
Compliance with the Privacy and Electronic Communications Regulations

Last updated: 15 June 2012, 15:09

Disclaimer

The following information involves actions that must be taken to ensure compliance with UK law. Responsibility for compliance rests not with Cubik as a supplier of websites and website technology, but with each Cubik client ("the website owner"). Therefore, whilst we have taken every care in compiling this information, you should independently review the sources of information that we have referenced below (principally the website of the Information Commissioner's Office, www.ico.gov.uk) and/or seek independent legal advice as you feel appropriate.

Overview

The EU issued the first version of its E-Privacy Directive in 2002 and since that time, further Directives have been issued to revise and update the initial requirements of that Directive.

The area where the most recent updates have greatest impact for Cubik’s clients is in respect of the need for visitors to websites to allow the website owner to place “cookies” on the site visitor’s computer. A cookie is:

“A piece of text stored on a user's computer by their web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data”.

Source: Wikipedia (http://en.wikipedia.org/wiki/HTTP_cookie)

The latest amendments to the E-Privacy Directive were transposed by EU member states into national law on 26 May 2011. In the UK, this was achieved via amendments to the Privacy and Electronic Communications Regulations. The UK body responsible for the enforcement of this law is the Information Commissioner’s Office (“ICO” – www.ico.gov.uk). Due to the implications of the changes in the law and the confusion surrounding interpretation, the ICO allowed a grace period of 12 months prior to taking enforcement action; this grace period came to an end as of 26 May 2012.

The Information Commissioner, Christopher Graham, stated that:

“…when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”

Source: Website of the ICO

It is therefore important that website owners are clear about their obligations and either achieve compliance, or (if compliance with the Law has not been achieved by 26 May 2012) have in place an appropriate strategy to achieve compliance within a reasonable timeframe.

Achieving Compliance

The ICO has produced a detailed document on this topic (“Guidance on the rules on use of cookies and similar technologies”). The ICO’s document can be downloaded in PDF format from the ICO website.

This document suggests that there is no single, straightforward solution to the problem that can be applied generically across all websites; individual website owners will need to work with their developers to determine how best to achieve compliance in the context of their specific website(s).

The first three steps on the path to compliance with the Law, as suggested by the ICO, are:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Where you need consent - decide what solution to obtain consent will be best in your circumstances.

To support you in addressing point 1 above, we have compiled a document (“Cubik Websites and Cookie Use”) that describes every cookie used within the Cubik solution. Not every website will use every feature of the Cubik solution, so not every cookie will be used by every website. You can request a copy of this document by completing this form.

Next Steps

Cubik has provided all of the background information for its clients that it can reasonably prepare; individual consultations will now need to take place with clients to determine the most appropriate solution to meet their compliance needs.

There are two consultancy packages that Cubik can offer to support you.

Adopting ‘Best Practice’ Examples

The ICO's initial advice suggested that prior to placing cookies on a site visitor's machine, active consent was required from the site visitor. However, following meetings with leading industry representatives, the ICO modified its guidance shortly before the 26 May 2012 deadline, stating that implied consent may now suffice. That is to say, the behaviour of the site visitor may be used to infer that they have consented to the cookie use.

Option A - Active Consent

The ICO has implemented a solution that involves the display of a prominent message in the header of their website that persists across every page that is visited:

[Image: ICO Statement 2]

The privacy notice (accessed via a link in the statement) provides details about the cookies that are used throughout the site. Accepting cookies from the site causes the header message to disappear. It does not reappear when the visitor accesses the site again from the same browser on the same computer, since the action of acceptance places a cookie on the site visitor’s computer to prevent this.

This approach appears to offer a high degree of certainty that a site will be considered to be compliant with the Law. However, experience suggests that many site visitors do not fully understand the implications of the statement that they are accepting and are therefore reluctant to tick the 'accept' box. Since, by default with this option, cookies are not placed on the site visitor's computer, any features that rely upon cookies will not function if the site visitor does not 'accept'. So, as an example, Google Analytics will not capture statistical information about the behaviour of your website visitors.

Option B - Implied Consent

Using the implied consent approach, the BBC make the following statement via a message in the header of their site:

[Image: BBC Cookies Statement]

In this implementation, cookies are placed upon the site visitor's computer by default. If the site visitor continues to browse the site, they are assumed to have accepted the use of cookies.

If you consider either of these two approaches to be an acceptable means to enable you to achieve compliance, we can deliver the following service to you:

  • Work with you to review which of the cookies from the document “Cubik Websites and Cookie Use” are in use within your website.
  • Develop the table that identifies these cookies for inclusion in your privacy notice, as per the ICO’s website (see: http://www.ico.gov.uk/Global/privacy_statement.aspx).
  • Implement a site header message as per the ICO or BBC website examples above, highlighting the use of cookies within your website. (N.B. Within the implementation on the BBC website, the header message disappears after the site visitor navigates away from the first page that they have visited and the message is not displayed again to a user from the same computer using the same browser. In Cubik's implementation of the implied consent model, the header message will appear on every page until the site visitor dismisses it, following which it will not appear again to a site visitor using the same browser on the same computer).

The cost of this consultancy package for either option is £500 + VAT.

Request a Bespoke Solution

If, following your assessment of the situation, you are not happy to simply adopt either the ICO’s or the BBC's approach, we will need to enter into a detailed discussion with you to determine the specification for a bespoke solution. The cost of such a solution cannot be determined prior to the completion of the specification exercise. We will therefore require a purchase order for an initial consultancy fee of £700 + VAT to work with you to define that specification.

More Information

If you would like to discuss this further with us, please complete this form.

 
