The way the cookie crumbles …
What are cookies?
In their basic form, cookies are strings of data which are downloaded onto a device when it accesses the internet. Therefore, they allow the online behaviour of a device (and its user) to be monitored. There are four main categories of cookies:
- Targeting or advertising cookies: these constitute the basis for third party advertising, and include recording visits to particular websites which demonstrate interest ‘segments’ of the computer user. Information is shared with third parties who can tailor adverts according to online behaviour.
- Functionality cookies: these recognise users who return to a website, enabling eg personalised greetings, language, region or other personalised settings and displaying tailored updates or news feeds.
- Performance cookies: these may be used by websites to monitor the number of visitors there are on a website and most popular pages.
- ‘Strictly necessary’ cookies: these include cookies which enable entry into secure areas of websites, use of online shopping carts and e-billing services. They are generally exempt from the consent and notice requirements in the regulations. These are only broad categories and cookies may perform multiple functions.
The regulations require website users to be informed that cookies are being used and their consent to be sought (other than for ‘strictly necessary’ cookies). Fines of up to £500,000 can be imposed for noncompliance and the Information Commissioner will be responsible for enforcement.
The user’s/subscriber’s consent must be informed and cannot be inferred or deemed from, say, a lack of response. Though no specific solution is endorsed, guidance sets out options including ‘pop-up’ boxes or banners. Pop-ups seem to be a popular solution, looking at various mainstream websites that have complied to date.
Website owners also need to demonstrate that they are doing as much as possible to minimise the delay between introducing or ‘placing’ a cookie and informing and obtaining consent from end-users.
Browser settings may offer a method to indicate consent to the use of given categories of cookies (and to exclude others). However, it must be clear that consent has been given in some way by the end-user/subscriber.
A practical limitation is that not all users/subscribers will use web browsers which are sophisticated enough to provide such enhanced privacy settings.
Information to be provided
No formal guidance has been provided but possible ways of informing users could include:
- using icons or images which link to further information.
Responsibility for compliance
A narrow exemption still remains for ‘strictly necessary’ cookies, referred to above. Consideration therefore needs to be given as to what category a cookie belongs to.
Practical step for businesses
Businesses with websites should check what cookies are being used, assess their intrusiveness, identify any obsolete cookies and take appropriate action. This should involve carrying out a cookie audit. For such audits, businesses must have clear communication at least between their website designers, marketing and commercial departments and their legal team.
Finally, if a website enables users to select personalised settings for their experience on the website, consent to the use of relevant cookies may be built into the setup process.
As always, if you need commercial and pragmatic legal advice, we’re here to help so please get in touch.