Who is subject to the U.K. rules
Websites hosted in Europe are subject to the U.K. rules. The U.K. rules also purport to apply to websites that are hosted elsewhere if they target U.K. residents. As a result, U.S. website operators may be required to follow the new U.K. rules if they market their websites to U.K. residents or if U.K. residents are using their websites.
What technologies are covered
The U.K. rules apply to "cookies," which are small text files that a website automatically places on a user's computer when the website is loaded. There are many different types of cookies, including session cookies (which track a user's activity from page to page during a session so that the user does not have to re-enter information or selections); authentication cookies (which store logon credentials so that the user does not have to log on again after navigating to a different website); persistent cookies (which store user preferences for each successive visit to a site); and tracking cookies (which are used to collect analytic data on how an individual website is used and to record a user's activities across websites). The ICO Guidance on Changes to the Rules on Using Cookies and Similar Technologies for Storing Information ("ICO Guidance") states that the rules will also apply to similar technologies for storing information, such as Flash cookies, which are data files that are stored on a consumer's computer by a website that uses Adobe's Flash player technology.
The only exception to the U.K. rules is for cookies that are "strictly necessary" for a service requested by a user, such as a cookie that supports a shopping basket on a website, and the ICO Guidance makes it clear that the exception is to be interpreted narrowly: "The exception would not apply, for example, just because you had decided that your website is more attractive if you remember users' preferences or if you decide to use a cookie to collect statistical information about the use of your website."
How user consent can be obtained
The ICO Guidance offers a number of suggestions on how the required opt-in consent may be obtained, including the following:
- Pop-ups and similar techniques. The operator may use pop-ups or splash screens to obtain consent (although the ICO Guidance notes that this "might well spoil the experience of using a website if you use several cookies").
- Settings-led consent. The operator may incorporate consent as a part of the process by which a user confirms what she wants to do or how she wants the site to work. For example, if an operator offers a feature whereby the website "remembers" which version of the website the user wants to access, the operator could explain to the user that by allowing the operator to remember her choice, she is giving the operator consent to set the cookie.
- Feature-led consent. Some objects are stored when a user chooses to use a particular feature on a website, such as watching a video clip or when the website remembers what the user has done on previous visits in order to personalize the content that the user is served. In these cases, if the user takes some action to specify the features that he wants (e.g., by clicking a button), the operator can ask for the user's consent to set a cookie at that point if the operator makes it clear to the user that by choosing to take a particular action certain things will happen.
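The settings-led and feature-led approaches above amount to the same engineering pattern: non-essential cookies are never written until the user has taken an action that grants consent for that category, while "strictly necessary" cookies are exempt. The following is an added example, not code from the article or from the ICO, showing a consent gate in front of all cookie writes. The cookie names, their categories and the in-memory jar are constructed for the demonstration; in a browser the jar would be backed by document.cookie.

```javascript
// Added example (not from the original article): a consent gate that refuses to write
// any cookie whose category the user has not opted in to. Cookie names and categories
// below are constructed for the demonstration.

const COOKIE_POLICY = {
  // "strictly necessary" for a service the user asked for: exempt from opt-in
  basket_id: { category: "necessary" },
  session_id: { category: "necessary" },
  // everything else requires prior consent for its category
  site_version: { category: "preferences" },
  ga_client: { category: "analytics" },
  ad_segment: { category: "advertising" },
};

class ConsentState {
  constructor() {
    // "necessary" is always allowed; nothing else is allowed until granted
    this.granted = new Set(["necessary"]);
  }
  grant(category) { this.granted.add(category); }
  revoke(category) { if (category !== "necessary") this.granted.delete(category); }
  allows(category) { return this.granted.has(category); }
}

class CookieGate {
  // jar: any object with set(name, value); a Map stands in for document.cookie here
  constructor(consent, jar) {
    this.consent = consent;
    this.jar = jar;
    this.log = []; // audit trail of every attempted write and its outcome
  }
  set(name, value) {
    const policy = COOKIE_POLICY[name];
    if (!policy) {
      // An undeclared cookie is refused so the live site cannot drift from the inventory.
      this.log.push({ name, action: "refused", reason: "undeclared cookie" });
      return false;
    }
    if (!this.consent.allows(policy.category)) {
      this.log.push({ name, action: "deferred", reason: `no consent for ${policy.category}` });
      return false;
    }
    this.jar.set(name, value);
    this.log.push({ name, action: "set" });
    return true;
  }
}

// Settings-led / feature-led consent: the user's explicit choice of a feature (for example
// "remember which version of the site I use") both grants the category and sets the cookie.
function chooseFeature(gate, category, cookieName, value) {
  gate.consent.grant(category);
  return gate.set(cookieName, value);
}

// Stand-alone walk-through returning the gate so its log and jar can be inspected.
function runDemo() {
  const gate = new CookieGate(new ConsentState(), new Map());
  gate.set("basket_id", "b-123");          // necessary: written immediately
  gate.set("ga_client", "GA1.2.42");       // analytics: deferred, no consent yet
  chooseFeature(gate, "preferences", "site_version", "mobile"); // user opts in, written
  gate.set("tracker_x", "1");              // not in the policy: refused
  return gate;
}
```

The log kept by the gate is what you would surface to an auditor: each entry records whether a cookie was set, deferred pending consent, or refused because it was never declared in the policy.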
Third party cookies
The ICO Guidance notes that where a website displays third party content, such as an advertising network or a streaming video service, the third party may read and write its own cookies or similar technologies on the user's device through the website. The process of getting consent for these third party cookies is more complex, and may be the most challenging area in which to achieve compliance with the new rules. The ICO's view is that everyone has a part to play in making sure the user is aware of what is being collected and who is collecting it. The ICO notes that there are a number of initiatives to seek to ensure that users are given more and better information about how their information is used, and advises that any operator of a website that allows or uses third party cookies must make sure it is doing everything that it can to get the right information to users and that it is allowing users to make informed choices about what cookies are stored on their devices.
A serious breach (defined in another ICO Guidance on Enforcing the Revised Privacy and Electronic Communications Regulations as a serious contravention of the rules that is likely to cause substantial damage or distress) may result in penalties of up to £500,000 if it is deliberate, or the responsible person knew or ought to have known that a contravention would occur and then failed to take reasonable steps to prevent it.
As noted, the U.K. rules purport to cover all website operators that target U.K. residents. Whether or not a U.S. website operator is determined to be covered by the U.K. rules, the trend toward requiring fuller disclosure and express consent, especially for targeted advertising cookies, is likely to be seen in the U.S. as well. For example, in its December 2010 report on consumer privacy, the FTC recommended that consumers be given the right to opt-in before tracking cookies are used. As a result, U.S. website operators should consider taking the following actions:
- Check what type of cookies and similar technologies you use on your website and how you are using them. You should determine which cookies you believe are "strictly necessary" and therefore will not require opt-in consent. You may also want to use this audit as an opportunity to stop using any cookies that are unnecessary or have been superseded as your site has evolved.
- Decide which consent mechanism will work best for you and implement it on your website.
- Review your contracts with advertisers, advertising networks, providers of website and browsing statistics, and parties with whom you offer co-branded sites to ensure that they clearly set forth who is responsible for providing cookie notices and obtaining user consent where required.
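The first action above, the cookie audit, can be partly automated by parsing the Set-Cookie headers a site actually emits and comparing them with the cookies you have declared and categorized. The example below is added here and is not from the article; the inventory, the site host name and the sample Set-Cookie headers are constructed for the demonstration. It flags cookies that are not "strictly necessary" (and so need opt-in consent), cookies that persist beyond the session, cookies scoped to a domain other than the site's own, and cookies that are not declared in the inventory at all, which is where superseded or forgotten cookies turn up.

```javascript
// Added example (not from the original article): audit Set-Cookie headers against a
// declared cookie inventory. All names, hosts and header values are constructed samples.

const SITE_HOST = "www.example.test"; // constructed

const COOKIE_INVENTORY = {           // constructed: what the operator has declared
  basket_id: { category: "necessary", purpose: "shopping basket" },
  ga_client: { category: "analytics", purpose: "usage statistics" },
  ad_segment: { category: "advertising", purpose: "targeted ads" },
};

const SAMPLE_SET_COOKIE_HEADERS = [   // constructed: as captured from HTTP responses
  "basket_id=7f3a; Path=/; Secure; HttpOnly; SameSite=Lax",
  "ga_client=GA1.2.1234; Max-Age=63072000; Path=/; Domain=.example.test",
  "ad_segment=auto_buyers; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/; Domain=.ads.example.test",
  "legacy_promo=1; Path=/",
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
// Attributes are separated by ";"; the Expires date contains commas but no semicolons.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attributes };
}

// True when the Domain attribute does not cover the site's own host.
function domainMismatch(attributes, siteHost) {
  if (!attributes.domain) return false;
  const domain = attributes.domain.replace(/^\./, "").toLowerCase();
  return !(siteHost === domain || siteHost.endsWith("." + domain));
}

// Produce one finding per header: what the cookie is, and what the audit says about it.
function auditCookies(headers, inventory, siteHost) {
  return headers.map((header) => {
    const { name, attributes } = parseSetCookie(header);
    const declared = inventory[name];
    const persistent = "max-age" in attributes || "expires" in attributes;
    let finding;
    if (!declared) finding = "undeclared";               // review, then declare or remove
    else if (declared.category === "necessary") finding = "ok-necessary";
    else finding = "needs-consent";                      // must not be set before opt-in
    return {
      name,
      category: declared ? declared.category : null,
      persistent,
      foreignDomain: domainMismatch(attributes, siteHost),
      finding,
    };
  });
}

function runAudit() {
  return auditCookies(SAMPLE_SET_COOKIE_HEADERS, COOKIE_INVENTORY, SITE_HOST);
}
```

Run the audit against headers captured from your own site and treat every "undeclared" finding as an action item: either add the cookie to the inventory with a category and purpose, or remove it.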