If you have a website, web app or conduct email marketing and believed that the "Cookie monster" disappeared in the summer of 2012 - it may be sensible to reconsider.
This is particularly relevant with increasing consumer awareness of what cookies do and enable, high profile cases such as the recent iCloud hack, and planned activity to raise awareness ahead of potential new legislation in Europe.
Quick recap - background
- On 26 May 2011, an amendment to The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force. This included changes to the rules for cookies on websites, and introduced new powers for the Information Commissioner to serve monetary penalties and to investigate when the law may have been broken.
- Recognising that the majority of companies would be unable to meet the deadline, an ICO press release issued on 25th May 2011 advised that UK companies were to be given up to 12 months to "get their house in order" before enforcement of the new EU cookies law began.
- Companies have subsequently adopted approaches ranging from no change at all to blocking website visitors from content until they give active consent (sometimes at a global level).
As the law (both as stated and as policed) has lagged behind the rapid development and expansion of new technology platforms, companies have been unable to clarify where they stand against specific standards, e.g.:
- Best practice
- Common practice - Industry standards
- Accepted practice - Consumers preferences (The ICO recently highlighted that reporting of consumer concerns regarding cookies has been declining)
- Required practice - Legally stated and enforced
Without any clearly defined specific requirements setting the "bar", individual companies have only been able to adopt a subjective view of where they sit and how they compare.
So what's changing?
The UK was the first country to enact the European legislation, but as the Information Commissioner's Office highlighted in its 2014 Annual Report, one of the reasons for the lack of clarity has been the ICO's capacity to define, educate and enforce compliance standards.
Whilst continental European countries did not enact the law as quickly, there has been a series of recent events which have moved 'cookie compliance' back up the agenda.
- In early 2014 the French equivalent of the ICO (The CNIL) gained new powers to conduct remote audits of companies.
- During the week of September 15 to 19, 2014 the CNIL will participate at a European level in a "cookie sweep activity" in association with other European agencies. This will check the information captured and how user consent is obtained.
- From October 2014 the CNIL will be conducting audits and issuing enforcement notices against European companies.
- Across Europe there have been a series of enforcement activities, for example:
- The Netherlands Public Broadcasting (NPO) was deemed to have violated the rules on storing cookies and was issued with an enforcement notice to change within four weeks or pay a penalty of up to €125,000.
- The Spanish Data Protection Regulator issued its first fines against two companies who were investigated and fined after failing to comply with the obligation to provide clear and comprehensive information about the cookies they used.
The direction of travel is clearly towards a greater focus on increased consumer awareness and more visibly displayed "cookie compliance".
So what should you do?
There has been a three year grace period following the 2011 law change that is potentially coming to an end.
- Doing nothing is one choice!
- Uninformed rushed choices are costly
- Interactive choices can be risky if you have poor information
Therefore three questions to ask your business are:
1. What do you currently do today?
- What web properties do you control and what’s the scope of your responsibility?
- What existing cookies are set by you & third parties – if you don’t know then shouldn’t you?
- Are the cookies set valid, i.e. do they serve a purpose you know and agree with, by a company you are aware of?
- How do you communicate what you currently do with your visitors?
2. What do you want to do?
- How does existing/planned activity impact upon your commercial model?
3. How do you then implement and maintain going forward?
- Do you have robust policies, procedures and platforms in place to ensure ongoing compliance – if not what do you need?