Last May (2011) the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations (PECR) 2011 came into force under the remit of the Information Commissioner's Office (ICO). It was announced at that time that the regulations would not be enforced for 12 months, to allow organisations time to plan and implement strategies for compliance. The regulations' main impact for owners of websites relates to the use of long-lived cookies to track visitors across multiple websites and to target advertising at users based on their online activities. The use of this technology has grown steadily more sophisticated, mostly without the consent of individual web users.
The regulations seek to control this behaviour by imposing a blanket restriction on the use of any cookie unless the user has specifically agreed to it being used. There is a general view that this is a very blunt way to solve the problem; however, the law is enacted and must be taken into account. The ICO guidelines also make clear that there is a requirement to inform users about the cookies used on a site, and this would normally be done within the site's privacy policy.
Cookies are not in themselves dangerous or malicious; they are simply a way to retain information for the user while new web pages are loaded. When a user puts something into a shopping basket it is actually a cookie that keeps track of this while the user visits other pages or simply moves from the shop to the checkout. Web pages have no built-in way to remember anything that a user has done, so it has to be stored locally while the browser drops one page and loads another.
Cookies like this, and those used for other 'management' tasks such as remembering that you are logged into a site so that you do not need to log in again each time you move to another page, are obviously of benefit and not detrimental to the user. Cookies of this type are generally referred to as 'session' cookies and are deleted very quickly once the user leaves the site.
Luckily the regulations recognise this and specifically allow an exemption so that these do not require user consent: the user, by visiting the site and anticipating a specific level of functionality, is deemed to have given implicit consent to these cookies being used. The next type of cookie in common use is the kind that keeps track of user visits to the site, specifically to facilitate capturing site statistics via services such as Google Analytics. Almost all sites that collect Google Analytics data will use longer-lived cookies to do this. These cookies contain no personal data and the collected statistics are entirely anonymous.
The ICO has indicated, however, that this type of cookie does not enjoy the exemption granted to session cookies, and thus a strict interpretation of the regulations would imply that all site visitors must be asked whether they consent to the recording of statistics about their visit to the site. This would have serious implications for the usability of sites and would make site visit statistics very problematic to analyse in any meaningful way.
However, there are two factors which mitigate this. Firstly, the ICO has stated publicly in its own guidance that:
'Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action.'
In addition, the Government Digital Service (GDS) has recently issued guidelines to Government departments specifically insisting that analytics cookies should be considered a special case and treated as having implicit consent.
In almost all cases websites built by 101Smart use only session cookies and Google Analytics cookies, and on our own site we will follow the lead set by the GDS in treating analytics cookies as having implicit consent. We have also amended our own privacy policy to explain better which cookies are used and what they are for. We will also be auditing 101Smart sites on behalf of clients, and in the rare cases where other cookies exist we will contact the site owners specifically to discuss the options available to them.
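The audit described above comes down to sorting each cookie a site sets into the classes the post discusses: session cookies (exempt), analytics cookies (treated as implicitly consented to) and anything else persistent (needs a conversation with the site owner). The following is an added illustration of such a check, not 101Smart's own tooling; it assumes the Google Analytics cookie name prefixes listed and uses constructed sample headers.

```python
"""Cookie audit helper: classify Set-Cookie headers by lifetime.
Session cookies (no Expires/Max-Age) are the exempt class; anything else is
persistent, with Google Analytics names (assumed prefixes) labelled so the
privacy policy can list them. Added illustration, not 101Smart's tooling.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed: classic (__utm*) and Universal (_ga, _gid) Google Analytics names.
ANALYTICS_PREFIXES = ("__utm", "_ga", "_gid")

def parse_set_cookie(header):
    """Split one raw Set-Cookie value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def classify_cookie(header, now=None):
    """Return 'session', 'analytics' or 'persistent' for one header.

    Max-Age wins over Expires (RFC 6265); a zero or past expiry is a
    deletion, so it is grouped with session cookies here.
    """
    now = now or datetime.now(timezone.utc)
    name, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        persistent = int(attrs["max-age"]) > 0
    elif "expires" in attrs:
        persistent = parsedate_to_datetime(attrs["expires"]) > now
    else:
        persistent = False
    if not persistent:
        return "session"
    return "analytics" if name.startswith(ANALYTICS_PREFIXES) else "persistent"

def audit(headers, now=None):
    """Map cookie name to class for every Set-Cookie header captured."""
    return {parse_set_cookie(h)[0]: classify_cookie(h, now) for h in headers}

# Constructed sample headers, as a site audit might capture them.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "__utma=1.2.3.4; Expires=Fri, 31 Dec 2049 23:59:59 GMT; Path=/",
    "_ga=GA1.2.5; Max-Age=63072000; Path=/",
    "ad_id=xyz; Expires=Fri, 31 Dec 2049 23:59:59 GMT; Domain=.example.net",
]
```

Anything reported as `persistent` is the case the post says needs a specific discussion with the site owner; `session` entries need only be described in the privacy policy.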
All site owners should of course rely upon their own counsel in deciding what to do, and we will be happy to help any users who wish to implement specific actions in relation to the regulations. 101Smart cannot offer legal advice; however, we are of the opinion that the regulations are concerned with privacy rather than technology, and that the ICO will not be interested in targeting site owners who are not compromising visitor privacy and who have taken steps to comply with the regulations to the same extent as the GDS.
All site owners should review their privacy policies and ensure they are up to date. If you are not able to update your privacy policy directly, please contact us for assistance.
By Roger Sutton
Tags: Website Design
