UK websites are being given one year to comply with EU cookie laws, the Information Commissioner’s Office has said. This was referred to in a recent article on the BBC’s website.
The regulations regarding cookies changed with effect from the 26th May 2011.
Until recently the regulations simply imposed an obligation on websites to:
• Advise users how they could “opt-out” if they objected.
The main change relating to cookies is that websites may not place cookies on a visitor’s machine without first having received express consent. This is a move from an “opt out” culture to an “opt-in” one.
Websites are still required to provide clear and comprehensive information about the purposes, storage and access to that information.
There are some very limited exceptions to the express consent rule where, for example, a cookie is used to verify the purchase of goods e.g. when a user clicks “add to basket” or “proceed to checkout”.
Given that these regulations are very “fresh”, and given the government’s views on implementation, there is no definitive answer as to how “consent” should be obtained. There is one argument that says a website can rely on the user’s browser settings. At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow a website to set a cookie. Also, not everyone who visits a site will do so using a browser. They may, for example, have used an application on their mobile device.
One solution proposed is to use a “pop-up”. This might initially seem an easy option to achieve compliance – you are asking someone directly if they agree to you putting something on their computer and if they click yes, you have their consent – but it’s also one which might well spoil the experience of using a website if you use several cookies.
The relatively good news is the government’s view that there should be a phased approach to the implementation of these changes. In light of this, the Information Commissioner’s Office have stated that were they to receive a complaint about a website, they would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. They have also stated that they would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice.
The key point is that you cannot ignore these rules.
Please remember that the above comprises only a brief précis of the nature and impact of the latest regulations and is by no means a full and comprehensive summary.
Source: Brian Scott at Max Montague Limited