Are your cookies toast?

The Information Commissioner’s Office (ICO) has just released guidance on how it proposes to enforce revised legislation on the use of cookies. In essence, organisations that run web sites aimed at UK consumers are being given one year to ensure that their use of cookies on such sites complies with the new EU cookies law.

The British government has changed UK law, in response to an EU Directive, by amending Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The revised Regulations come into force today (26th May 2011).

As with the EU proposals on the collection of geolocation data (see Regency’s recent article), the key change is that the web site owner must obtain each user’s consent to the use of cookies, at least on that user’s first visit to the site, in all but a narrowly defined set of circumstances. The main exemption covers cookies that are strictly necessary to provide a service the user has explicitly requested, such as a session cookie that keeps track of an online shopping basket. (Previously, the use of cookies was allowed provided the user was given clear information about them and the chance to opt out.)

The ICO advises that, as a web site owner, you need to take the following steps in order to check your compliance with the revised PECR rules:

Check what type of cookies (or similar technologies) you use and how you use them;
Assess how intrusive your use of cookies is;
Decide what solution to obtain user consent will be most effective in your particular circumstances.
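As an added illustration of those three steps (example code written for this page, not from the ICO or from Regency), the JavaScript below inventories the cookies a site sets, classifies each one against a policy table, treats anything it cannot classify as needing consent, and only emits a cookie once the user has explicitly granted consent for its category. The cookie names, category labels and the sample cookie string are all constructed for the example; only the "strictly necessary" exemption itself comes from the Regulations.

```javascript
// Added example: cookie inventory and consent gating for a PECR-style review.
// The policy table, cookie names and categories below are assumptions made
// for illustration; adapt them to what your own site actually sets.
const COOKIE_POLICY = {
  // Strictly necessary for a service the user asked for: exempt from consent.
  sessionid: "strictly-necessary",
  csrftoken: "strictly-necessary",
  // Everything else needs explicit consent for its category.
  _ga: "analytics",
  _gid: "analytics",
  ad_id: "advertising",
};

// Step 1: work out what each cookie is. Unknown names are NOT assumed harmless.
function classifyCookie(name) {
  return COOKIE_POLICY[name] || "unclassified";
}

// Parse a document.cookie-style string ("a=1; b=2") into name/value/category.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => {
      const idx = pair.indexOf("=");
      const name = idx === -1 ? pair : pair.slice(0, idx);
      const value = idx === -1 ? "" : pair.slice(idx + 1);
      return { name, value, category: classifyCookie(name) };
    });
}

// Step 2: assess intrusiveness. Anything that is not strictly necessary, and
// anything unclassified, is flagged as needing a consent mechanism.
function auditCookies(cookieString) {
  const cookies = parseCookieString(cookieString);
  return {
    total: cookies.length,
    needingConsent: cookies
      .filter((c) => c.category !== "strictly-necessary")
      .map((c) => c.name),
    unclassified: cookies
      .filter((c) => c.category === "unclassified")
      .map((c) => c.name),
  };
}

// Step 3: record consent. The browser's default of accepting cookies is not
// consent; only a category the user has explicitly granted is recorded here,
// so "unclassified" cookies fail closed unless someone deliberately allows them.
class ConsentStore {
  constructor() {
    this.granted = new Set();
  }
  grant(category) {
    this.granted.add(category);
  }
  revoke(category) {
    this.granted.delete(category);
  }
  allows(category) {
    return category === "strictly-necessary" || this.granted.has(category);
  }
}

// Gate: returns the Set-Cookie string the site may emit, or null if the
// user has not consented to that cookie's category.
function setCookieIfAllowed(consent, name, value, attrs = "Path=/; Secure; SameSite=Lax") {
  const category = classifyCookie(name);
  if (!consent.allows(category)) return null;
  return `${name}=${encodeURIComponent(value)}; ${attrs}`;
}

module.exports = { classifyCookie, parseCookieString, auditCookies, ConsentStore, setCookieIfAllowed };
```

In a real deployment the audit would run over the cookies observed in the browser (document.cookie and the Set-Cookie headers from every page and third-party script), not over a hand-written string, and the consent store would be persisted, itself in a strictly necessary cookie, so the user is not asked again on every page. The point the example makes is the fail-closed default: a cookie nobody has classified is treated as needing consent rather than assumed to be exempt.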

The ICO’s more detailed advice makes clear that web site owners cannot simply rely on the fact that a user’s browser is set to accept certain types of cookie as evidence of (even implied) consent to their use; the ICO’s view is that current browser settings are not sophisticated enough for that setting to count as a genuine, informed choice by the user.

If you might be affected by the new PECR rules then Regency strongly recommends that you visit the ICO web site where further information can be obtained. Of course, the regulations governing the use of cookies represent just one example of the wide range of Data Protection legislation that the ICO is responsible for enforcing. What’s more, the ICO is demonstrating an increasing willingness to use the teeth that Parliament has given it by imposing substantial fines on organisations, both public and private, which it has determined as being in breach of their data protection obligations.

Few, if any, organisations set out to deliberately flout Data Protection legislation. Most breaches result from a lack of clarity about what is required and/or a false assumption that the organisation’s existing information security measures will be adequate to meet these changing requirements. Even where proper procedures are in place, organisations have been fined for not ensuring that they were actually being followed by their staff.

Regency IT Consulting can provide you with the assurance you need that your technical safeguards and associated procedures do provide the level of protection for personal data that is required, whether under the Data Protection Act or under regulations such as PECR. Our experienced consultants have considerable expertise in carrying out compliance audits, not only in the area of data protection but also against widely recognised international standards such as ISO 27001. We are also able to advise on the need for a Privacy Impact Assessment (PIA), which the ICO expects organisations to carry out where sensitive personal data is stored or processed, and can draft a PIA report that is precisely tailored to the level of risk you face.