With no obvious industry lead emerging, there is clearly a wide range of opinions on what businesses should do to achieve compliance with the revised Regulations. Much of the 12-month lead-in period has been given over to talking, rather than to any clear development of ways of complying which can be universally accepted. Those hoping that browser standards will have been implemented (the technological solution) will be disappointed, as these remain a default option for the majority of users, so no change there.
Merely waiting until the end of the lead-in period on 26 May is not going to be acceptable, and the Information Commissioner’s Office (“ICO”) has issued clear guidance during this year, in which it states that it expects website owners to have carried out that audit as a minimum. So what practical steps must organisations take in order to ensure compliance?
The ICO has provided suggested wording with various degrees of sophistication, which can be used by those organisations wishing to be fully compliant, but first, these are the minimum steps/checks to follow and implement as necessary:
- Any cookies which show creation of detailed profiles of an individual’s browsing activity should be clearly identified to users
- Determine what types of cookies are used on a website, on both an individual and anonymised level
- Analyse how those cookies are used and for what purpose
- Remove any outdated/unnecessary cookies
- Decide on the best solution to obtain consent
- Evaluate the likely business impact of users exercising their right to remove consent
- Ensure that the current privacy statement on the website is updated in line with the new regulation.
In spite of the new layer of complexity that the new regulations bring, cookies remain a valuable tool with a myriad of uses for thousands of businesses, and organisations should not be overly daunted. Consumers are increasingly savvy about their privacy rights and how their data is used, and are well aware of their rights to remove consent. Businesses that choose to flout the new regulations risk not only hefty financial penalties but also the ensuing negative perceptions of non-compliance.
On the other hand, those that are well prepared ahead of the deadline will benefit from the positive PR associated with best-practice cookie usage and transparency, and will have the opportunity to convey the benefits that cookies ultimately have on the user’s experience.