A contractor's recipe for cookie compliance

As recently reported by Contractor UK, many organisations have not yet got their teeth into “cookies” requirements which came into force in May last year. The year’s lead-in period given by the UK regulator (the Information Commissioner’s Office - the ‘ICO’) is now almost up. If you are an IT professional who develops or manages websites, can you be doing more to help your client(s) with compliance? 

In this exclusive guide for CUK, information law specialist Olivia Whitcroft, principal of OBEP, provides five practical steps that freelance IT contractors can take to comply with the requirements (under the Privacy and Electronic Communications [EC Directive] Regulations 2003).

1. Run a cookie review

Identify what cookies are used or are intended to be used.  It is important to look not just at the fact of there being a cookie (or similar technology used to gain access to information on the terminal equipment of a user), but why it is there, what it does and how the resulting information is used. For example, is the cookie there solely to assist with website security? Or is the cookie primarily there to gather intelligence on user preferences for business analysis and behavioural advertising? Or perhaps the cookie has no legitimate purpose so can be removed?

You will need take into account cookies associated with third-party content included on the website (such as advertisements), as well as those you create directly for your customer.

2. Carry out an impact assessment

Consider the impact of each cookie on the relevant users. The more intrusive the cookie is on user privacy, the more obvious and clear you may need to be in providing information and seeking consent (see below). To give an example, using a cookie to analyse website performance and design is likely to be less intrusive on privacy than a cookie which tracks a visitor’s trip around the internet and builds a comprehensive profile of his/her activities.

3. Feed the findings into your approach

Address information and consent requirements. The analysis of the nature of the cookies and their impact will assist you in formulating an approach and prioritisation for compliance, addressing the method of providing notifications and obtaining consent, the content of the notifications and the scope of the consents. I have outlined some of the alternative approaches.

Overall, you should now be in a position to consider, for example, whether to include specific pop-ups on cookies, and/or combine cookie notifications and consents with notification/acceptance of specific website features or user registration procedures.

4. Ready a plan for ongoing management

Records of information provided and consents obtained should be retained by the website owner. Users must also be provided with a clear way to withdraw consent in future (for example by updating user profile options). Regular reviews or refreshers of notifications and consents may also be prudent, particularly if a user has not accessed the website for a significant period or if any changes are made to the use of cookies on the website.

5. Check for any fresh data protection and privacy implications

Storage and use of data obtained as a result of cookies may require additional data protection and privacy controls. For example, these may need to address direct marketing restrictions, security requirements and conditions for “fair and lawful” processing of personal data.

If you are tasked with developing a new website, the privacy considerations outlined above should be built into the design of the website and its underlying software, and not as a bolt-on consideration after the event. If you are managing a more mature website, existing software and functionality will need to be adapted to comply.

With hefty fines at its disposal, the ICO is unlikely to be sympathetic to organisations which have not taken steps to bring the requirements into the mixture before the end of May.

Editor’s Note: This article provides general guidance and views on the new cookies requirements and should not be relied upon as legal advice.

Apr 18, 2012