A contractor's recipe for cookie compliance
As recently reported by Contractor UK, many organisations have not yet got their teeth into “cookies” requirements which came into force in May last year. The year’s lead-in period given by the UK regulator (the Information Commissioner’s Office - the ‘ICO’) is now almost up. If you are an IT professional who develops or manages websites, can you be doing more to help your client(s) with compliance?
In this exclusive guide for CUK, information law specialist Olivia Whitcroft, principal of OBEP, provides five practical steps that freelance IT contractors can take to comply with the requirements (under the Privacy and Electronic Communications [EC Directive] Regulations 2003).
1. Run a cookie review
Identify what cookies are used or are intended to be used. It is important to look not just at the fact that a cookie exists (or that a similar technology is used to gain access to information on the terminal equipment of a user), but at why it is there, what it does and how the resulting information is used. For example, is the cookie there solely to assist with website security? Or is the cookie primarily there to gather intelligence on user preferences for business analysis and behavioural advertising? Or perhaps the cookie serves no legitimate purpose and can simply be removed?
You will need to take into account cookies associated with third-party content included on the website (such as advertisements), as well as those you create directly for your customer.
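A cookie review starts with an inventory, and the technical properties of each cookie (who sets it, for which domain, for how long, with which attributes) are the part a contractor can collect mechanically before the harder question of purpose is answered. The script below is an added example, not part of the article or of OBEP's guidance: it takes Set-Cookie headers captured while loading a site (from a proxy or browser developer tools) and classifies each cookie as first- or third-party relative to the site under review, as a session or persistent cookie, and records its Secure, HttpOnly and SameSite attributes. The review notes it attaches are heuristics chosen here, not regulatory tests, and the hostnames, cookie names and capture are constructed for illustration. The purpose column is deliberately left for a human: the script cannot tell an analytics cookie from a security one by its attributes.

```python
"""Cookie inventory from captured HTTP responses (added example, not from the article).

Assumed input (not from the article): a list of (request URL, [Set-Cookie header, ...])
pairs recorded by a proxy or browser devtools. The capture below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class CookieRecord:
    name: str
    set_by: str                     # host of the response that set the cookie
    domain: str                     # Domain attribute, or set_by when absent
    party: str                      # "first" or "third", relative to the reviewed site
    lifetime_days: Optional[float]  # None means a session cookie
    secure: bool
    httponly: bool
    samesite: Optional[str]
    purpose: str = "UNREVIEWED"     # to be filled in by the reviewer, not inferred here
    notes: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, value, {attribute.lower(): value})."""
    parts = [p.strip() for p in header.split(";")]  # Expires contains a comma, never ';'
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or None  # flag attrs map to None
    return name.strip(), value.strip(), attrs


def lifetime_days(attrs: Dict[str, Optional[str]], now: datetime) -> Optional[float]:
    """Lifetime in days, or None for a session cookie. Max-Age wins over Expires (RFC 6265)."""
    if attrs.get("max-age"):
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            pass
    if attrs.get("expires"):
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: treated as session for review purposes
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None


def is_same_site(site_host: str, cookie_domain: str) -> bool:
    """True when the reviewed host is the cookie domain or a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    return site_host.lower() == domain or site_host.lower().endswith("." + domain)


def build_inventory(site_url: str, captures, now: datetime) -> List[CookieRecord]:
    site_host = urlsplit(site_url).hostname or ""
    records: List[CookieRecord] = []
    for url, headers in captures:
        parsed = urlsplit(url)
        set_by = parsed.hostname or ""
        for header in headers:
            name, _value, attrs = parse_set_cookie(header)
            domain = attrs.get("domain") or set_by
            rec = CookieRecord(
                name=name, set_by=set_by, domain=domain,
                party="first" if is_same_site(site_host, domain) else "third",
                lifetime_days=lifetime_days(attrs, now),
                secure="secure" in attrs, httponly="httponly" in attrs,
                samesite=attrs.get("samesite"),
            )
            # Review heuristics (chosen for this example, not regulatory tests).
            if rec.party == "third":
                rec.notes.append("third-party cookie: confirm purpose with the provider and whether consent is needed")
            if rec.lifetime_days is not None and rec.lifetime_days > 365:
                rec.notes.append(f"persists {rec.lifetime_days:.0f} days: justify the retention period")
            if (rec.samesite or "").lower() == "none":
                rec.notes.append("SameSite=None: sent on cross-site requests, typical of tracking")
            if parsed.scheme == "https" and not rec.secure:
                rec.notes.append("no Secure attribute: also sent over plain HTTP")
            records.append(rec)
    return records


# Constructed sample capture (hostnames and values are hypothetical).
SITE = "https://www.example.co.uk"
NOW = datetime(2012, 5, 1, tzinfo=timezone.utc)
CAPTURES = [
    ("https://www.example.co.uk/", [
        "sessionid=9f2c1e; Path=/; Secure; HttpOnly; SameSite=Lax",
        "csrftoken=b71a; Path=/; Secure; SameSite=Strict",
        "_ga=GA1.3.1234; Domain=.example.co.uk; Path=/; Expires=Thu, 01 May 2014 00:00:00 GMT",
    ]),
    ("https://ads.tracker-example.net/pixel.gif", [
        "uid=e0a4; Domain=.tracker-example.net; Path=/; Max-Age=63072000; Secure; SameSite=None",
    ]),
]


def sample_inventory() -> List[CookieRecord]:
    return build_inventory(SITE, CAPTURES, NOW)


if __name__ == "__main__":
    for r in sample_inventory():
        life = "session" if r.lifetime_days is None else f"{r.lifetime_days:.0f}d"
        print(f"{r.name:<10} {r.party:<6} {r.domain:<22} {life:<8} purpose={r.purpose}")
        for note in r.notes:
            print(f"{'':>10}   ! {note}")
```

The output is the starting sheet for the review: one row per cookie, with the technical facts filled in and the purpose column empty. Note that a cookie set for the site's own domain (the `_ga` row) is first-party in this classification even though it may exist only to feed a third party's analytics, which is why purpose has to be recorded by hand rather than inferred from the Domain attribute.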
2. Carry out an impact assessment
Consider the impact of each cookie on the relevant users. The more intrusive the cookie is on user privacy, the more obvious and clear you may need to be in providing information and seeking consent (see below). To give an example, using a cookie to analyse website performance and design is likely to be less intrusive on privacy than a cookie which tracks a visitor’s trip around the internet and builds a comprehensive profile of his/her activities.
3. Feed the findings into your approach
Address information and consent requirements. The analysis of the nature of the cookies and their impact will assist you in formulating an approach and prioritisation for compliance, addressing the method of providing notifications and obtaining consent, the content of the notifications and the scope of the consents. I have outlined some of the alternative approaches.
Overall, you should now be in a position to consider, for example, whether to include specific pop-ups on cookies, and/or combine cookie notifications and consents with notification/acceptance of specific website features or user registration procedures.
4. Ready a plan for ongoing management
5. Check for any fresh data protection and privacy implications
Storage and use of data obtained as a result of cookies may require additional data protection and privacy controls. For example, these may need to address direct marketing restrictions, security requirements and conditions for “fair and lawful” processing of personal data.
If you are tasked with developing a new website, the privacy considerations outlined above should be built into the design of the website and its underlying software, and not as a bolt-on consideration after the event. If you are managing a more mature website, existing software and functionality will need to be adapted to comply.
With hefty fines at its disposal, the ICO is unlikely to be sympathetic to organisations which have not taken steps to bring the requirements into the mixture before the end of May.
Editor’s Note: This article provides general guidance and views on the new cookies requirements and should not be relied upon as legal advice.