What Does the New "Cookie" Legislation Require us to do? (15 December 2011)

(Updated 28/05/2012) - Please now read the updated Jisc Legal article "Cookies - Implied Consent A Valid Form of Consent".

The law that governs how institutions may use cookies and similar technologies to store information on a user's equipment, such as their computer or mobile device, has changed. The changes implement revisions to the European Directive on which the UK legislation is based. Essentially, the regulations require that, as a website operator, your institution provides information about cookies and obtains consent before a cookie is set for the first time.

Table of Contents

  1. The Law
  2. Consent
  3. Analytical Cookies
  4. Third Party Cookies and Google Analytics
  5. Cookies and Personal Data
  6. Compliance
  7. Do I need consent to use all cookies?
  8. What do I need to do now?
  9. What will happen if I don’t do anything?
  10. Browser Settings and Consent to Cookies
  11. The Legislation
  12. Sources

The Law

Under the revised regulations the requirement is not just to provide clear information about the cookies but also to obtain consent from users or subscribers to store a cookie on their device.

Those setting cookies must:

  • tell people that the cookies are there,
  • explain what the cookies are doing, and
  • obtain their consent to store a cookie on their device.

Provided you get consent at that point, you do not need to obtain it again from the same person each time you use the same cookie (for the same purpose) in future. The more directly the setting of a cookie relates to the user's personal information, the more care has to be exercised in getting consent.

The person setting the cookie is primarily responsible for compliance with the requirements of the law.  Where 'third party' cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.

The guidance also states that it would be highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. 

Consent

It is clear that obtaining consent requires some form of communication where the user knowingly indicates their acceptance and the user must fully understand that by the action in question they are giving consent.

Which method will be appropriate to get consent for cookies will depend in the first instance on what the cookies you use are doing and to some extent on the relationship you have with users. 

You must gain consent by giving the user specific information about what they are agreeing to and providing them with a way to show their acceptance.  Consent may be signified by a user who amends or sets controls on their internet browser or by using another application or programme to signify consent.  However it is the Information Commissioner’s view that at present, most browser settings are not sophisticated enough to allow an assumption to be made that the user has given their consent to a cookie being set.

It is not uncommon for consent to be gained online using the terms of use or terms and conditions to which the user agrees when they register or sign up.  Where users open an online account or sign in to use the services you offer, they will be giving their consent to allow you to operate the account and offer the service.  There is no reason why consent for the cookies cannot be gained in the same way. 

More examples of acceptable methods of obtaining consent are available in the ICO guidance document - Guidance on the rules on use of cookies and similar technologies.

Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.

‘Prior’ Consent

Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems.  Where possible the setting of cookies should be delayed until a user has had the opportunity to understand what cookies are being used and make their choice.  The Information Commissioner does however recognise that many websites set cookies as soon as a user accesses the site.  Where it is not possible to obtain prior consent websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options.

Implied Consent - A Valid Form of Consent

The Information Commissioner's Office has updated its advice (May 2012) and now states that implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies. If relying on implied consent, it is necessary to be satisfied that users understand that their actions will result in cookies being set. A reliance on implied consent in this context must be based on a definite shared understanding of what is going to happen. In this situation this means that a user must

  • fully understand that cookies will be set,
  • be clear about what the cookies do, and
  • signify their agreement.

Institutions will need to decide on the best way to provide clear information about cookies and to give people using their websites the right choices.  The key point is that you should be upfront with users about how your website operates.  A shared understanding is more likely to be achieved quickly if websites make a real effort to ensure information is made clearly available to their users, for example, displaying a prominent link to ‘More information about how our website works and cookies’ at the top of the page rather than through a privacy policy in the small print.

You can also read the updated Jisc Legal article "Cookies - Implied Consent A Valid Form of Consent". 

Analytical Cookies

Helpfully, although the December 2011 guidance did state that cookies used for analytical purposes to count the number of unique visits to a website were caught by the requirement to obtain prior consent, it also stated that, provided clear information was given about their activities, the ICO was highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

For colleges and universities (and JISC Services) that don’t use cookies to target users in a commercial sense by selling the information generated by their online behaviour to advertising companies it means that getting consent in advance for cookies used only for analytical purposes need not be a priority.  This comes with the condition that full information is provided to users up front on the website's use of cookies. 

Third Party Cookies

Whether a cookie is ‘first’ or ‘third’ party refers to the website or domain placing the cookie.  First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window.  Third party cookies are cookies that are set by a domain other than the one being visited by the user.  If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.

Google Analytics 

Google Analytics uses only first-party cookies.  This means that all cookies set by Google Analytics for a domain send data only to the servers for that domain.  This effectively makes Google Analytics cookies the personal property of the website domain which sets the cookie, and the data cannot be altered or retrieved by any service on another domain. 

Further information on how Google Analytics uses cookies is available here - http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html#HowGAUsesCookies.  

This leaves some ambiguity, with the use of Google Analytics without prior explicit consent likely to be non-compliant, but not the focus of enforcement.  As a priority, you should ensure that information about the use of website cookies at your college or university is clear and prominent.

Cookies and Personal Data

Where the use of a cookie involves the processing of personal data, you will need to make sure that the processing also complies with the additional requirements of the Data Protection Act 1998. This includes the third data protection principle, which states that data controllers must not process personal data that is excessive. Where personal data is collected, the data controller should consider the extent to which that data can be effectively processed anonymously. This is likely to be particularly relevant where the data is to be processed for a purpose other than the provision of the service directly requested by the user, for example, counting visitors to a website.

Compliance

The legal requirement is to provide clear information about your use of cookies and also to obtain consent from users or subscribers to store a cookie on their device. The ICO indicates that it does not intend to issue prescriptive lists on how to comply. When using analytical cookies, for example, the choice remains with the website operator: either seek prior consent for each cookie used to count the number of unique visits, and in doing so perhaps put users off using the website, or fully inform users by publishing detailed and clear information on cookie use prominently, and risk at some stage further down the line a ticking off by the ICO.

As stated above examples of acceptable methods of obtaining consent are available in the ICO guidance document - Guidance on the rules on use of cookies and similar technologies.

The guidance restates what website operators should be doing now - 

  1. Check what type of cookies and similar technologies are being used and how they are used.
  2. Assess how intrusive the use of the cookie is.
  3. When consent is needed – you should decide what the best way to obtain consent is in each particular circumstance of cookie use.


JISC Legal will be keeping track of any further guidance and information coming out of the ICO and the Department for Culture, Media and Sport in the run up to the extended implementation deadline.  This webpage will be updated with institutional best practices where they are identified as well as recommendations for institutions on how to achieve and maintain compliance with the new consent requirements. 

Do I need consent to use all cookies?

The only exception is if what you are doing is ‘strictly necessary’ for a service requested by the user.

For this exception to apply use of the cookie must be related to the service requested by the user.  For example, you would not need to get consent for a cookie which is used to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page.

The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

What do I need to do now?

You should examine how you currently explain your approach to your use of cookies to users and make that information more prominent.  It is critical that the information you provide is clear and comprehensive and also readily available to those using your website.

You must also give people more details about what you do – perhaps a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow. 

It is advised that you take the following steps:

  1. Check what type of cookies and similar technologies you use and how you use them. This might be a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why. You should analyse which cookies are strictly necessary and might not need consent. You might also use this as an opportunity to ‘clean up’ your web pages and stop using any cookies that are unnecessary or which have been superseded as your site has evolved.
  2. Assess how intrusive your use of cookies is. It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately, providing more information and offering more detailed choices at the intrusive end of the scale.
  3. Decide what solution to obtain consent will be best in your circumstances. Essentially the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent. Providing information to users on the use of cookies is key as is the ability to demonstrate you are reviewing the use of cookies and are developing a plan for compliance.
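An added example (not from the Jisc Legal article) of the inventory work in step 1, written in Python: it parses captured Set-Cookie headers, classifies each cookie as first or third party using the definition given in the Third Party Cookies section, records whether the cookie persists beyond the browser session (a rough intrusiveness signal for step 2), and flags which cookies fall outside an assumed 'strictly necessary' list and therefore need consent. The hostnames, cookie names and headers are constructed sample data.

```python
"""Cookie inventory helper: added illustration, not part of the article."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import List

@dataclass
class CookieRecord:
    name: str
    domain: str
    persistent: bool       # survives the browser session (Expires or Max-Age set)
    party: str             # "first" or "third", per the article's definition
    consent_needed: bool   # False only for the 'strictly necessary' exception

# Cookie names this (hypothetical) site operator has judged strictly necessary
STRICTLY_NECESSARY = {"sessionid", "basket"}

def _within_site(cookie_domain: str, visited_host: str) -> bool:
    """True if cookie_domain is the host shown in the address bar or a parent of it."""
    d = cookie_domain.lstrip(".").lower()
    h = visited_host.lower()
    return h == d or h.endswith("." + d)

def classify(visited_host: str, setting_host: str, header: str) -> List[CookieRecord]:
    """Parse one Set-Cookie header value and classify the cookie(s) it carries."""
    jar = SimpleCookie()
    jar.load(header)
    records = []
    for name, m in jar.items():
        # A cookie without a Domain attribute belongs to the host that sent it
        domain = (m["domain"] or setting_host).lstrip(".")
        persistent = bool(m["expires"] or m["max-age"])
        party = "first" if _within_site(domain, visited_host) else "third"
        records.append(CookieRecord(name, domain, persistent, party,
                                    name not in STRICTLY_NECESSARY))
    return records

# Constructed sample capture: (host that sent the response, Set-Cookie header value)
SAMPLE_CAPTURE = [
    ("www.example.ac.uk", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.ac.uk", "_ga=GA1.2.1234.5678; Domain=.example.ac.uk; Max-Age=63072000; Path=/"),
    ("ads.tracker.example", "uid=xyz; Domain=.tracker.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
]

def inventory(visited_host: str = "www.example.ac.uk", capture=SAMPLE_CAPTURE) -> List[CookieRecord]:
    """Build the cookie inventory for a visit to visited_host from a capture."""
    records: List[CookieRecord] = []
    for host, header in capture:
        records.extend(classify(visited_host, host, header))
    return records

if __name__ == "__main__":
    for r in inventory():
        print(f"{r.name:<10} {r.party:<6} persistent={r.persistent!s:<5} consent_needed={r.consent_needed}")
```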

What will happen if I don’t do anything?

The UK Government has made it clear that enforcement action will not be taken until appropriate technical solutions are available. Helpfully, although the guidance states that cookies used for analytical purposes to count the number of unique visits to a website are caught by the requirement to obtain prior consent, it also states that, provided clear information is given about their activities, the ICO is highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action. The ICO has also indicated that monetary penalties will be reserved for the most serious breaches of the regulations.

What that is likely to mean in practice is that enforcement will focus on ensuring the compliance of those who are using cookies to track a user across multiple sites and/or recognise a user when they return to a website.

A structured approach following the three steps suggested above will help demonstrate that you are taking steps to change current practice to bring about compliance with the new laws.

Browser Settings and Consent to Cookies

The suggestion is that the user’s browser settings are a possible means to get consent.  It is the Information Commissioner’s view that at present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie.  The government is currently working with the major browser manufacturers to establish which browser level solutions will be available and when. Once appropriate technical solutions have been developed the Information Commissioner may issue further guidance.

Legislation Reference

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) came into force on 26 May 2011, and the main aim of the legislation is to address issues of consent and privacy. The amending UK legislation is available online here - http://www.legislation.gov.uk/uksi/2011/1208/made.

Sources Used and Further Information

Posted on 15/12/2011