Business Brain Storming

How the Cookies Crumble: New Rules on Data Privacy
By Christopher J Sherliker

Almost a decade ago Steven Spielberg’s futuristic film Minority Report set out a marketer’s dream – a world of interactive advertising where retailers and other businesses could market their products to individual consumers with a panoply of ads floating past them as they do their weekly shop. Although we are not quite there yet, the pervasiveness of all things digital is plain to see. In this month’s Ewire, Trainee Solicitor Ana Ivanovic looks at new changes in data privacy law and how these changes may affect your business if you advertise or trade online.

On 26th May 2011 the new Privacy and Electronic Communications Regulations 2011, derived from a European Directive on e-Privacy, became law. The regulations apply to how businesses use cookies and similar technologies for storing information on a user’s equipment, such as their computer or mobile device.

A “cookie” is, essentially, a small text file downloaded on to a device when the user accesses certain websites. Although the complexity of a cookie can vary, in its simplest form it will contain a site name and unique user ID which allow a website to recognise a user’s device, thereby making their online shopping or browsing experience smoother and more intuitive. The basic principle of a cookie – namely the gathering of private information to market goods and services to eager consumers – forms the basis of Spielberg’s interactive advertising world.

The aim of the new regulations is to protect consumers’ privacy and, in particular, limit how much information is used in behavioural advertising. The existing law requires businesses to provide consumers with clear and comprehensive information about the use of cookies, as well as giving them the opportunity to ‘opt-out’ of cookie downloads. To date most businesses have dealt with these requirements by insisting that users accept their terms and conditions, which also set out the business’s policy on the use of cookies.

The new regulations will require all organisations operating websites to gain permission from users when storing or accessing a cookie. In practice, this means that businesses will only be able to place a cookie on a user’s machine when the user has given their consent. The only exception to this is where using a cookie is ‘strictly necessary’ for a service requested by the user. For example, consent would not be required where the consumer adds goods into a virtual basket or shopping cart because it is necessary for the site to remember what was chosen on the previous page to allow the consumer to proceed to the checkout page.

The guidance published by the Information Commissioner’s Office (ICO) earlier this month emphasises that this exception is to be interpreted very narrowly. It will only apply in circumstances where services are ‘explicitly requested’ by the user, as in the example above.

In order to comply with the new regulations, businesses should perform a comprehensive review of their websites, whilst also doing the following:

  • Checking what types of cookies or similar technologies their site uses and how they are used
  • Assessing how intrusive each cookie is and what information it gathers
  • Deciding on the best way to obtain consent from users

In its guidance the ICO urges businesses to audit their web pages and effectively carry out a spring clean of all the cookies used on their site so that only information that is strictly necessary is being stored. The more privacy intrusive the cookie, the more meaningful the consent needs to be.

The ICO’s guidance is by no means comprehensive and the government appears to have acknowledged that there will be a delay in applying and enforcing the law. The Department for Culture, Media and Sport is still drafting the exact steps that businesses have to go through to comply with the law and gain consent from customers and users.

Nevertheless, businesses need to consider how they will communicate with customers to get consent and look at the technical steps that might make that process easier – burying their heads in the sand due to a lack of explicit guidance will not provide a ‘get out of jail free card’ to those that choose to ignore the rules.

It is imperative that businesses use this time to review their terms and conditions, privacy policies and contracts with ad networks and other third parties that may set cookies on users’ devices. A thorough cookie audit should be undertaken to ensure that every cookie remaining is ‘strictly necessary’. Failure to comply with the law and flagrant breaches of the regulations may result in the ICO serving hefty monetary penalties on the businesses involved.

Businesses, advertisers and marketers will need to think more creatively when creating online stores, constructing websites and putting together online marketing campaigns. Finding creative and innovative solutions for gaining user consent within the law may well bring us closer to the Minority Report shopping mall.

Added: 1st June 2011

Christopher J Sherliker is a partner at Silverman Sherliker LLP, which provides legal solutions across a spectrum of requirements.

