Cookies – it’s complicated!
So what’s all this fuss about cookies then?
Much work has been done over the past few years to improve protection for people using the internet and to give them the ability to protect their own privacy. Legislation has been put in place by the EU and UK government giving individuals many more rights to protect their personal information and these rights are upheld by the UK regulator, the Information Commissioner’s Office.
As part of this process new regulations (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) have come into force requiring consent for cookies and similar technologies. The regulations came into force on 26 May 2011 and the ICO’s grace period to enable website operators to implement changes runs out on 26 May 2012.
But what is a cookie and what does it mean for me?
A cookie is a small file, typically of letters and numbers, downloaded on to a computer, tablet, etc. when the user accesses certain websites. Cookies allow a website to recognise a user’s device. Paul Ticher, a data protection consultant who works with the voluntary and community sector, has provided a useful explanation of the types of cookies out there and what they might be used for:
- “To store information during a transaction – for example my shopping basket is typically stored in a cookie until I get through the checkout.
- To store information between visits to the site, so that when I come back to it I don’t have to re-enter a lot of the same information about myself and my preferences.
- To track my activities on a website so that it can, for example, determine which advertisements I see – and sometimes this data is shared between sites so that they get a better picture of my interests.
So, some cookies are pretty much essential: the website wouldn’t work without them. Others are for my convenience or the convenience of the site owner. Some – known as ‘sessional’ cookies – are only used during one visit (or session) and are then deleted. Others – ‘persistent’ cookies – only do their job if they are kept on my computer for much longer.
A further type of cookie is that set by a third party – for example an advertiser on a site – rather than the site owner whose name appears in the URL.”
Find out more at http://www.ictknowledgebase.org.uk/cookielaw
The new regulations say that you must get consent before any non-essential cookies are placed on your website users’ computers. The Information Commissioner’s Office has provided guidance on what to do next:
- Check what type of cookies and similar technologies you use and how you use them. You can find this information from the person who created your website.
- Where you need consent, decide which solution for obtaining it will be best in your circumstances. (There are many and various solutions, so take your time to decide which one is right for your organisation.)
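As a starting point for the first step, the sketch below is an added example (not from the ICO guidance or the original article) that sorts captured `Set-Cookie` response headers into the categories described above: session or persistent, and first or third party. The site name, hosts and header values are constructed, and the first/third-party test is a simple host-suffix comparison that assumes your site lives under a single domain.

```python
# Added example: classify captured Set-Cookie headers for a cookie audit.
SITE = "charity.example"  # constructed first-party site name (assumption)

# Constructed sample data: (host that sent the response, Set-Cookie value)
CAPTURED = [
    ("www.charity.example", "basket=3f9a; Path=/; HttpOnly"),
    ("www.charity.example", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("ads.tracker.example", "uid=77c1; Expires=Wed, 26 May 2032 00:00:00 GMT; Path=/"),
    ("www.charity.example", "old=; Max-Age=0; Path=/"),
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into its name and a dict of attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def lifetime(attrs):
    """'session' without an expiry, 'persistent' with one, 'deleted' if Max-Age <= 0."""
    if "max-age" in attrs:
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass  # malformed Max-Age: fall back to checking Expires
    return "persistent" if "expires" in attrs else "session"


def party(host, site=SITE):
    """First party if the sending host is the site or one of its subdomains."""
    host = host.lower().rstrip(".")
    return "first" if host == site or host.endswith("." + site) else "third"


def audit(captured, site=SITE):
    """Return one row per cookie, ready to copy into a cookie inventory."""
    rows = []
    for host, header in captured:
        name, attrs = parse_set_cookie(header)
        rows.append({"name": name, "set_by": host,
                     "party": party(host, site), "lifetime": lifetime(attrs)})
    return rows


if __name__ == "__main__":
    for row in audit(CAPTURED):
        print(row)
```

The rows it produces give the name, origin and lifetime of each cookie, which is the information a privacy notice needs to list; deciding which cookies are essential still has to be done by a person who knows what each one is for.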
That sounds serious! What do I do next?
The main thing is not to panic! The Information Commissioner’s Office has taken a pragmatic approach to the implementation of these regulations from the beginning and there is no reason to believe that will change. This is certainly the impression given at a press briefing held in London on Friday 18 May. The best thing to do if you aren’t sure where to go from here is to read some of the resources below. These resources have been designed to give guidance clearly and in plain English.
You may receive unsolicited offers from web development companies offering to help your organisation comply with the regulations. As with all unsolicited mail, do be cautious before taking action or buying services. The person or company that developed your website will be able to help you with the cookies your website uses, and there are solutions available that do not cost a lot of money or are completely free. Some of these solutions are mentioned in the resources.
One very easy and immediate thing you can do is to update your website’s privacy notice with details of the cookies your website uses, why you use them and how they can be disabled. Have a look at NICVA and CommunityNI's privacy notices but make sure that yours reflects your organisation, its work and the cookies specific to your website. You can also make your privacy notice more prominent on your website. This will help demonstrate that you are moving towards compliance while you search for a solution to gain consent from users. Look around and see what other similar organisations are doing. You might find some good examples out there to follow.
General cookies information www.allaboutcookies.org/
Paul Ticher briefing www.paulticher.com/sites/default/files/files/DP%20column%202012-04.pdf
Paul Ticher column for LASA www.ictknowledgebase.org.uk/cookielaw
Paul Ticher/LASA webinar (includes useful Q&A’s) www.ictknowledgebase.org.uk/cookieevent
ICO approach to enforcement 18 May (article by Outlaw, website of Pinsent Masons law firm)
ICO approach to analytics (article by Outlaw, website of Pinsent Masons law firm)
DuaneMorris law firm update on cookies http://www.duanemorris.com/alerts/UK_cookies_update_new_laws_on_cookies_and_e-commerce_4436.html
International Chamber of Commerce guidance on cookies