In May 2011 the UK introduced legislation to comply with the EU Privacy and Electronic Communications Regulation of 2011, the so-called 'cookie law'. Britain's Information Commissioner 's Office (ICO) gave businesses twelve months to fall in line with the legislation, which means that the law came into effect in May 2012.
What Does the Law Require Me to Do?
As all of us who use the internet to promote our business will know, a cookie is a piece of information that is placed on the PC or mobile device of people who visit your website. The information file enables you to target the content and advertising the user sees the next time they visit your site and to gather information for the purposes of marketing. The new EU legislation is designed to protect the privacy of internet users and to curb the inappropriate use of text files.
In essence, the regulation requires you to provide visitors to your site with information about your policy on how and why you use cookies and to gain the visitor's consent to that policy. The regulations are not specific about the exact content of the information you provide, other than that it should be clear and understandable.
It is important to note that the regulations cover all internet sites based in the EU, not just new ones. Any business which has not reviewed its use of text files and has not taken appropriate action is now operating outside the scope of the new legislation and needs to take urgent action in order to comply.
How Do I Make Sure My Website Complies?
Throughout most of the twelve-month implementation period of the legislation, the ICO has been insisting that any notion of 'implied consent' by website users was not sufficient. Public awareness of all the issues involved was too low for this to be enough. However, at the last moment the ICO changed its line and an implied consent approach by businesses is now acceptable. To quote from the ICO's latest guidance:
'While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.'
This is a fundamental change that has implications for all companies who operate and conduct advertising through the internet. We need to be clear that the ICO are not saying that 'do nothing' is acceptable, but their clarification of the regulation has made its requirements less proscriptive for businesses.
Implied consent still means that sites should provide the user with information about their use of text files. Consent, however, need not be something such as an explicit 'tick here' box; the user's implied consent can be assumed by the act of them clicking on another page to continue through the site.
The ICO has the right to check what UK sites are doing to comply with the EU Regulation. Companies should, therefore, draw up an action plan, conduct audits and update their privacy policy. The 'shop window' of your compliance with the regulation, however, is the information you provide to users when they arrive at your site.
