With less than 24 hours until the grace period ends for websites to comply with the EU Privacy and Electronic Communications regulations, the ICO held a press briefing to communicate updates to the guidance they provided in December 2011.
Companies across Britain are working hard to achieve compliance but even the Government admitted last week that the majority of their websites would not be compliant before the grace period ends.
Hence the ICO have decided to clarify a few points as to how they plan to enforce the regulations by releasing version 3 of their ‘Guidance on the rules on the use of cookies and similar technologies’ on their website and sharing this video of David Evans, the ICO’s strategic liaison group manager for business and industry, explaining the implications of the regulations and enforcement:
What are the key changes?
There are two key changes to the guidance to note:
- The ICO suggests that they will not immediately seek to penalise companies who do not comply with the new requirements for cookies and other similar technologies when the grace period expires on the 26th of May. The context of a website’s usage of cookies will also determine the ICO’s approach to when it will take enforcement action: the greater the risk to privacy, the more likely they are to give an enforcement notice. This means firms that have ‘at least’ begun a cookie audit will not immediately face an enforcement action. David Evans says himself:
“Where we have seen people with sensible timescales [for implementation of a solution to obtain consent] we are perfectly happy to work along with those.”
*Huge sigh of relief from the Government*
- The ICO explained how to avoid enforcement action when utilising cookies for Google Analytics and other data analytics cookies. As these cookies are technically seen as 1st-party cookies (see my previous post detailing types of cookie) that are used to help improve the user experience of the website, the ICO is unlikely to start enforcement procedures if the website clearly displays the related cookie information and where to find out more about Google’s privacy policy. For example:
So what do I need to do before tomorrow?
Well, there has been no real change as to the actions that companies need to take. So you will still need to take the following four steps:
- Complete a cookie audit
- Assess the invasiveness of your cookies
- Decide on your strategy for compliance
- Update your privacy policy
Don’t have time for a cookie audit?
We’re offering a range of services to help you ensure that your website complies with the new directive:
- Cookie Audits
- Audits start from £150.00 excluding VAT
- Mentoring for people conducting audits from £60.00 per hour excluding VAT
- Determine the Invasiveness of the cookies and the action to be taken:
You will receive a one-hour consultancy call during which we will review all of the cookies found on your website. Following this we will then produce the documentation required to show you are taking the steps required to comply with this legislation. We are offering this service at a price of £120.00 (excluding VAT).
- Remove Cookies and Functionality:
Once the cookie audit and assessment of invasiveness is complete we can supply you with a fixed price quote for the removal (or modification) of any functionality that places cookies on a user’s computer.
- Legals and T&C Templates:
We will provide a template for your legals and update your copy and add a clear link to your cookie usage policy. We are offering this service for £175.00 (excluding VAT).
Please note that if we undertake this task we are not providing professional legal advice and are supplying templates.
To ensure that you are compliant with this legislation contact us on 0131 556 6818 to discuss your chosen strategy.