
Much has already been written about the recently much publicised watering down of the UK implementation of the Privacy and Electronic Communications (EC Directive) Regulations 2003, enacted on 25th May 2011 through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR 2011 for short), and about the lack of compliance of websites, and of those offering subscriptions to online services, ahead of the 26th May 2012 deadline for enforcement, which has just passed.

The simple answer is that the ICO has changed its position on consent between its earlier statements and its most recent statements of the last few days. The reasons for this are irrelevant if you are the one subject to the ongoing enforcement enquiries of the ICO, which seeks evidence of what action you have already taken towards becoming compliant with PECR 2011. So what do you need to know?

- Audit what types of cookies you have, and why and where they are used within your website;
- Analyse the intrusiveness of your cookies; and
- Depending on the intrusiveness of your cookies, put in place appropriate notices and consent messages.

How does the change in the ICO's position affect you today?

Advent IM Ltd 2012. Any republishing in part or in full requires the express permission of Advent IM.

The updated guidance provides additional information around the publicised issue of implied consent, and the ICO says: "Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies. If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent. You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand. In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate."

The ICO themselves have a prominent text box at the top of every page which says "The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our privacy notice" (a hypertext link to their full policy description), with a box for the user to tick if they agree with the statement "I accept cookies from this site" and a button to continue either way. The ICO don't mind anyone copying their solution, but point out that they will monitor and possibly amend it in the future. This approach by the ICO clearly meets the two requirements of Regulation 6: that you must provide clear and comprehensive information about any cookies you are using, and that you must obtain consent to store a cookie on a user's or subscriber's device.

When you are doing your cookie audit you need to collect the following data:

- Identify which cookies are operating on or through your website;
- Confirm the purpose(s) of each of these cookies;
- Confirm whether you link cookies to other information held about users, such as usernames;
- Identify what data each cookie holds;
- Confirm the type of cookie: a session or persistent type;
- If it is a persistent cookie, how long is its lifespan?
- Is it a first or third party cookie? If it is a third party cookie, who is setting it? and
- Double check that your privacy policy provides accurate and clear information about each cookie.
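The audit fields above (session or persistent, lifespan, first or third party, who sets it) can be filled in mechanically from the Set-Cookie headers a browser receives while visiting the site. The script below is an added illustration, not part of the original article or the ICO's guidance; the site name, responding hosts and headers are constructed sample data, and the first/third party rule (does the cookie's domain cover the site host?) is a simplification that assumes no public-suffix handling. The purpose of each cookie still has to be supplied by the site owner.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

@dataclass
class CookieRecord:
    name: str
    set_by: str                     # host whose response carried the Set-Cookie header
    persistent: bool                # False means a session cookie
    lifespan_days: Optional[float]  # None for session cookies
    party: str                      # "first" or "third"

def _covers(site_host: str, domain: str) -> bool:
    """True if a cookie scoped to `domain` applies to `site_host` (simplified rule)."""
    domain = domain.lower().lstrip(".")
    site_host = site_host.lower()
    return site_host == domain or site_host.endswith("." + domain)

def classify_cookie(site_host: str, set_by: str, header: str, now: datetime) -> CookieRecord:
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Without a Domain attribute the cookie is host-only for the responding host.
    domain = attrs.get("domain", set_by)
    party = "first" if _covers(site_host, domain) else "third"
    lifespan = None  # neither Max-Age nor Expires: the cookie dies with the session
    if "max-age" in attrs:
        lifespan = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        lifespan = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return CookieRecord(name, set_by, lifespan is not None, lifespan, party)

def audit(site_host: str, observed: List[Tuple[str, str]], now: datetime) -> List[CookieRecord]:
    return [classify_cookie(site_host, host, hdr, now) for host, hdr in observed]

# Constructed sample: (responding host, Set-Cookie header) pairs, as one would
# capture them from a browser's developer tools while browsing the fictional site.
AUDIT_TIME = datetime(2012, 6, 1, tzinfo=timezone.utc)
OBSERVED = [
    ("www.example.co.uk", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("www.example.co.uk", "remember_me=1; Max-Age=2592000; Domain=.example.co.uk; Path=/"),
    ("stats.tracker-example.net",
     "uid=xyz; Expires=Sun, 01 Jun 2014 00:00:00 GMT; Domain=.tracker-example.net"),
]

if __name__ == "__main__":
    for r in audit("www.example.co.uk", OBSERVED, AUDIT_TIME):
        life = f"{r.lifespan_days:.0f} days" if r.persistent else "session"
        print(f"{r.name:12} {r.party}-party  set by {r.set_by:26} lifespan: {life}  purpose: TODO")
```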

The fuss in recent days relates to the new position of the ICO that implied consent for cookies is a reasonable proposition in the context of the Data Protection Act 1998, in particular Principle 3: personal data must be adequate, relevant and not excessive. What it is not is a euphemism for doing nothing; in many cases you will still need to follow the ICO guidance to be able to rely upon it successfully. Whether the consent is implied, specific or prior, it must still be given by the user freely; therefore some action must be taken by the consenting individual from which their consent can be inferred.

The consenting individual must be informed that cookies are being set, or information accessed, on their device, and just visiting the website is insufficient, even when there is an explanation deep in the small online print of the policy or the terms and conditions statement. If a user is browsing from page to page on a website by clicking a button, the individual must have a reasonable understanding that by doing so they are agreeing to cookies being set. Many comments and commentators have said that implied consent puts the onus on the user; the ICO does not share this view and has made it clear that consent cannot be inferred where the understanding is all on the website operator's side and the user giving consent is unaware that their actions are being interpreted in this way. Where implied consent is being relied upon, the provider must ensure that clear and relevant information, explaining to users what is likely to happen while they are accessing the site, is made readily available to them. The ICO says that it does not feel it is its place to determine exactly how the provider does this.

So if you want to know more about how to steer a safe path through this complex issue, come and talk to us.


www.advent-im.co.uk
Independent Information and Physical Security Consultants

Head Office: 0121 559 6699
London Office: 0207 100 1124
Email: bestpractice@advent-im.co.uk

Advent IM is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security, and have a proven track record of successful certifications.
