New cookies law lead-in period nearly up: What should you be doing?

14th May 2012
Kim Walker provides guidance for businesses on the minimum steps/checks to follow and implement, and what might happen if they do/do not comply.
With nearly a year having passed since the introduction of new E-Commerce Regulations governing online data capture through the use of cookies, organisations have a small window in which to get their house in order ahead of the 26 May 2012 deadline. The 12-month “lead-in” grace period was indicative of the Government's uncertainty as to whether the solution to the requirements of the Regulations might be delivered in the form of technological upgrades to deliver a ‘browser-based’ solution.
With no obvious industry lead emerging, there is clearly a wide range of opinions on what businesses should do to achieve compliance with the revised Regulations. Much of the 12-month lead-in period has been given over to talking, rather than any clear development of ways of compliance which can be universally accepted. Those hoping that browser standards will have been implemented (the technological solution) will be disappointed as these remain a default option for the majority of users, so no change there.
The industry has been less than swift to respond. A recent survey conducted by Ctrl-Shift found that none of the top 100 retailers had fully complied with the requirements just three months ahead of the deadline.
Despite this apparent laissez-faire approach, the fact remains that each business still needs to carry out its own assessment of how it uses cookies and then tailor its solution to that use and to its customers. Merely waiting until the end of the lead-in on 26 May is not going to be acceptable, and the Information Commissioner’s Office (“ICO”) has issued clear guidance during this year, in which it states that it expects website owners to have carried out that audit as a minimum. So what practical steps must organisations take in order to ensure compliance?
The ICO has provided suggested wording with various degrees of sophistication, which can be used by those organisations wishing to be fully compliant, but first, these are the minimum steps/checks to follow and implement as necessary:

Any cookies which show creation of detailed profiles of an individual’s browsing activity should be clearly identified to users.

  • Determine what types of cookies are used on a website, on both an individual and anonymised level.
  • Analyse how those cookies are used and for what purpose.
  • Remove any outdated/unnecessary cookies.
  • Assess how intrusive the use of cookies is.
  • Decide on the best solution to obtain consent.
  • Evaluate the likely business impact of users exercising their right to remove consent.
  • Ensure that the current privacy statement on the website is updated in line with the new regulation.

In spite of the new layer of complexity that the new regulations bring, cookies remain a valuable tool with a myriad of uses for thousands of businesses, and organisations should not be overly daunted. Consumers are increasingly savvy about their privacy rights and how their data is used, and well aware of their rights to remove consent. Businesses that choose to flout the new regulations risk not only hefty financial penalties but also the ensuing negative perceptions of non-compliance.
On the other hand, those that are well prepared ahead of the deadline will benefit from the positive PR associated with best-practice cookie usage and transparency, and have the opportunity to convey the benefits that cookies ultimately have on the user’s experience.
Kim Walker is a partner at leading law firm Thomas Eggar.
