Yucca

25/01/12 - Cookie law part 1: An introduction

How the cookie law affects you

The first in our series of three blogs about the new EU cookie legislation explores the rationale behind the law, what it means for you and your website... and chicken farming.

According to a report I saw on Countryfile last month, the UK is leading the way in the important field of chicken welfare. It was with some level of national pride that John Craven told us that British farmers have been significantly better at complying with new European legislation concerning the housing of hens than have their continental counterparts.

Indeed, it was a gentle Sunday evening reminder of what a law-abiding, animal-loving country we live in, relative to the savage and barbarous wastelands across the channel.

Now, without wanting to draw too clear an analogy between battery hens and internet users (mindless clicking/clucking, noisy squabbling, lack of daylight etc.) it seems that bods at the EU decided some time ago that both needed a greater level of protection.

For the latter group this protection comes in the form of the updated Privacy and Electronic Communications Regulations (PECR) relating to cookie usage, which will start to be enforced in the UK from May 2012.

Internet users vs Chickens
The question is: will the Brits be as proactive in looking after their internet users as they have been in looking after their chickens?

Looking at sites around the web, and with just over two months to go before the Information Commissioner’s Office (ICO) starts to enforce the amended PECR in the UK, the current answer seems to be a resounding “no”.

So, it is with patriotic fervour (or perhaps as a result of too much tea) that we will be publishing a series of blog posts about the legislation, what you can do to stay on the right side of it and how you can help show that UK internet site owners are, at the very least, more upstanding and law-abiding than French chicken farmers.

It’s the law
First up, why have the regulations been updated? The primary motivation for the update stems from the need to protect internet users from Spyware and the use of “covert surveillance mechanisms online”.

Secondary to this is a concern that internet users are fully aware of, and consent to, the storage of information on their computers that can be used to identify them. Given that cookies are a particularly common instance of such information, it is on the issue of cookie usage that most focus has been placed since PECR was amended.

What do the regulations say?
Cutting through the legalese, the regulations state that those setting cookies must:

  • tell people that the cookies are there,

  • explain what the cookies are doing, and

  • obtain their consent to store a cookie on their device.

Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.

So what?
The amended version of PECR has been law in the UK since May 2011 so, technically, sites should already be asking for consent to set cookies. In recognising the time required for sites to become compliant, the ICO made clear that discretion would be exercised until May 2012, after which point individuals and organisations in breach of the regulations may be subject to formal action.

In cases where such a breach has caused “substantial damage or substantial distress”, an organisation may be liable for a monetary fine of up to £500,000.

It’s hard to imagine what a cookie could do to somebody in order to cause this degree of harm, so a more likely course of action for the ICO to follow involves issuing one of the following notices:

  • Information notice: this requires organisations to provide the Information Commissioner with specified information within a certain time period.

  • Undertaking: this commits an organisation to a particular course of action in order to improve its compliance.

  • Enforcement notice: this compels an organisation to take the action specified in the notice to bring about compliance with the Regulations.

Not all cookies are equal
The scope of the legislation is important as it makes clear that some cookies are exempt from the consent requirement; in particular, those that are deemed strictly necessary for the provision of a service that has been requested by a user.

Examples might include cookies used to register additions to shopping baskets on an ecommerce site, or those necessary for ensuring a user’s security (e.g. for online banking transactions).

Cookies used for analytical tracking or advertising purposes aren’t exempt.
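As an added illustration (not code from the original post), here is a small consent gate that applies the distinction above: strictly necessary cookies are stored regardless, while analytics and advertising cookies wait for explicit consent, and an audit function lists any non-exempt cookies already present without consent, together with the purpose text a cookie notice should show. The cookie names, categories and purpose strings are assumed for the example.

```javascript
// Added example, not part of the original post. Cookie names, categories and
// purpose strings below are assumed for illustration only.
const COOKIE_POLICY = {
  session_id: { category: "strictly-necessary", purpose: "Keeps you logged in" },
  basket:     { category: "strictly-necessary", purpose: "Remembers your shopping basket" },
  _ga:        { category: "analytics",          purpose: "Visitor analytics tracking" },
  ad_tracker: { category: "advertising",        purpose: "Advertising profile" },
};

// Categories the amended PECR exempts from the consent requirement.
const EXEMPT = new Set(["strictly-necessary"]);

// May this cookie be stored, given the categories the visitor explicitly accepted?
// Unknown cookies are refused: if it is not documented, it cannot be explained.
function mayStore(name, consent) {
  const policy = COOKIE_POLICY[name];
  if (!policy) return false;
  return EXEMPT.has(policy.category) || consent.has(policy.category);
}

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieHeader(str) {
  const out = {};
  for (const part of str.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Audit a cookie string: report every cookie that needed consent the visitor
// has not given, with the explanation the site's cookie notice should carry.
function auditCookies(cookieStr, consent) {
  return Object.keys(parseCookieHeader(cookieStr))
    .filter((name) => !mayStore(name, consent))
    .map((name) => ({
      name,
      category: COOKIE_POLICY[name] ? COOKIE_POLICY[name].category : "unknown",
      purpose: COOKIE_POLICY[name] ? COOKIE_POLICY[name].purpose : "not documented",
    }));
}

// Constructed sample: cookies found on a page before the visitor has consented.
const sampleJar = "session_id=abc123; basket=3items; _ga=GA1.2.555; ad_tracker=x";
const noConsent = new Set();
console.log(auditCookies(sampleJar, noConsent));
```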

What to do next?
The second blog in this series will answer some of the more common questions arising from the amended legislation, while the third blog will give clear, prioritised actions that you can take now to keep the ICO happy.

UPDATE: Blogs two and three are now live.

For the time being, you need to make sure that you are fully aware of the legislation so that you can at least be working towards compliance by the 26th May.

More useful links:

The ICO’s guidelines
An article on cookie law from legal experts Burges Salmon
More on battery farms

Posted by: Ed Culliford

Tagged as: Industry, Search, Web 2.0, Web Dev
