cookies

Image courtesy of pjmorse via Flickr.

On the 26th May, the 12-month grace period for complying with the new EU cookie laws in the UK comes to an end. There’s a lot of uncertainty about exactly what will happen after 26th May, so here’s a brief summary:

The ICO (Information Commissioner’s Office) is realistic about the complexity of these issues and what is required for companies to comply. In fact, the critical point has been stated by the ICO itself in its half-term report:

“Come 26 May next year [2012], when our 12-month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.” [Bold and italics added]

The key part of this is “not yet compliant, but trying to get there”. In other words, while you can’t just sit back and do nothing, the ICO recognises that full compliance is complex and there are many grey areas; so the ICO is unlikely to implement aggressive enforcement procedures, as long as a plan towards compliance is in place and being progressed.

As a first step they recommend the following:

“If you have not started work on complying with these rules it is important to do so now. First steps should be to:

1.    Check what type of cookies and similar technologies you use and how you use them.

2.    Assess how intrusive your use of cookies is.

3.    Where you need consent - decide what solution to obtain consent will be best in your circumstances."

Full details are in their latest guidance – see the PDF link in the above press release from the ICO.

Note that certain cookies are exempt from the legislation:

“There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.”

So, for example, cookies used for transactional websites would for the most part be exempt.

However, even with regard to cookies that are not exempt, the ICO is likely to take a sensible and pragmatic view. For example, many people are concerned about cookies for analytics, which are widely used and are not exempt from the legislation.

However the ICO says:

“We do not consider analytical cookies to fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent. In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.” [Bold and italics added]

The ICO’s main concern is abusive or misleading use of 3rd party tracker cookies, not legitimate use of analytical cookies and other benign uses.

Simon Lande is CEO at Magus, a sponsor of the Web Managers Group.