(Updated 28/05/2012) - Please now read the updated Jisc Legal article "Cookies - Implied Consent A Valid Form of Consent".
Table of Contents
- The Law
- Analytical Cookies
- Third Party Cookies and Google Analytics
- Cookies and Personal Data
- Do I need consent to use all cookies?
- What do I need to do now?
- What will happen if I don’t do anything?
- Browser Settings and Consent to Cookies
- The Legislation
The Law
Under the revised regulations the requirement is not just to provide clear information about the cookies but also to obtain consent from users or subscribers to store a cookie on their device.
Those setting cookies must:
- tell people that the cookies are there,
- explain what the cookies are doing, and
- obtain their consent to store a cookie on their device.
Provided you get consent at that point, you do not need to obtain it again from the same person each time you use the same cookie for the same purpose in future. The more directly the setting of a cookie relates to the user’s personal information, the more care has to be exercised in getting consent.
The person setting the cookie is primarily responsible for compliance with the requirements of the law. Where 'third party' cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.
The guidance also states that it is highly unlikely that formal action would be prioritised against uses of cookies that are of low intrusiveness and pose a low risk of harm to individuals.
It is clear that obtaining consent requires some form of communication where the user knowingly indicates their acceptance and the user must fully understand that by the action in question they are giving consent.
Which method will be appropriate to get consent for cookies will depend in the first instance on what the cookies you use are doing and to some extent on the relationship you have with users.
You must gain consent by giving the user specific information about what they are agreeing to and providing them with a way to show their acceptance. Consent may be signified by a user who amends or sets controls on their internet browser or by using another application or programme to signify consent. However it is the Information Commissioner’s view that at present, most browser settings are not sophisticated enough to allow an assumption to be made that the user has given their consent to a cookie being set.
Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.
Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems. Where possible the setting of cookies should be delayed until a user has had the opportunity to understand what cookies are being used and make their choice. The Information Commissioner does however recognise that many websites set cookies as soon as a user accesses the site. Where it is not possible to obtain prior consent websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options.
Implied Consent - A Valid Form of Consent
The Information Commissioner’s Office updated its advice in May 2012 and now states that implied consent is a valid form of consent and can be relied on in complying with the revised rules on cookies. If you rely on implied consent you must be satisfied that users understand that their actions will result in cookies being set; reliance on implied consent must rest on a definite shared understanding of what is going to happen. In this context that means the user
- fully understands that cookies will be set,
- is clear about what those cookies do, and
- signifies their agreement.
You can also read the updated Jisc Legal article "Cookies - Implied Consent A Valid Form of Consent".
Analytical Cookies
Helpfully, although the December 2011 guidance stated that cookies used for analytical purposes, such as counting the number of unique visits to a website, are caught by the requirement to obtain prior consent, it also stated that, provided clear information is given about their activities, the ICO is highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
Third Party Cookies
Whether a cookie is ‘first’ or ‘third’ party refers to the website or domain placing the cookie. First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.
Google Analytics sets only first-party cookies: its cookies are scoped to the domain of the site on which it runs, so the browser sends them only with requests to that domain, and scripts on other domains cannot read or alter them. Note, however, that the Google Analytics script running on your page reads those cookies and reports the visit data to Google’s collection servers, so the cookies being first party does not mean the data stays within your domain.
This leaves some ambiguity: using Google Analytics without prior explicit consent is likely to be non-compliant, but it is not the focus of enforcement. As a priority, you should ensure that information about the use of cookies on your college or university website is clear and prominent.
Cookies and Personal Data
Where the use of a cookie involves the processing of personal data, you will need to make sure that it also complies with the requirements of the Data Protection Act 1998. This includes the third data protection principle, which states that data controllers must not process personal data that is excessive. Where personal data is collected, the data controller should consider the extent to which that data can be effectively processed anonymously. This is likely to be particularly relevant where the data is to be processed for a purpose other than the provision of the service directly requested by the user, for example, counting visitors to a website.
The guidance restates what website operators should be doing now -
- Check what type of cookies and similar technologies are being used and how they are used.
- Assess how intrusive the use of the cookie is.
- When consent is needed – you should decide what the best way to obtain consent is in each particular circumstance of cookie use.
JISC Legal will be keeping track of any further guidance and information coming out of the ICO and the Department for Culture, Media and Sport in the run up to the extended implementation deadline. This webpage will be updated with institutional best practices where they are identified as well as recommendations for institutions on how to achieve and maintain compliance with the new consent requirements.
Do I need consent to use all cookies?
The only exception is where the cookie is ‘strictly necessary’ for a service requested by the user.
For this exception to apply the cookie must be essential to providing the service the user has asked for, not merely useful to you. For example, you would not need to get consent for a cookie which is used to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page.
The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.
You must also give people more details about what you do – perhaps a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.
What do I need to do now?
It is advised that you take the following steps:
- Check what type of cookies and similar technologies you use and how you use them. This might be a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why. You should analyse which cookies are strictly necessary and might not need consent. You might also use this as an opportunity to ‘clean up’ your web pages and stop using any cookies that are unnecessary or which have been superseded as your site has evolved.
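As an added illustration, not part of the Jisc Legal guidance, the following JavaScript shows one way a site can put the audit step above and the deferral described earlier into code: a published register of cookies split into ‘strictly necessary’ and optional categories, a gate that refuses to set any optional cookie until consent for its category has been recorded, deferred loading of the analytics tag, and an audit that compares the cookies a browser actually sends against the register. The consent cookie name (cookie_consent), the category names, the DECLARED_COOKIES table and the sample Cookie header are all constructed assumptions for the example, not anything from the ICO guidance or any real site.

```javascript
// Added example (not from the Jisc Legal page): a consent gate and cookie audit
// for a site that wants to defer non-essential cookies until the user has chosen.
// Assumptions, for illustration only: the consent record lives in a first-party
// cookie named "cookie_consent" holding URL-encoded JSON such as
// {"allow":["analytics"]}; the category names and the DECLARED_COOKIES table
// below are a constructed sample of the register a site would publish in its
// cookie notice.

const DECLARED_COOKIES = {
  SESSIONID:      { category: "strictly-necessary", purpose: "keeps you signed in during a visit" },
  basket:         { category: "strictly-necessary", purpose: "remembers items you added to your basket" },
  cookie_consent: { category: "strictly-necessary", purpose: "records the cookie choices you made" },
  _ga:            { category: "analytics",          purpose: "Google Analytics unique-visitor counting" },
  _gid:           { category: "analytics",          purpose: "Google Analytics unique-visitor counting" },
  theme:          { category: "preferences",        purpose: "remembers your display preferences" },
};

// Parse a Cookie request header (or document.cookie) into a name -> value map.
// Malformed percent-encoding is kept raw rather than throwing.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
    cookies[name] = value;
  }
  return cookies;
}

// Read the recorded consent. No record, or an unparseable one, means no consent
// for anything optional: the safe default is to set nothing beyond the essentials.
function readConsent(cookies) {
  const raw = cookies.cookie_consent;
  if (!raw) return new Set();
  try {
    const parsed = JSON.parse(raw);
    const allow = Array.isArray(parsed.allow) ? parsed.allow : [];
    return new Set(allow.filter((c) => typeof c === "string"));
  } catch (e) {
    return new Set();
  }
}

// The gate. Strictly necessary cookies always pass; every other declared cookie
// needs consent for its category; a cookie missing from the published register
// never passes, because users cannot have agreed to something they were not told about.
function maySetCookie(name, consent) {
  const entry = DECLARED_COOKIES[name];
  if (!entry) return false;
  if (entry.category === "strictly-necessary") return true;
  return consent.has(entry.category);
}

// Build a Set-Cookie header only when the gate allows it. Secure and SameSite=Lax
// are always on; HttpOnly is on unless the page's own script must read the cookie.
function buildSetCookie(name, value, consent, opts = {}) {
  if (!maySetCookie(name, consent)) return null;
  const attrs = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (opts.httpOnly !== false) attrs.push("HttpOnly");
  if (Number.isInteger(opts.maxAge)) attrs.push(`Max-Age=${opts.maxAge}`);
  return attrs.join("; ");
}

// Deferred loading: run each optional loader (e.g. the one that injects the
// analytics tag) only after consent for its category is recorded. Returns the
// categories that were actually loaded.
function loadOptional(consent, loaders) {
  const loaded = [];
  for (const [category, loader] of Object.entries(loaders)) {
    if (consent.has(category)) { loader(); loaded.push(category); }
  }
  return loaded;
}

// Audit step: compare what the browser is really sending with the published
// register, to find undeclared cookies and optional ones set without consent.
function auditCookies(header) {
  const cookies = parseCookieHeader(header);
  const consent = readConsent(cookies);
  const names = Object.keys(cookies);
  return {
    undeclared: names.filter((n) => !DECLARED_COOKIES[n]),
    setWithoutConsent: names.filter((n) => DECLARED_COOKIES[n] && !maySetCookie(n, consent)),
  };
}

// Constructed sample: a returning visitor who never recorded a choice, yet
// carries an analytics cookie and a leftover tracker nobody declared.
const SAMPLE_HEADER = "SESSIONID=abc123; _ga=GA1.2.1234; legacy_tracker=x; theme=dark";
console.log(auditCookies(SAMPLE_HEADER));
// -> { undeclared: [ 'legacy_tracker' ], setWithoutConsent: [ '_ga', 'theme' ] }
```

The audit is the part worth running against a real site: feed it the Cookie header from a browser that has never recorded a choice and anything in setWithoutConsent is a cookie being set before consent, while anything in undeclared is a cookie the notice does not mention and therefore one users could not have agreed to. The same register then drives the cookie list in the notice, so the description users see and the gate the server enforces cannot drift apart.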
What will happen if I don’t do anything?
The UK Government has made it clear that enforcement action will not be taken until appropriate technical solutions are available. As noted above, analytical cookies are caught by the requirement to obtain prior consent, but the ICO is highly unlikely to prioritise first party cookies used only for analytical purposes where clear information is given about them. The ICO has also indicated that monetary penalties will be reserved for the most serious breaches of the regulations.
What that is likely to mean in practice is that enforcement will focus on ensuring the compliance of those who are using cookies to track a user across multiple sites and/or recognise a user when they return to a website.
A structured approach following the three steps suggested above will help demonstrate that you are taking steps to change current practice to bring about compliance with the new laws.
Browser Settings and Consent to Cookies
The suggestion is that the user’s browser settings are a possible means to get consent. It is the Information Commissioner’s view that at present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. The government is currently working with the major browser manufacturers to establish which browser level solutions will be available and when. Once appropriate technical solutions have been developed the Information Commissioner may issue further guidance.
The Legislation
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) came into force on 26 May 2011, and the main aim of the legislation is to address issues of consent and privacy. The amending UK legislation is available online here - http://www.legislation.gov.uk/uksi/2011/1208/made.