There are 12 days to go until the grace period for the revision to the EU’s Privacy and Electronic Communication Directive expires. We will be releasing a series of blog posts over the next twelve days to help you get your company’s website up to the standard required before the grace period expires.
The changes dictate that “explicit consent” must be gathered from web users who are being tracked via “cookies” or an alternative method. This legislation is highly contentious; however, it is of the utmost importance that you show that you are taking the necessary steps to comply. Any company that has failed to take the steps necessary to comply could run the risk of enforcement action or potentially a fine.
What is the revised directive?
François wrote a blog post detailing the changes to the directive in March, but in brief:
“The aim of the changes is to protect privacy and, in particular, limit how much use could be made of behavioural advertising. This form of marketing involves people being tracked across websites, with their behaviours used to create a profile that dictates the type of adverts they see.”
Every visitor or user of a website must be made aware of how information is collected by websites and why the information is required, and must be offered the choice of whether or not they want such information to be collected.
What do you need to do to be totally compliant?
1. The user is supplied with clear and comprehensive information about why you are collecting information and how you store and access it.
2. The user gives you explicit consent to collect this data.
How do you make sure you’re up to the required standard in the next 12 days?
There are four things that you must do before the 26th May 2012:
1. A Cookie Audit:
You can do this in house or we can do it for you. We have a comprehensive blog post that gives you instructions on how to complete the audit. All you have to do is follow the instructions and we can offer you mentoring on it as required.
2. Determine the Invasiveness of the cookies and the action to be taken:
“Think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.”
Our next blog post in the series will provide you with the questions you need to ask to establish the invasiveness of the cookies and the options you have to ensure compliance.
3. Compliance Strategy
You need to decide on whether or not to use invasive cookies going forwards.
If you decide not to use them you will need to remove the cookies and the functionality that places them on the website. You will not need to take any further action at this stage.
If you decide to continue using some or all of the cookies you will need to proceed to step 4 and list all the invasive cookies in use.
4. Amend your legals (T&Cs and Privacy):
You will need to amend your legals on the website to reflect the cookie compliance and have a clear link to your cookies usage policy on the website.
Gaining Explicit Consent
Once you have completed these four tasks, if you use invasive cookies, the next decision to take is how to gain explicit consent. Please note that this does not have to be implemented by the 26th of May 2012. The ICO suggest the following techniques:
- pop-ups, splash pages and similar techniques
- new account sign-up terms and conditions that include tick-box consent options for cookies in use
- account changes to terms and conditions that include tick-box consent options for accepting changes to the cookies in use
- settings-led consent where implications of a change to the cookies used are clearly explained
- feature-led consent where implications of a change to the cookies used are clearly explained
We’ll be reviewing the best and the worst of these options over the coming weeks once we see websites fully implementing their strategy.
How can we help you?
To ensure that your website is in full compliance with the new directive, we are offering the following services:
- Cookie Audits:
- We will conduct your cookie audit for you and supply you with a full list of all the cookies (and alternatives) that are on your website and their purpose. Cookie Audits start from £150.00 (excluding VAT) depending on the size of your website.
- We can mentor you through the cookie audit. This will be priced on our standard hourly mentoring rate of £60.00 per hour.
- Determine the Invasiveness of the cookies and the action to be taken:
Following your audit, we will work with you to review and assess your cookies. This would be an hour-long consultation with you, and any others you wish, and then an hour for us to produce the documentation off the back of it. We are offering this service at a price of £120.00 (excluding VAT).
- Remove Cookies and Functionality:
Once the cookie audit and assessment of invasiveness is complete, we can supply you with a fixed price quote for the removal (or modification) of any functionality that places cookies on a user’s computer.
- Legals and T&C Templates:
You will need to amend your legals on the website to reflect the cookie compliance and have a clear link to your cookies usage policy on the website. We can do this for you: we will provide a template, update your copy and add a clear link to your cookies usage policy. We are offering this service for £175.00 (excluding VAT).
Please note that if we undertake this task we are not providing professional legal advice and are supplying templates.
To ensure that you are fully compliant with this legislation before the grace period expires on the 26th of May 2012, contact us on 0131 556 6818 to discuss your chosen strategy.