Last year, the EU introduced a piece of legislation that limited how websites could collect data about their visitors. Primarily aimed at improving privacy, it requires website owners to gain consent before they can store or retrieve information from their visitors’ devices. The practical implications of this have focussed on cookies: small files used by websites to gather data on visitors.
Cookies can be used for anything from remembering a customer is signed in to helping track movements across a range of websites in order to deliver “targeted” advertising. In the UK, these changes are reflected within the Privacy and Electronic Communications Regulations and will be policed by the Information Commissioner’s Office (ICO).
Without clear lines on what is (and isn’t) required of website owners, the ICO deferred enforcing the regulations by a year; enforcement now starts on 26th May 2012.
Unfortunately, confusion has arisen because the law can be interpreted in a large number of ways, with variations and possible exemptions for cookies that are essential for a site to function and those that are a possible privacy concern.
In order to comply, a website owner must obtain explicit clarification that they can store information about visitors on their devices. In December, the ICO gave additional background on its interpretations of consent. Key points set out include:
- More detail on what is meant by consent. The advice says ‘consent must involve some form of communication where an individual knowingly indicates their acceptance.’
- The guidance explains that cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules.
- However, cookies used for most other purposes, including analytical, first- and third-party advertising, and ones that recognise when a user has returned to a website, will need to comply with the new rules.
- Achieving compliance in relation to third-party cookies is one of the most challenging areas. The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers.
- The ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.
For our view and in-depth analysis, read our EU Cookie Law information PDF.