Cookie Compliance update
- Are they made obviously aware when cookies are being used and what they are used for?
- Are they clearly consenting to their use?
- If not, you may be in breach of the act and subject to prosecution.
This is because in May 2012 the UK, through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, began to enforce the regulations which changed Article 5(3) of the E-Privacy Directive. The changes require consent for storage of, or access to, information which is stored on a subscriber's or user's terminal equipment – in layman's terms, "cookies".
‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.
Is implied consent acceptable?
Interestingly, the Information Commissioner's Office (ICO) in the UK has, through its guidance, indicated that implied consent may be acceptable in some cases. This is usually where it is clearly made known to the user that by taking a particular action data will be stored on their equipment (be that PC or mobile phone) and the user does then continue to take that action.
It is important to note that the ICO guidance does make the point that all consent has to be clearly informed. It is not good enough to assume that a user will know that, say, adding an item to a shopping basket will create a cookie.
The ICO guidance gives a good analogy:
“if a patient visits a doctor this act alone would not be taken as indication that the patient consents to examination, treatment or the recording of health information. The patient and doctor would hold a conversation during which the doctor might offer an invitation to the patient to lie down on an examination couch. In the context of this exchange the doctor might now be able to infer consent from the patient’s actions”
What constitutes implied consent?
The ICO guidelines have recently been updated to clarify the rules on implied consent.
- Implied consent can be used in the context of compliance with the revised rules on cookies.
- But if relying on implied consent, you have to be satisfied that you have informed consent. That is, that your users and visitors understand that their actions will result in cookies being placed on the PC they are using.
- Where collecting data which is more sensitive, and in particular personal data as covered by the Data Protection Act, it is likely that gaining explicit consent is more appropriate.
Is any use exempt?
In June 2012 the European data protection working party issued an opinion that some cookie uses might be exempt from needing consent. Quoting from the ICO guidance:
- Some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies used to keep track of a user's input when filling online forms or as a shopping cart, also known as session-id cookies, multimedia player session cookies and user interface customisation cookies, eg language preference cookies to remember the language selected by the user.
- Analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards, eg a user friendly mechanism to opt out from any data collection and where they ensure that identifiable information is anonymised.
Whilst it is important to comply with this regulation and gain informed consent, there has been a certain level of annoyance amongst users about being repeatedly prompted about cookie use. Perhaps, once consent has been obtained, a good use of a cookie would be to store that fact and not prompt the user again?