Cookies and cookie requirements have been about for some time now, but there is still some confusion over exactly what website operators need to do to comply with them.
The starting position is that you must:
• tell people if you set cookies
• clearly explain what the cookies do and why
• obtain their consent.
As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website.
However, the issue occurs when more than one person uses the same device to access your website – do you need separate consent from each of them?
In practice, unless there is a specific members area that users log into, you have no way of distinguishing between users. ICO guidance states that provided you get consent from the person in the household paying the bill then this is adequate to show that you have complied with the law. Again, this causes the issue of how you prove this.
However provided the information about cookies and the mechanism for giving consent is easily accessible, this should be ok.
So what does this mean?
There is no exact guidance on what you need to do to spell it out – only that it needs to be clear, comprehensive and readily available. And the explanation must be clear and easily available – so this means it is probably not okay to just have this hidden in your privacy policy, although you can point individuals to privacy policy for more information.
The language and level of detail must be appropriate for your intended audience.
What is meant by consent?
Unfortunately, there is no specific answer on what exactly constitutes consent. The law says that consent must be:
• freely given
• specific
• informed.
The ideal position is to obtain explicit consent from an individual, i.e. a positive action such as ticking a box, or using a pop up (which has been the common approach taken).
While this gives regulatory certainty, implied consent might also be suitable. But this should not be taken as meaning that doing nothing is appropriate.
Implied consent would be relying on the individual’s actions – for example moving from one web page to another or clicking on a particular button. However this would only be appropriate if the individual has been provided with the information they need to make an informed decision, i.e. that continuing to use the website signifies their consent to your use of cookies.
Where the setting of a cookie involves the processing of personal data, you will need to comply with additional requirements under the Data Protection Act. So the requirements may change when the new General Data Protection Regulations (“GDPRs”) become law in May 2018 – as greater emphasis is placed on privacy by design and by default, and also the requirements for obtaining consent will become stricter.
See previous GDPR blogs here: GDPR – it still matters and The countdown to the General Data Protection Regulations is (nearly) on
New cookie law is coming
There is a new cookie law expected to come into force around the same time as the GDPRs.
This will hopefully clarify the position and aims to catch up with the range of technologies available. From the guidance currently available, the focus appears to link to the principle under the GDPRs of privacy by default and by design – so shifting some of the responsibility on to web-browsers and software developers to allow users to easily manage their cookie settings, particularly third party cookies.
We will keep an eye out for developments in this new law.