In the U.K., C is for Cookie and ComplianceCatherine Dunn Corporate Counsel
05-30-2012
Ever heard of a “cookie audit”? Delicious as it may sound, the refined CorpCounsel.com reader will know that’s not a reference to an inventory of the company vending machines, but rather is a crucial step in complying with a U.K. regulation that entered into force over the weekend: the so-called “cookie law.”
The U.K. law gives teeth to European Union’s Privacy and Electronic Communications Directive (also known as the E-Privacy Directive), requiring organizations to obtain consent before they collect personal data from Britons and other Europeans via cookies (i.e., a small digital file that a site can deposit on a user’s computer) on the web. Now that a year-long compliance period has ended, organizations around the world are supposed to inform website visitors which cookies will track them—and get user permission to do so—according to the Information Commissioner’s Office, the U.K. regulator in charge of the law.
“It’s this positive obligation to obtain consent that’s new,” says Bridget Treacy, managing partner of the Hunton & Williams London office. “You have to get somebody’s consent before you get their information.”
That goes for U.S. companies, too. “The E-Privacy directive does not stipulate that the law applies only to E.U. businesses,” says Robert Bond, head of data protection and information law at Speechly Bircham in London. So if your site interacts with E.U. citizens, “then you have to have the cookies compliance program in place,” he says.
Compliance can take a variety of forms, says Treacy. Some businesses, for example, are choosing to place a “cookies button” on their sites—similar to existing buttons that lead a site’s users to explanations of the company’s privacy policy and terms of use. Others businesses are opting to display a banner that leads users to the relevant information. In the U.K., “the commissioner has encouraged creativity” to get the job done, Treacy says, adding, “there is no one prescribed solution.”
But if your company’s site isn’t in compliance, chances are you’re not alone. Earlier this month, the BBC reported that even most U.K. government offices wouldn’t be in compliance with the law by the May 26 deadline. The ICO has also indicated it won’t be cracking down hard immediately. Recently, Information Commissioner Christopher Graham told the blog ZDNET U.K. that his office would not embark on a “crusade” come May 27: "We're not going to go round on the day after the year runs out and say, 'Who can we menace?' but, where we need to take regulatory action, the key thing is—well, what have you done?"
So with this brief reprieve, how can cookie-bearing companies quickly get within the bounds of the U.K. law? Both Treacy and Bond say that performing a cookie audit is the first step—that is, you have to know what types of cookies operate on your site, and what kind of information they collects about users.
The audit will help determine whether certain cookies meet the law’s exemption for those that are “essential” to how a site operates, Treacy says. And since cookies vary in their levels of intrusiveness, the audit will also aid in-house counsel in determining what kind of notice should be given to site users.
In terms of enforcement, the ICO can fine offending companies up to 500,000 pounds sterling. Though Treacy believes the regulator is unlikely to issue monetary penalties. “The threshold is quite high,” she says.
But companies that do nothing at all run a real risk of drawing attention from a regulator that is likely to bring such non-compliance to public light, say both attorneys.
“It’s that sort of naming and shaming that’s actually worse than the fine,” Bond says. “If you have a brand and a reputation, then it starts to get slightly tarnished.”
In the interest of “engendering trust,” Bond suggests that “you might as well try and structure a solution that’s transparent,” do it in such a way that doesn’t disrupt the website experience, and “get on doing business.”
|
