In the U.K., C is for Cookie and Compliance
Ever heard of a cookie audit? Delicious as it may sound, the refined CorpCounsel.com reader will know that's not a reference to an inventory of the company vending machines, but rather a crucial step in complying with a U.K. regulation that entered into force over the weekend: the so-called cookie law.
The U.K. law gives teeth to the European Union's Privacy and Electronic Communications Directive (also known as the E-Privacy Directive), requiring organizations to obtain consent before they collect personal data from Britons and other Europeans via cookies (i.e., small digital files that a site can deposit on a user's computer) on the web. Now that a year-long compliance period has ended, organizations around the world are supposed to inform website visitors which cookies will track them, and get user permission to do so, according to the Information Commissioner's Office (ICO), the U.K. regulator in charge of the law.
"It's this positive obligation to obtain consent that's new," says Bridget Treacy, managing partner of the Hunton & Williams London office. "You have to get somebody's consent before you get their information."
That goes for U.S. companies, too. "The E-Privacy Directive does not stipulate that the law applies only to E.U. businesses," says Robert Bond, head of data protection and information law at Speechly Bircham in London. "So if your site interacts with E.U. citizens, then you have to have the cookie compliance program in place," he says.
But if your company's site isn't in compliance, chances are you're not alone. Earlier this month, the BBC reported that even most U.K. government offices wouldn't be in compliance with the law by the May 26 deadline. The ICO has also indicated it won't be cracking down hard immediately. Recently, Information Commissioner Christopher Graham told the blog ZDNET U.K. that his office would not embark on a crusade come May 27: "We're not going to go round on the day after the year runs out and say, 'Who can we menace?' but, where we need to take regulatory action, the key thing is, well, what have you done?"
So with this brief reprieve, how can cookie-bearing companies quickly get within the bounds of the U.K. law? Both Treacy and Bond say that performing a cookie audit is the first step: that is, you have to know what types of cookies operate on your site, and what kind of information they collect about users.
The audit will help determine whether certain cookies meet the law's exemption for those that are essential to how a site operates, Treacy says. And since cookies vary in their levels of intrusiveness, the audit will also help in-house counsel determine what kind of notice should be given to site users.
In terms of enforcement, the ICO can fine offending companies up to 500,000 pounds sterling, though Treacy believes the regulator is unlikely to issue monetary penalties. "The threshold is quite high," she says.
But companies that do nothing at all run a real risk of drawing attention from a regulator that is likely to bring such non-compliance to public light, say both attorneys.
"It's that sort of naming and shaming that's actually worse than the fine," Bond says. "If you have a brand and a reputation, then it starts to get slightly tarnished."
In the interest of engendering trust, Bond suggests that "you might as well try and structure a solution that's transparent, do it in such a way that doesn't disrupt the website experience, and get on doing business."