Would You Like A Cookie?

The law that applies to ‘cookies’ is changing with effect from 26 May 2011. Within a year from that date, not only must the user be given clear and comprehensive information about the purposes of cookies and use of the data they collect; but cookies can also only be placed on the user’s device after the user has given his or her consent. There is an exception where such storage or access is strictly necessary for the provision of a service that has been requested by the user (as well as where the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network). The UK Information Commissioner has issued guidance on how to comply.

How best to obtain consent?

This is likely to vary according to the type of cookie being set and the use to which the information is put. Cookies may be either "Session” cookies, which are temporary and deleted as soon as the user closes his or her browser; or "Persistent” cookies, which are stored on the user’s device hard drive until they expire or are removed. Where a persistent cookie is set, the consent only needs to be obtained prior to it being set the first time.

Of course, users can configure their browser to warn them whenever a new cookie is about to be stored; clear the cookies that have previously been set; and/or block specific cookies in advance. Or they can choose not to visit a website or use a service whose cookies they don’t want to receive. However, the Information Commissioner has found that most browser settings are not sophisticated enough to allow the service provider to assume the user has given his or her consent to allow your website to set a cookie. So, the Commissioner has advised that consent must be obtained in some other way.

If you are changing your terms for the use of your web site or web-based service, you have to make users aware of the changes and specifically that the changes refer to your use of cookies. You then need to gain a positive indication that users understand and agree to the changes. This is most commonly obtained by asking the user to tick a box to indicate that they consent to the new terms. Where a third party sets its own cookies or similar technologies onto “your” users’ devices, you will need to ensure your users’ consent is obtained either by you or the third party.

For sites with subscribers who must log-in to gain access, you could prompt the user to agree amendments to your privacy policy to cover the use of cookies at time of next log-in. More challenging is how to obtain consent to cookies from users who don't log-in or necessarily interact with your site in a way that would enable you to display terms of consent that could be agreed. The Information Commissioner has suggested that web site owners “place some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user’s device. This could prompt the user to read further information (perhaps served via the privacy pages of the site) and make any appropriate choices that are available to them.”

Whichever way you decide to meet the challenge, you'll need a psychiatrist on standby for your digital design team ;-)

Image from Jefferson Park.