This post was also written by Nick Tyler.
On Christmas Day, organisations operating in the UK will have just five months to get their act together and comply fully with the new EU-wide rules on cookies.
See earlier Client Alerts:
- ‘What Cookies Are In Your Jar?’ – ICO’s guidance on compliance with new EU cookie law leaves industry something to chew on (and few crumbs of comfort!)
- Prepare Now and Protect Your Cookie Jar (or those cookies may crumble)!
The 12-month lead-in period set by the UK data protection regulator, the Information Commissioner’s Office (ICO), expires on 25 May 2012. This period is a time for taking proactive steps, with the Information Commissioner himself issuing a timely warning on his blog that too many organisations are not doing enough to address compliance.
If the ICO’s message wasn’t clear seven months ago, its latest reminder should make it clear now:
“organisations will need to be able to demonstrate they have taken sensible measured action to move to compliance. If a website has not achieved full compliance at the end of the period the [ICO] will expect a specific and clear explanation of why it was not possible to comply in time, a clear timescale for when compliance will be achieved and details of specifically what work is being done to make that happen.”
The ICO has helpfully taken the opportunity to update its guidance. This now includes a number of useful examples of what some organisations are doing to meet the new requirement for positive consent to cookies and other similar technologies.
The key first steps remain the same:
1. Cookie Audit,
2. User Impact Assessment, and
3. Action Plan.
At this stage of the lead-in period, the ICO expects organisations to have decided on the solutions appropriate to them and to have ready an
4. Implementation Plan – setting out the organisation’s activities to get into compliance between now and 25 May 2012. If you haven’t yet started this process, now is the time to start and to map out your chosen solutions!
The ICO emphasises that organisations must have in place “mechanisms for exercising user choice” to better educate consumers about the different cookies they use, what they are used for, and “making the case” about the undoubted benefits of cookies. The ICO’s guidance stems from UK Government-sponsored research revealing the general public’s limited understanding of cookies and how to manage them, including among more “internet-savvy” consumers.
While many view the new EU-wide requirement for positive consent to cookies as a legislative ‘sledgehammer to crack a nut’, the ICO’s position is that the more information given to consumers, the better the choice and control they are able to exercise.
The ICO’s view is the opposite of ‘less is more’: greater information and choice will result in increased consumer confidence in cookies rather than resistance to them.
While the ICO recognises that technical solutions remain a “work in progress”, it also challenges the prevalent criticism of the new rules, highlighting some genuine ‘quick fixes’ which, while not perfect, seem to be good enough for the ICO to accept as compliant.