
Cookies and Implied Consent

This post concerns the recently much-publicised ‘watering down’ of the UK implementation of the Privacy and Electronic Communications (EC Directive) Regulations 2003, enacted on 25th May 2011 through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR 2011 for short).

Much has already been written about the lack of compliance of websites, and of those offering subscriptions to online services, ahead of the 26th May 2012 deadline for enforcement, which has just passed.

The simple explanation is that the ICO have changed their position on ‘Consent’ between their earlier statements and their most recent statements of the last few days.  The reasons for this are irrelevant if you are the one subject to the ongoing enforcement enquiries of the ICO, seeking evidence as to what action you have ‘already’ taken towards becoming compliant with PECR 2011.

So what do you need to know?

√ Audit what types of cookies you have got, why and where they are used within your website;

√ Analyse the intrusiveness of your cookies; and

√ Depending on the intrusiveness of your cookies, put in place appropriate notices and consent messages.

How does the change in the ICO’s position affect you today?

The updated guidance provides additional information around the publicised issue of ‘Implied Consent’, and the ICO says:

  • ‘Implied consent’ is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on ‘implied consent’ you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that ‘explicit’ consent is more appropriate.

The ICO themselves have a prominent text box at the top of every page which says “The ICO would like to place cookies on your computer to help us make this website better.  To find out more about the cookies, see our privacy notice” (the words ‘privacy notice’ being a hypertext link to their full policy description), with a box for the user to tick if they agree with the statement “I accept cookies from this site” and a button to ‘Continue’ either way.  The ICO don’t mind anyone copying their solution but point out that they will monitor, and possibly amend, their solution in the future.

This approach by the ICO clearly meets the two requirements of Regulation 6: that you must provide clear and comprehensive information about any cookies you are using, and that you must obtain consent to store a cookie on a user’s or subscriber’s device.

When you are doing your cookie audit you need to collect the following data:

  • Identify which cookies are operating on or through your website;
  • Confirm the purpose(s) of each of these cookies;
  • Confirm whether you link cookies to other information held about users – such as usernames;
  • Identify what data each cookie holds;
  • Confirm the type of cookie – a ‘session’ or ‘persistent’ type;
  • If it is a ‘persistent’ cookie, confirm how long its lifespan is;
  • Confirm whether it is a first-party or third-party cookie and, if it is a third-party cookie, who is setting it; and
  • Double check that your privacy policy provides accurate and clear information about each cookie.
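To make the audit above repeatable rather than a one-off spreadsheet exercise, here is an added example (not code from the original post or from Advent IM) that takes the Set-Cookie headers captured while loading a site, together with the host that sent each one, and records the audit fields the checklist asks for: session or persistent type, lifespan, first- or third-party, and who set it. It also records the Secure and HttpOnly flags, which a practitioner auditing cookies would want to note alongside the legal fields. The host names, header values and capture date are constructed sample data, and the first-party test is the RFC 6265 domain-match rule applied against the audited site’s host.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample: the site being audited and the Set-Cookie headers seen
# while loading it, as (responding host, header value) pairs. Not real data.
SITE_HOST = "www.example.co.uk"
SAMPLE_RESPONSES = [
    ("www.example.co.uk", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.co.uk", "prefs=lang%3Den; Max-Age=2592000; Path=/; Domain=.example.co.uk"),
    ("cdn.adnetwork.example", "_track=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/"),
]
# Constructed capture time, used to turn an Expires date into a lifespan.
CAPTURE_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class CookieRecord:
    name: str
    kind: str                      # "session" or "persistent"
    lifespan_seconds: Optional[int]  # None for a session cookie
    party: str                     # "first" or "third"
    set_by: str                    # effective cookie domain
    secure: bool
    http_only: bool


def is_first_party(cookie_domain: str, site_host: str) -> bool:
    """First-party if the cookie domain equals the site host or is a parent
    of it (e.g. .example.co.uk for www.example.co.uk); otherwise third-party."""
    d = cookie_domain.lower().lstrip(".")
    h = site_host.lower()
    return h == d or h.endswith("." + d)


def parse_set_cookie(response_host: str, header: str,
                     site_host: str, now: datetime) -> CookieRecord:
    """Split one Set-Cookie header into name, attributes and flags, then derive
    the audit fields. Max-Age takes precedence over Expires, as in RFC 6265."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    flags: set[str] = set()
    for p in parts[1:]:
        if "=" in p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        elif p:
            flags.add(p.lower())

    # Without a Domain attribute the cookie is host-only for the responding host.
    domain = attrs.get("domain", response_host)

    lifespan: Optional[int] = None
    if "max-age" in attrs:
        try:
            lifespan = max(int(attrs["max-age"]), 0)
        except ValueError:
            lifespan = None  # malformed Max-Age is ignored by browsers
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifespan = max(int((expires - now).total_seconds()), 0)
        except (TypeError, ValueError):
            lifespan = None

    return CookieRecord(
        name=name.strip(),
        kind="persistent" if lifespan is not None else "session",
        lifespan_seconds=lifespan,
        party="first" if is_first_party(domain, site_host) else "third",
        set_by=domain.lstrip("."),
        secure="secure" in flags,
        http_only="httponly" in flags,
    )


def audit_cookies(responses, site_host: str, now: datetime) -> list[CookieRecord]:
    """Run the parser over every captured Set-Cookie header."""
    return [parse_set_cookie(host, hdr, site_host, now) for host, hdr in responses]


def summarise(records: list[CookieRecord]) -> list[str]:
    """One human-readable audit line per cookie, ready to paste into the audit record."""
    lines = []
    for r in records:
        life = ("expires with browser" if r.lifespan_seconds is None
                else f"{r.lifespan_seconds // 86400} days")
        lines.append(f"{r.name}: {r.kind}, {r.party}-party (set by {r.set_by}), "
                     f"lifespan {life}, Secure={r.secure}, HttpOnly={r.http_only}")
    return lines


if __name__ == "__main__":
    for line in summarise(audit_cookies(SAMPLE_RESPONSES, SITE_HOST, CAPTURE_TIME)):
        print(line)
```

The purpose of each cookie and what data it holds still have to come from the people who built the site; the script only fills in the fields that can be read off the headers, which is where most audits start.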

The fuss in recent days relates to the new position of the ICO that ‘Implied Consent’ for cookies is a reasonable proposition in the context of the Data Protection Act 1998, in particular Principle 3 – ‘Personal Data must be adequate, relevant and not excessive’.  What it is not is a euphemism for ‘Doing Nothing’: in many cases you may still need to follow the ICO guidance to be able to rely upon it successfully.  Whether the consent is ‘Implied’ or ‘Specific or Prior’, it must still be given by the user ‘Freely’, so some action must be taken by the ‘consenting individual’ from which their consent can be inferred.

The consenting individual must be ‘informed’ that cookies are being set or information is being accessed on their device, and just visiting the website is insufficient, even when there is an explanation deep in the small online print of the Policy or Terms and Conditions statement.  If a user is browsing from page to page on a website by clicking a button, the individual must have a reasonable understanding that by doing so they are agreeing to cookies being set.

Many comments and commentators have said that implied consent puts the onus on the user.  The ICO does not share this view and has made it clear that the “understanding is all on the website operator’s side and the user ‘giving’ consent is unaware that their actions are being interpreted in this way”.  Where ‘implied consent’ is being relied upon, the provider must ensure that clear and relevant information, explaining to users what is likely to happen while they are accessing the site, is made readily available to them.  The ICO says that it does not feel it is its place to determine exactly how the provider does this.

So if you want to know more about how to steer a safe path through this complex issue, come and talk to us.


The new EU General Data Protection Regulation and the right to be forgotten

The new EU General Data Protection Regulation, to provide greater harmonization of data protection rules across Europe,  will be published on 26 January.  So what? 

The right to be forgotten? If Data Protection principles are being adhered to, is it really a change?

Well, rather than being something radically different or new for organisations and data controllers to get to grips with, the new Regulation trumpets compliance with two of our existing data protection principles: personal data shall not be kept for longer than is necessary, and personal data shall not be transferred to a country or territory outside the European Economic Area (EEA).

For example, the much-heralded ‘le droit à l’oubli’ clause (‘the right to be forgotten’, apparently, although my schoolboy French was limited to ordering half a kilo of sausages with predictably hilarious results), which will require persons’ internet histories to be deleted after use (e.g. cookies), has incited some rather inflammatory statements in some areas.  Data protection compliance has been likened to some onerous kill-joy like Blakey from the bawdy 1970s television programme ‘On The Buses’ (http://www.scmagazineuk.com/new-data-protection-laws-will-see-blakey-in-every-business/article/218287/?DCMP=EMC-SCUK_Newswire).  However, in the end this is just applying the well-worn requirement to retain information only for as long as you require it and then permanently delete it.

Likewise, the ‘new’ Regulation also addresses extra-territorial actions by third countries, such as the USA Patriot Act and the USA Foreign Intelligence Surveillance Act, and imposes barriers for foreign judicial authorities seeking to access European data.  This issue became international news recently when a US court requested European Twitter account details (http://www.bbc.co.uk/news/world-us-canada-12459989).  However, when all is said and done, the Regulation is only reinforcing what we should all be doing anyway, i.e. not transmitting personal data outside the EEA unless there is a good and lawful reason (for the UK these are set out in Schedule 4 of the Data Protection Act – http://www.legislation.gov.uk/ukpga/1998/29/schedule/4).

The Regulation is also published against the growing issue of Cloud-based computing platforms, where service providers host client data globally and it is not always clear that all of the information is permanently deleted when the client goes elsewhere.

So how do organisations ensure compliance with data protection against a backdrop of technological change, increased costs and a more competitive market place?

Well, I am sorry if it is a disappointment to you, but you do not all need to go out and get a ‘Blakey’ (anyway, there are not enough of us to go around!).

  • Firstly, identify accountable business ‘experts’ to be responsible for your business data, including compliance with statutory requirements like data protection (they could also be ‘on point’ for information security and business continuity in their areas, but I digress);
  • Secondly, talk to and coordinate these business representatives to find out where your organisation’s personal data is (a small governance team would be ideal).  It is amazing where it ends up (e.g. cookies) and you can’t look after it until you know where it is;
  • Next, identify the legal, regulatory, contractual, best practice and business requirements for your business information; and
  • Finally conduct regular assessments of your compliance against these requirements so you can monitor progress (or otherwise).

Advent IM Consultant – Mark Goddard