‘Good compliance’ the priority on cookies law, says regulator

Businesses and other organisations operating websites have been told that regulators want “good compliance, not rushed compliance” with a law requiring them to gain visitors’ consent before logging information about them.

Last year, the government revised the Privacy and Electronic Communications Regulations to address new EU requirements, and these came into force on 26 May 2011. The UK’s Information Commissioner’s Office (ICO) allowed businesses and other organisations a year-long period to work towards compliance with changes, which ended on 26 May.

The regulations require UK businesses and organisations running websites in the UK to gain consent from visitors to their websites in order to store cookies on users’ computers.

Cookies are small files that a website places on a user’s computer so that it can remember something, for example the user’s preferences, at a later time. The majority of businesses and organisations in the UK currently use cookies for a wide variety of reasons – from analysing consumer browsing habits to remembering their payment details when they buy products online.

A common technique with websites that have complied with the law involves a pop-up box explaining the changes. Users are then asked to click to consent to having information recorded and told what will happen if they refuse.

The ICO’s latest guidance on the issue makes it clear that “implied consent” is a valid form of consent but that this should not be seen “as an easy way out or use the term as a euphemism for ‘doing nothing’”.

It says: “For implied consent to work, there has to be some action taken by the consenting individual from which their consent can be inferred. This might, for example, be visiting a website, moving from one page to another or clicking on a particular button.

The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”

Dave Evans, group manager for the ICO, said that given that websites had had a year to comply, the ICO’s new approach would be “very much more focused on those people who don’t appear to have done anything and asking them ‘Why not?’”

He told the BBC: “We never said that if you’re not compliant by 27 May we will come and get you. What we want is good compliance, not rushed compliance. If it’s focused people’s minds, that’s a good thing.”

Link: ICO information and guidance