iCrossing POV | New Cookie Regulations

26/05/11

May 26th 2011: New Cookie Regulations

The EU have recently ruled on the use of cookies and new regulations which will come into force on 26th May 2011 meaning that companies will need a user's permission to store a cookie on their devices. The Information Commissioner's Office (ICO) will be responsible for monitoring and enforcement of this directive in the UK. As a first step we recommend reading and digesting the ICO's position on this change. Much of the following advice is an abridged version of the ICO's guidelines.

iCrossing's recommendation in the first instance is that you take the time to understand the ruling, the implications for your business and begin the process of planning for this change. While this is potentially a significant change for everyone who runs an online business, the ICO's statement seems to present a reasonable acknowledgement of the challenges for effective implementation of this directive and therefore while it seems they expect detailed planning to commence in the short-term, it's almost certainly not the case that a full solution is expected to be in place by 26th May. This is of course not legal advice and we would advise seeking your own counsel on this matter and how it might impact your business.

Does this change include all cookies?

There is exemption for cookies which are "strictly necessary" in order to perform a key function on the website (e.g. Add to basket, proceed to checkout type activities). To qualify for an exemption, the use of a cookie must relate to the service "explicitly requested" by the user. An exception would not apply if a cookie is used to collect statistical information about the use of the website and this would therefore include pixels dropped by iCrossing's Merchantize platform and, for example, Google Analytics for the purposes of search marketing.

Ostensibly this change is being instituted in order to protect the privacy of individuals. The ICO's directive makes it clear that they view the use of cookies on a sliding scale – from those "necessary" cookies, to those which track the activity and behaviour of individuals across multiple websites and online environments. The latter of these uses is the type of which the new legislation is primarily concerned with addressing and curtailing the use of.

In short, when considering the extent to which this ruling will affect your business, the more intrusive the activity the cookie facilitates (from the point of view of user privacy) then the higher the probability that the ICO will investigate it's use and the more important it will be to explicitly gain user consent in order to comply with the ruling.

Implications of non-compliance

While the ICO have acknowledged the potential challenges in implementing suitable solutions and have stated that a "phased approach" to implementation is acceptable, should the ICO receive a complaint, their evaluation of the seriousness of the situation will depend on the ability of a company to demonstrate their planning to accommodate the new regulations. If it's clear plans are underway and have been considered, they're likely to be relatively lenient, even if a full solution is not in place.

In addition, many in the industry are calling for a self-regulation model. The IAB has launched a pan-European framework for online behavioural advertising that would address many of the EU's concerns. More information can be found here.

Suggested next steps

The ICO have produced clear and sensible recommendations which we would suggest are followed as a first step in deciding how best to interpret and deal with this change for your business:

1. Audit the use of all cookies on your website (identify what cookies are dropped, by whom and when) 2. Assess and rank the privacy implications of these (clarify the use and purpose of each cookie, and assess what the implications for user privacy are)
3. Decide on an appropriate solution with which to gain user consent

When steps 1 and 2 have been completed it will provide a suitable framework to address the third point. There are many suggested approaches to dealing with this change contained within the ICO's guidelines, however you should not consider this an exhaustive list. Deciding on and implementing the most appropriate solution for your business will be entirely dependent on your specific use of cookies, and your website's technical constraints.

iCrossing recommend beginning the audit and assessment of your site cookie usage early, however we would not advise rushing through the implementation of any technical solutions until the ICO have made their position clearer.

We will be monitoring this situation closely and will be on hand for further discussion and consultation about how best to approach compliance with these changes.

Yours sincerely,

TOM JONES

HEAD OF MEDIA
iCrossing UK

\ DOWNLOAD PDF

Categories: Press Release

request a call