uk-netmarketing Archive (2011-2015)
[uk-netmarketing] European Cookie Law - Big Debate
Alex Chapman achapman at sheridans.co.uk
Fri Jun 1 12:01:11 BST 2012
this is an article we have just done on the subject - in case it helps
BURNING YOUR COOKIES? DON'T PANIC!
The law regarding the use of cookies and user tracking tech has recently
changed - at a time when the use of analytics in digital media and
online services is now commonplace. As a result it is likely that many
web site and digital media operators may unwittingly find themselves on
the wrong side of the law.
The good news, in the UK at least, is that the Information
Commissioner's Office ("ICO") (who police the law in the UK) has said
that they aren't going to go all militant on those who may not be fully
compliant - so long as they are taking steps towards doing so.
The further bad news however, is that there is a great deal of
uncertainty, as to what that means and what operators actually need to
do to comply. Indeed that uncertainty exists even among the experts and
those policing the new law. For example, at the time of writing, it
would appear that the European Commission still isn't complying with
its own directive (www.europa.eu).
So it's not surprising that a lot of digital media businesses are
wondering what they should do. To help you, we've set out what the
changes should mean to you and have given you some suggestions on how
you can deal with them.
Introduction
Under the old law if you used cookies (and similar tracking devices) in
your digital media or website you had a legal obligation to provide
information on them and allow users of your site to refuse to accept
them if they wish. Previously therefore, digital media / online
operators could deal with this by simply telling users that they used
cookies and that if the user didn't like it they just needed to change
their browser settings.
However the new law means that, from now on, consent to cookies is only
valid if it is 'freely given, specific and informed' - and here is where
the difficulties begin.
For one thing there is uncertainty as to what 'freely given, specific
and informed' actually means and the ICO has not provided a definitive
approach on the point. Instead, it has stated that each website operator
must determine for itself how to go about obtaining valid consent.
In determining this, the guidance has focussed on asking operators to
have in mind the type of cookies they are using. If the cookies being
used are especially intrusive, operators will need to do more to obtain
valid consent - which will mean making the request for consent more
obvious. If the cookies being dropped are not intrusive, digital media
/ website operators may consider taking a more relaxed approach and may
be able to rely more on implied consents.
Cookie Audit
As a first step therefore, operators should conduct an audit of all the
cookies they are using or plan to use. The cookie audit should show:
which cookies are used; the purpose of each cookie; what information the
cookie collects or links to (e.g. usernames); how long the cookie will
persist; and, if the cookie is a third party cookie, the identity of
that third party.
Operators may find that some of the cookies are no longer necessary, so
this also presents a good opportunity to streamline.
In addition and in particular, operators should pay special attention to
which cookies may be "strictly necessary" for a service requested by the
user to operate. This is because "strictly necessary" cookies do not
require any consent and so, for example, cookies that remember the
contents of a website shopping basket may not require consent.
Analytics cookies are however, not considered to be "strictly
necessary".
Consent
Once the cookie audit has been completed, the next step is to work out
what consent is needed for each of them. So let's go back to what the
consent must be - namely "freely given, specific and informed".
In order for consent to be "specific and informed", operators will need
to give sufficient detail as to what the cookie will do and what it (and
the information collected) will be used for. In particular they should
update their privacy policies to ensure cookies are referred to in
sufficient detail and to make sure that all information regarding
cookies is provided in straightforward language.
One of the easiest ways to do this would simply be to present the
results of the cookie audit to users in an easy to understand format,
such as part of the privacy policy or in a separate page that is linked
to the privacy policy.
In order for consent to be "freely given", a user must take some
positive action in order to give his or her consent. This is where the
biggest decision that operators have must be made, namely what will be
sufficient to fulfil this obligation. Already we are seeing many
different approaches and also some conflicting advice.
Certainly, consent given in the form of a tick box, where the user
explicitly gives consent, will be sufficient. However this can also have
a significant impact on the user experience and, unless the cookies
being dropped are especially intrusive, it may not be necessary. For
example, consent can be implied in certain circumstances, such as where
users are informed that cookies are being used and why, and by
continuing to use the website, they are giving their consent to that
use.
The circumstances will therefore dictate what is compliant or not and
that explains why the ICO haven't been able to give the definitive
guidance many operators want.
However there are some simple steps that can be taken in any case, such
as building consents to cookies into those terms and conditions or end
user licence agreements that users are already required to accept and
making sure that the attention of users is properly drawn to an
appropriate privacy policy - which itself could be called a "privacy and
cookies policy". Additionally, a banner or pop up may be used to draw
users to the privacy and cookie policy and where the cookies are
intrusive or the operator has additional concerns the banner may also
contain a tick box for obtaining explicit consent.
Third Party Cookies
If cookies are being used on behalf of a third party, both the operator
of the site / game / service and the applicable third party are
responsible for ensuring that consent is obtained. In almost all cases,
it will be easier for the operator to obtain consent. Third parties
should therefore consider amending any agreements they may have with
operators to place a contractual obligation on the operators to obtain
suitable consent.
Comment
As may now be apparent it is not possible to give an actual answer on
how to comply with the new laws regarding cookies. Each website will
have different considerations which will inform which practical solution
is most appropriate.
At present the best advice - taking into account the realities of doing
business in a very competitive environment and the embryonic state of
the law (or at least its interpretation) - is to be proactive to a point
and then be prepared to react quickly if and when things change.
To be proactive the key is to understand the type of cookies being used,
the extent to which those cookies intrude on an individual's privacy and
the demographic of the website's users. Based on that, you should be
able to determine what your users can reasonably be expected to do in
order to be deemed to have provided "freely given, specific and
informed" consent (whether expressed or implied) to their use and work
from there.
As mentioned at the outset, the ICO has said that, in respect of
operators that are not compliant, it will not immediately seek to impose
fines or take action. Rather, it will give operators feedback and an
opportunity to become compliant. The ICO does, however, expect all
operators to have attempted to comply with the regulations (even if
these attempts have not been successful).
As a result, it is important to take steps now but also to be prepared
to react to future guidance. It is fair to say that, over time,
operators may be able to take a less intrusive approach to compliance
with the regulations. On the other hand, operators may feel it is
appropriate to take additional steps to ensure compliance.
Ultimately the long and short of it is this:
1. check what cookies / tracking tech you use;
2. tell your users what they are and what they do;
3. do something that could be deemed to mean that they are ok with
it.
Alex Chapman, John Haggis, Jack Jones and Eitan Jankelewitz
SHERIDANS INTERACTIVE
SHERIDANS is one of Europe's leading law firms specialising in the
business and law of the digital media and interactive entertainment
sectors. For further information contact etc. etc. etc.
________________________________
From: uk-netmarketing-bounces at mm.chinwag.com
[mailto:uk-netmarketing-bounces at mm.chinwag.com] On Behalf Of Alex
Chapman
Sent: 31 May 2012 16:32
To: uk-netmarketing
Subject: Re: [uk-netmarketing] European Cookie Law - Big Debate
so I'm a bit late to this thread and I've probably missed a whole load
of really useful stuff or may be repeating what someone has already said
but I / we have been working on the advice we give clients and think we
have come up with something simple - that is a bit more helpful than the
ICO saying "it depends" even though it actually kind of does depend.
anyway here is a quick three liner that I think should summarise where
we are with what you should / can be doing to deal with the law change
The long and short of it is this:
1. check what cookies / tracking tech you use;
2. tell your users what they are and what they do;
3. do something that could be deemed to mean that they are ok with
it.
Alex Chapman
Telephone +44 (0)20 7079 0145
Email achapman at sheridans.co.uk
Web www.sheridans.co.uk

