13 May 2011

EU law change regarding use of cookies

Changes to EU/UK law coming into force on 26 May 2011 alter how all websites and organisations in the EU use cookies in future. We've investigated the changes and broken them down into plain English so you know where you stand.

(Addendum on the ICO's changes to its own website)

What’s happening?

A European directive regarding privacy has been revised leading to a change in UK law on 26 May 2011.

The change in the regulation upon which the law is based essentially says that the storage of cookies must now be done with the prior consent of the user, rather than offering a means to opt-out of cookies after the fact. [1]

Excluded from this rule are uses of cookies that are ‘strictly necessary’ for a service requested by a user (e.g. session tracking cookies for logged in users).

What are the issues?

Prior consent is ill-defined.

The regulations state it is sufficient for consent to be signified by a user who “amends or sets controls on [their] browser”. [2]

However, current browser settings generally default to allowing all cookies and only a very small percentage of users ever “amend or set” their settings. The regulations therefore don’t appear to relate to current browser behaviour but rather a future where browsers may handle privacy settings differently - perhaps by asking with a bar at the top of the page like the “remember this password?” prompt.

Muddying the waters further, the ICO (Information Commissioner’s Office, the body responsible for enforcing the law) is advising that current browser privacy settings are “not sophisticated enough to allow you to assume that the user has given their consent”. This is true given that most browsers allow cookies by default, but it makes it unclear what the ICO’s stance would be in practice towards websites that relied, or rather continued to rely, on that behaviour.

A second issue is the potentially ambiguous definition of ‘strictly necessary’. Many cookies are not necessary for the user, but are mission-critical to the website’s operator. More still are necessary to neither operator nor user, but are harmless either way.

The new ruling is intended to target the tiny minority of badly behaved marketing agencies that use cookies intrusively; however, ‘[not] strictly necessary’ appears to cover the majority of perfectly benign uses of cookies, not just the intrusive ones.

Therefore, this new law opens up the possibility that the use of cookies on websites may require the website to ask for explicit consent in the first instance of setting each one, and retrospectively for cookies already set if explicit consent hadn’t previously been given.

This will have some impact both in terms of cost and user experience.

What can the ICO do to you?

The ICO does not have the resources to audit every UK website checking for compliance. A complaint about an organisation’s website would have to be submitted to the ICO and they would then seek a response from the organisation as to a ‘realistic plan’ to achieve compliance.

The ICO warns it would handle such a complaint ‘very differently’ if the organisation's response (or lack of response) was to decide not to change its current practice (presupposing the complaint was valid in the first place).

There's no current guidance on how the ICO intends to enforce the changes, to a large degree because it’s evident that implementing the changes can be problematic both technically and in terms of user experience (it’s to be noted that the ICO’s own website currently sets two different types of cookie, for neither of which consent is sought).

Nor is there any indication of what the scale of penalties for non-compliance may be.

What should you do now?

There's no need to panic about achieving compliance before 26 May 2011. The government’s own view is that there should be a phased approach to the changes (not altogether surprising given how long it’s likely to take for its own gov.uk websites).

A good place to start would be to review (or create) your Privacy Policy regarding cookie use, to verify it stands up to the current opt-out regulation (e.g. take a line similar to the ICO’s own Privacy Policy [3]).

Then, consider a review of any use of cookies for non-logged in (‘unauthenticated’) users that might store anything that could be described as personally identifiable information and which isn’t ‘strictly necessary’. We suggest focusing on non-logged in users first because, typically, users with accounts have already given consent to the use of cookies when they signed up (note though that if there was no explicit reference to accepting cookies at the time they signed up it may be necessary to get consent retrospectively - however most uses of cookies whilst logged in are likely to be ‘strictly necessary’).

In the immediate term we don’t think there needs to be a great concern about obtaining consent for cookies that store preference information (e.g. default language, size of text, colour scheme, etc) because these do not significantly impact privacy even though they are not ‘strictly necessary’ (privacy being the central aim of the regulations). The ICO seems to recognise this pragmatism as their advice is to prioritise compliance on a scale with ‘privacy neutral’ at one end and ‘intrusive’ at the other.

Nor do we think there’s immediate concern for requesting consent for Google Analytics or similar semi-anonymised cookies. Given the uncertainty in the definition of prior consent and the extensive use of such cookies on websites we feel that the ICO can only realistically make an unambiguous announcement as to how they should be dealt with, rather than pursuing complaints about individual websites.

If it was decided consent was needed what would this imply?

If a website had to explicitly ask for consent to store cookies (of a specific type or of all types, and from new users or in retrospect from existing ones), then this could be done either by some form of pop-up window or by a message within a page. For retrospective consent this would require the consent to be sought before any existing cookie was read, typically as soon as the user visits the website.

If the user gives consent then the cookies can be used as they are now without any further consent. With blanket consent the regulations don’t appear to prevent the website assuming consent to store any new type of cookie in the future (although it may be prudent to do so anyway if a new type of cookie were storing personally identifiable information).

There is a significant issue if the user refuses consent for cookie storage and it is one that causes disquiet in the practical implementation of the law. If the user refuses cookies then in most cases the only way of storing a record of their refusal is, ironically, in a cookie. Without being able to store their choice you have no way of knowing, when they revisit the site (or even within the same visit), that you’ve previously sought consent. In other words the user would continue to be asked for consent unless they agreed to the storage of a cookie indicating that they don’t want any other cookies stored!

Whether consent is given or refused, the need to request explicit consent will have an effect on the user experience of almost every UK site using cookies. This is not only in terms of breaks in workflow to ask for consent, but also in terms of the loss of functionality that may result from a cookie that can’t be used.

The site functionality may have to be amended to provide alternative behaviour when a cookie cannot be used (this is technically true now, as users can block cookies, but it becomes more prominent for a website’s accessibility once consent is actively sought).

Summary

Keep Calm and Carry On.

Follow our suggestions and review the ICO’s advice for yourself [4]. This change may take many years to settle down to well-defined website practice.

Clients of Torchbox are welcome to discuss their sites’ use of cookies further with their Project Managers.

Addendum 25 May 2011

On 25 May 2011 the ICO published their plans for, and implementation of, the changes to cookie rules on their own website.

What have the ICO done on their own website?

The ICO's plans [5] for the changes on their website and the current implementation are pragmatic and largely sensible. They're complying with the spirit of the law if not, it can be argued, the strict letter of the law.

Upon visiting the ICO website a user now sees a banner at the top of every page stating:

On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.

Accompanying this is a tickbox form allowing the user to state "I accept cookies from this site".

Additionally their privacy page [3] has now been updated to describe the cookies they use. There are three types: 

1. A cookie is used by the framework of their website (ASP.NET). This is the one they describe as essential and is set automatically without consent.

The ICO are being pragmatic here. In their plans they state:

Currently our website contains one cookie that we do not use, but is essential for part of the site to operate. At present we have left this in place across the site, as we’re unable to remove it from one part of the site without affecting another.

So, they don't use the cookie, therefore it is not 'strictly necessary' and certainly not for a 'service requested by the user' (unless they are accepting that the act of visiting a site is a good enough definition of 'service requested by the user', which I doubt). What they're saying in essence therefore is that it is too hard not to set the cookie and they're going to have to work on a solution whilst they are non-compliant (to their credit they do only set the cookie for the duration of the visit).

This highlights an important point for website operators - the use of some cookies may be out of the direct control of the operator, and a solution may be hard to achieve on a short timescale, e.g. requiring work with a third party (Microsoft in this case) or, if that is practicably impossible, a major change of framework for the website.

2. A set of cookies are used for Google Analytics. These are the only ones for which they are currently asking consent to set.

The ICO are setting a precedent here for website operators' use of Google Analytics and similar user tracking. They are actively asking for consent to track a user's website visit, albeit indirectly, as they're asking for consent to store any cookie rather than specifically these ones.

If this is a precedent other websites are to follow, it has an important impact on the amount of data a website operator will be able to collect about their users' behaviour on their website. Until now, they only missed out on the small fraction of users who actively blocked such cookies. Now, this fraction is likely to become much higher. How high is going to depend on how well a website operator can convince their users that accepting the website's cookies is beneficial to them, and whether a blanket consent for any sort of cookie is more appropriate than requesting consent for specific cookies.

There is one aspect of the use of this cookie as regards compliance that I think the ICO have missed or chosen to ignore. Any users that visited the ICO's website before they introduced their changes already have the Google Analytics cookies set, i.e. before they had a chance to explicitly give their consent. The ICO website does not automatically delete these cookies on a subsequent visit when it detects that consent has not yet been given (via the third cookie described below). It should do this if, in effect, it is to retrospectively ask for consent.

This may just be an oversight, or maybe they don't want to lose a potentially large fraction of their tracking data for pre-existing users by implementing the automatic deletion of the cookies. This will be an interesting one to watch as it sets a precedent on whether retrospective consent should be sought for cookies that websites have already set.

3. A cookie to record if a user has accepted the use of cookies on the ICO website.

This is the obvious technical solution to not hassling users for consent on every page if they tick the "I accept cookies from this site" box (conversely users will be hassled by the banner on every page if they don't tick the box).

However, it does mean the ICO have sidestepped the thorny problem that the changes are not just about gaining consent for writing cookies, but also for reading: How can you read the presence of a cookie to see if consent has been given if, by the strict letter of the law, you have to get consent to read that cookie in the first place?!

Clearly there's no practical way around that logical inconsistency, so the ICO have taken the pragmatic approach that they cannot comply with the strict letter of the law with the current generation of browsers and have to follow its spirit instead.
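The consent-cookie mechanics above (and the refusal paradox noted earlier) as an added example, not the ICO's or Torchbox's code: a decision function modelling the ICO's three cookie types, which also expires pre-existing analytics cookies when no consent is recorded, the step the ICO site omits. The cookie names, the consent cookie name and the sample Cookie headers are assumptions constructed for this example.

```javascript
// Added example, not the ICO's or Torchbox's code. Cookie names are assumptions
// standing in for the three types the ICO's privacy notice describes.
const ESSENTIAL = ["ASP.NET_SessionId"];     // set without consent (framework session)
const CONSENT_COOKIE = "cookies_accepted";   // records that the "I accept" box was ticked
const ANALYTICS_PREFIXES = ["__utm", "_ga"]; // Google Analytics cookies

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of header.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) jar[name] = rest.join("=");
  }
  return jar;
}

function isAnalytics(name) {
  return ANALYTICS_PREFIXES.some((prefix) => name.startsWith(prefix));
}

// For one request decide which cookies may be read, whether analytics may run,
// which cookies must be expired and whether the banner is still shown. The
// consent cookie is read before anything else: the "spirit not letter" compromise.
function applyConsentPolicy(cookieHeader) {
  const jar = parseCookies(cookieHeader);
  const consented = jar[CONSENT_COOKIE] === "1";
  const decision = { consented, read: [], remove: [], loadAnalytics: consented, showBanner: !consented };
  for (const name of Object.keys(jar)) {
    if (name === CONSENT_COOKIE || ESSENTIAL.includes(name)) {
      decision.read.push(name);
    } else if (isAnalytics(name) && consented) {
      decision.read.push(name);
    } else {
      // Pre-existing analytics (or unknown non-essential) cookie without consent:
      // expire it rather than read it, so consent is genuinely sought retrospectively.
      decision.remove.push(name);
    }
  }
  return decision;
}

// Set-Cookie headers that expire the cookies the policy says to remove.
function expireHeaders(names) {
  return names.map((name) => `${name}=; Max-Age=0; Path=/`);
}

// Constructed sample: a visitor from before the change, GA cookies already set.
const returning = applyConsentPolicy("ASP.NET_SessionId=abc123; __utma=1.2.3; __utmz=4.5.6");
console.log(returning, expireHeaders(returning.remove));
```

A refusal is deliberately not recorded, so, exactly as on the ICO site, the banner reappears on every page until the box is ticked.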

What enforcement have the ICO announced?

The ICO have published information [6] on how they will 'broadly' enforce the new regulations. In brief, salient points are:

  1. Civil monetary penalties are limited to serious, deliberate contraventions likely to cause substantial damage or distress.
  2. Guidance on how the powers to impose civil monetary penalties will be exercised is unlikely to be issued before October 2011.
  3. There will be a 'lead in' period of 12 months for website operators to develop ways of meeting the cookie related requirements of the regulations before enforcement powers would be considered to compel compliance. This period will end in May 2012.

The most significant point for most website operators is the lead in period. It is recognised that technical solutions will take time to develop, evaluate and roll out.

Chris Graham, Information Commissioner, on the Today programme 26 May 2011

[On the ICO's website changes] "That's the best we can do, day one."
"The regulations were only published three weeks ago so we've got to give people some time to work out solutions."
"I don't make the law but I've got to enforce it and that's a bit of a challenge. The directive was passed two years ago, the regulations came out exactly three weeks ago."
"In respect of one aspect of the regulations, relating to cookies, where people are going to be relying on a technical fix, browser settings … we've got to give people up to a year to put that into place, because frankly the technology isn't there, and since that fix is mentioned in the regulations it would be bizarre if I was enforcing that bit of it before the technology is there."

Footnotes

[1] In regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) one of the requirements (2b) for storing/accessing information on a user’s terminal equipment (in this context: a cookie in the user’s browser) changes from the user being “given the opportunity to refuse the storage of or access to that information” to the user having “given his or her consent”.

[2] Paragraph 3A of PECR.

[3] See “Visitors to our website” on http://www.ico.gov.uk/Global/privacy_statement.aspx

[4] http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/P...

[5] http://www.ico.gov.uk/news/current_topics/website_changes_pecr.aspx

[6] http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/enforcing_the_revised_privacy_and_electronic_communication_regulations_v1.pdf
