide some words of comfort for organisations that may now be rushing to put in place one of the many practical solutions suggested in the recent ICO guidance, by confirming that "…when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there."