Under the new rules, which went into effect on May 25th, 2011, cookies can only be placed on computers where the user has given their express consent, except in cases in which a website operator is doing something that is “strictly necessary” for a service specifically requested by the user.
What exactly does this new law mean to website operators both inside and outside the EU? The UK Information Commissioner’s Office (“ICO”) has recently provided some advice on how to comply.
How Is Consent Obtained?
So how does a company obtain the required consent? The ICO states that “the more privacy intrusive your activity, the more you will need to do to get meaningful consent.” For example, the guidance explains that consent can be obtained via the following methods (note that these are not exhaustive suggestions):
- Pop-ups. A website operator could ask a user directly if they agree to a website operator putting something on their computer. Clicking “yes” would constitute consent.
- Settings-led consent. Consent could also be gained as part of the process by which the user confirms what they want to do or how they want the website to work, e.g., some websites “remember” which language version of a website a user prefers. If this feature is enabled by the storage of a cookie, then the website operator could explain this to the user and tell them that it will not ask every time they visit the website.
How Does the “Strictly Necessary” Exception Operate?
The ICO states that the “strictly necessary” exception is a narrow one. It may apply to cookies that a website operator uses to ensure that, when a user of its site has chosen the goods they wish to buy and clicks “add to basket”, the website “remembers” what the user chose on a previous page. In this case, the guidance suggests, consent would not be required. Yet the guidance goes on to say that the exception would not apply, for example, just because a website operator decides that its website would be more attractive if it remembered users’ preferences, or because it decides to use a cookie to collect statistical information about use of the website.
Do Website Operators Have to Comply With the Changes and Guidance?
However, one cannot lose sight of the fact that there are currently four bills pending in Congress regarding this same issue, and the steps taken by those on the other side of the Atlantic will certainly be taken into consideration when the final bill is ready for the President’s signature.