Cookies Consent
Regulations came into force in May 2011, and allowed a twelve month grace period for implementation, so that website owners had to obtain visitor’s consent to the use of Cookies. There has been some confusion as to the extent of cookies consent that was required. A sample of various websites shows that many companies are unsure as to the extent of compliance required, and are taking a belts and braces approach. However four out of five websites have made no effort to comply.
- The rules require an organisation with a website to obtain the consent of the individual user to the use of Cookies. That consent must be given freely, and on the back of clear and comprehensive information provided to them. It had been thought that specific request was required from users for all but the most basic use of Cookies, for example, in the form of Google analytics. Many thought that a box would have to appear on the website, and for the user to accept the use of Cookies. This could potentially have played havoc with information that products such as Google Analytics provide website owners as to the pages visitors visit, their location, whether they are a returning user and how long they spent on the site.
- The Information Commissioner, however, has now issued guidance. It is now the position that implied cookie consent is to be considered a valid form of consent. There would be no need for a user or a website to specifically accept the use of Cookies, say by ticking a box or clicking an accept button.
- That being said, the Information Commissioner has made it very clear, that implied consent does not mean a privacy policy, with terms and conditions being tucked away at the back of the website. A user must be directed, probably by the form of a banner notice on the first page, to information as to the websites use of Cookies. Only then would the Information Commissioner consider that valid consent had been given.
- So what do we need to do? Much will depend on the type of Cookies that your website users. It is unlikely that any site will be prosecuted for basic use of Google Analytics. However, more intrusive Cookies may well require a higher level of consent.
- The information Commissioner wants to see that you have completed a Cookie audit. It wants to see that you have looked at your site and seen that all Cookies are necessary. It wants to see that you have them reviewed and exclude those that are not necessary. It wants to ensure that visitors to your website are in no doubt as to what Cookies are used, where they are placed, and how long they were last on a user’s computer.
- It is likely that you are going to have to adapt your terms and conditions and privacy policy, to ensure that any user is directed to the Cookies which are being placed on their machines. It would also be a good idea to have details on how to change a user’s browser settings.
- The Information Commissioner has indicated now that the period of grace is over and on the information Commissioner’s website, they are encouraging members of the public to report sites which they do not consider to have complied with the rules.
- It is therefore vital that all website owners make great efforts to ensure that, even if they are obtaining implied consent, that sufficient information is provided to a user and a real effort is made to comply.