Cookie consent: It's not optional - it's the law, warns ICO

Advertisers and websites "in denial" about new privacy law...
Written by Natasha Lomas, Contributor

The new cookie law requires companies to gain consent before collecting user data online. Photo: Shutterstock

Website owners and online advertisers are putting their head in the sand when it comes to compliance with the new law on consent for cookies and the collection of user data, the Information Commissioner's Office (ICO) has warned.

Amendments to the UK's Privacy and Electronic Communications Regulations (PECR) came into force back in May - aligning UK law with changes to the EU Privacy and Electronic Communications Directive.

The changes require companies to gain consent before collecting user data or storing tracking programs such as cookies on users' computers. However, at the time, the Information Commissioner Christopher Graham said he would give UK businesses a year's grace to comply with the new law.

But speaking at a Westminster eForum on digital marketing in London last week, Graham voiced concerns the industry is sleepwalking towards non-compliance - warning delegates that almost half the grace period has now elapsed and not enough is being done by websites and advertisers to prepare.

"We've had five of the 12 months. We will shortly be producing the Commissioner's half-term report... it will be couched very much in those familiar terms of 'could do better, must try harder'," Graham said.

The UK government is currently in discussions with browser makers to look at how privacy settings and 'do not track' options could be built into browsers to help compliance with the new law. But Graham warned that a browser-based solution will be "no silver bullet".

"Changes to the way users can make choices in browsers will allow most websites to reasonably infer consent - but the devil will be in the detail," he noted.

"I still think there are a fair number of people in the advertising business and the website business who are in denial about this," he added. "However much you don't like it... consent for cookies is the law... Compliance is going to be difficult enough but if we're all in denial it becomes more or less impossible."

"I can't ignore the law indefinitely," he noted. "You need to get a move on."

Hazel Grant, a partner at law firm Bristows, also speaking at the event, said the new law does not just pertain to cookies but covers data collected from users in a much broader sense.

"The legislation... does not simply refer to cookies and does not simply refer to personal data - it's actually information collected from a user's terminal equipment so it does cover mobile devices. It will also cover different types of information - such as digital rights management [DRM] information," she said.

The ICO's Graham said he was surprised the UK government had not decided to incorporate a run-in period before the law came into effect - and he conceded that the new legislation presents a "challenging problem" for the digital industry of "how to deliver consent online without completely wrecking the user experience".

In seeking to comply with the new law since May, the ICO's own website analytics have become a "casualty" of the transition to the new web order, he revealed. "I don't know at the moment who's accessing our website," he said. "We're working on a solution. That's part of the transition."

Graham said the ICO's approach to compliance complaints will be to consider whether the consumer is being misled. "Is the website so tricksy that you couldn't possibly say the consumer had given consent," he said, giving an example of the questions it is likely to ask itself. "Are the personal data elements landing up in the hands of people the consumer couldn't possibly have expected to have them?

"You couldn't say that was consent."

The ICO will also look at whether "sensitive personal data items" are included in user profiles, and will take into consideration whether non-compliance with PECR is "symptomatic of a cavalier approach to advertising and to privacy in general".

Graham continued: "The brands that treat consumers as grown-ups will be winners. The brands who behave in a tricksy way will be abandoned by consumers. That's a lesson we all need to understand... If you do that then you won't have a problem complying with this directive."

Nigel Hickson, head of EU and international ICT policy at the Department for Media, Culture and Sport, who was also at the event, added that discussions are ongoing with browser manufacturers. "It's not a simple exercise - and it's not for the UK alone," he said, adding that Ed Vaizey, communications minister, will also be having discussions in the US.

The new law has two clear principles, according to Bristows' Grant: transparency and consent. "Transparency has to be achieved before a cookie is placed - and how do you do that in a privacy policy when you've already got on to a website and at that point the cookie has already been placed on the PC?" she noted.

"We now know that consent has to be real consent - we cannot assume consent from inaction. The fact the browser settings are just used by a website visitor without thinking to go and check what the setting is - that is seen as inaction, not active consent."

Cookie guidance

Graham said the ICO will be updating the guidance that it has published so far to include examples of good practice. It will also be giving more details about where it expects the regulatory focus to be, come the end of May 2012 when the grace period elapses.

The UK's internet advertising trade association, the Internet Advertising Bureau (IAB), along with its European counterparts, has developed a set of self-regulatory Good Practice Principles for advertisers to apply to online behavioural advertising. While Graham welcomed this as "progress" towards raising awareness and improving consumer controls, he added that the principles themselves are not sufficient to comply with the law.

Bristows' Grant detailed some of the compliance advice the firm is currently giving its clients - including conducting a cookie audit.

"For organisations that are in the UK, it's necessary to carry out an audit of the cookies that are being used on their website, ditch the cookies that are useless, work out what information is being collected and document that audit so that there is an insurance policy for those organisations should they be found wanting in an investigation by the ICO," said Grant.

Organisations should also review the data protection and privacy policy on their website, she advised.

However, a high level of compliance complexity kicks in for organisations operating in different European countries - which may have different rules for compliance. "That's where the real complexity starts," said Grant. "We're seeing legislation in other countries such as Holland which is requiring opt-in consent, so we're having a conflicting position in different countries.

"Enforcement will generally be on a country-by-country basis, so it is extremely complicated," she added.

Grant added that, contrary to the advice from the ICO's Graham that organisations should get a move on, she is currently advising clients to "wait to see whether there is a technical solution that will solve this".

"It cannot be right, to me it seems, that we have millions of websites and all of these websites will have to do something when we have only a handful of browsers. We must have a pragmatic solution that is reflective of the whole industry," she added.

The debate also touched on the importance of educating consumers about online privacy. "We can all live in this bubble talking about e-privacy and cookies and assume that people know what we're talking about - the vast majority of consumers don't know what they are," noted William Blomefield, regulatory affairs manager at the Advertising Association.

"Part of the education of consumers is companies being straight and explaining in plain English what they're doing," added the ICO's Graham.