Posts Tagged ‘data protection’

The Information Commissioner’s Office (ICO) has repeated its guidance that electronic devices containing data that would cause damage or distress if lost or stolen must be encrypted. (TLT LLP)

November 4, 2011

Encrypt, encrypt, encrypt…

Updated November 2011

The Information Commissioner’s Office (ICO) has repeated its guidance that electronic devices containing data that would cause damage or distress if lost or stolen must be encrypted.

The ICO’s announcement follows breaches of the Data Protection Act by two organisations which failed to encrypt personal data on laptops that were then stolen. A laptop belonging to the Association of School and College Leaders (ASCL), stolen from a trade union employee’s house, contained unencrypted information, including data concerning the member’s mental and physical health. Although the device was equipped with the software to enable encryption, the decision on whether to encrypt was left to the employee.

In another incident, a London school breached the Data Protection Act following the theft of an unencrypted laptop from an unlocked office. The laptop contained information relating to pupils’ names, addresses, exam marks and limited information relating to their health. Following an investigation by the ICO, it became apparent that the school did not have a data protection policy in place at the time of the breach.

The ICO has taken the opportunity to reiterate its guidance on this point: “all personal information – the loss of which is liable to cause individuals damage or distress – must be encrypted”. Further, the ICO has described breaches of this type as “inexcusable” on the basis that encryption is one of the most basic security measures and is inexpensive to implement.

Both these episodes show the importance of monitoring data protection compliance relating to the electronic storage of personal data. The risk of breaches of this type can be reduced by ensuring that your business has appropriate data protection policies and training in place and ensuring compliance with those policies. Should your business require any assistance or advice in relation to the storage of electronic data or any other data protection matter, please contact Alison Deighton, head of TLT’s Data Protection and Privacy team.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership


News of the World – Lessons to be learned (TLT LLP)

August 2, 2011

News of the World – Lessons to be learned

Updated August 2011

The hacking scandal at the News of the World has dominated headlines in recent weeks. It is clear that there has been widespread disregard for privacy rights and data protection laws, with journalists and private investigators hacking into voicemail accounts, ‘blagging’ private information and paying for the unlawful disclosure of data by police and other trusted organisations.

These practices are, of course, shocking but what is perhaps even more surprising is that it has taken so long for these practices to be exposed and investigated. As long ago as 2006 Richard Thomas (then the Information Commissioner) published a report, ‘What Price Privacy?’ (see related links) which highlighted the unlawful trade in personal information (in particular by journalists and private investigators) and called for a custodial sentence for such activities.

Although the power to impose custodial sentences is now on the statute books, the implementing legislation to bring it into force has not yet been forthcoming. This is seemingly due to pressure put on government from the media who have expressed concerns about restrictions of freedom of expression. In the wake of the current scandal the Information Commissioner (Christopher Graham) is again calling for the custodial sentencing powers to be brought into force.

What is not yet clear in the News International context is how far up the organisation knowledge of illegal activities went. Rupert Murdoch, James Murdoch, Rebekah Brooks and Andy Coulson have all categorically denied any knowledge of illegal phone hacking activities. From a legal perspective, however, not having knowledge of privacy breaches is no defence for senior managers and directors who are responsible for ensuring that proper procedures and practices are in place.

Both the Data Protection Act 1998 (DPA) and the Regulation of Investigatory Powers Act 2000 (RIPA) (the latter being the Act under which illegal voicemail hacking activities are caught) contain express provisions which make it clear that senior managers remain on the hook if they ought to have known about and prevented illegal activities. Section 61 of the DPA provides as follows:

‘Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.’

There are similar provisions in RIPA. Denying all knowledge of illegal activities is not therefore a ‘get out of jail free’ card. Directors and senior managers are advised to take stock of their internal privacy compliance arrangements to ensure they are confident that they are sufficient to prevent significant data breaches so that if a breach does occur they will not be personally liable due to their ‘neglect’.

The News of the World revelations highlight the need for organisations to ensure that there is real accountability for privacy compliance at all levels. The underlying culture of an organisation is key. If the message from senior management is to ‘get the job done’ with no questions asked about the means of obtaining results, disregard for the law can very easily become the norm.

So, what lessons can be learned from the News of the World saga? Firstly, responsibility for privacy compliance needs to start at the top and drill down to all parts of an organisation. This requires a holistic approach to compliance, including:

Ensuring that policies are regularly reviewed and updated;
Ensuring that appropriate training is provided to all employees who handle personal data;
Carrying out regular internal compliance reviews;
Making breaches of privacy policies a disciplinary offence.

Perhaps most importantly, the method of implementing policies and training programmes needs to be tailored to the individual organisation so that key messages are communicated effectively. This will allow staff to understand both their personal obligations and the wider obligations of the organisation as a whole.

Finally, and on a slightly separate note, it appears to have been astonishingly easy for journalists and investigators to obtain personal details by simply telephoning organisations and ‘blagging’ (i.e. pretending to be the individual in question). This highlights a serious shortfall in security procedures to verify the identity of callers. All organisations who handle personal data should ensure that they have robust identification procedures in place before any personal details are disclosed in telephone calls.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

The information you access via the links on this update is subject to the terms and conditions of the website provider accessible via their home page and we recommend that you read such terms.

© TLT LLP 2011.

A summary of the latest news on data protection, intellectual property, e-commerce, technology and media litigation and communications. (TLT LLP)

July 30, 2011

TLT Enews – July 2011
A summary of the latest news on data protection, intellectual property, e-commerce, technology and media litigation and communications.
Data Protection, Privacy and Information
European data protection regulators say prior consent required for use of cookies (Article 29 Data Protection Working Party)
The Article 29 Working Party, which represents European national data protection bodies, has advised that a website user’s consent must be obtained before cookies are used. This statement contradicts the guidance published by the UK’s Information Commissioner.
FOI requests at unprecedented levels (Ministry of Justice)
Between January and March this year over 12,000 freedom of information (FOI) requests were submitted to public bodies. This represents the highest quarterly total since the Freedom of Information Act was introduced.
Intellectual Property
Court rules online marketplaces responsible if they promote infringing sales (BBC)
The European Court of Justice (ECJ) has said that online marketplaces such as eBay will be liable for sellers’ infringement of trade mark rights if they promote infringing sales or help such sellers with their sales pages. The ECJ clarified that marketplaces will not be responsible if they only allow third parties to display infringing goods on their websites.
Study shows £65bn invested in UK’s intellectual property rights (Intellectual Property Office)
A study published by the Intellectual Property Office (IPO) has stated that the total value of protected intellectual property rights up to 2008 was £65bn. This represents a doubling in the amount of investment in protected patent, trademark, design and copyright rights, the IPO said.
Ecommerce and Information Technology
OFT launches investigation of websites charging for free Government services (Office of Fair Trading)
The OFT has begun an investigation into whether companies are misleading customers by setting up websites designed to resemble official Government sites and asking for payment for services that would otherwise be free. The OFT is worried that sites like these may be in breach of the Consumer Protection from Unfair Trading Regulations.
PayPal will stop purchases from copyright-infringing sites (IFPI)
PayPal has amended its acceptable use policy to prevent its services being used to buy items that violate copyright or other intellectual property rights. This will particularly affect websites considered illegal by the International Federation of the Phonographic Industry (IFPI).
Technology and Media Litigation
Insurers run for the hills in the wake of the Playstation Network hack (BBC)
Zurich American Insurance has applied to the American Courts seeking a declaration that it does not have to help Sony with current or future legal action related to the data breach in April 2011. Sony is currently facing multiple claims and regulator investigations as a result of the breach.
Lucasfilm defeated in The Clone Wars, fought this time in the Supreme Court (BBC)
The original designer of the Stormtrooper helmet has successfully defended a copyright claim from Lucasfilm. Mr Ainsworth has been making a living creating replica helmets. He successfully argued in Court that the helmet was an industrial prop and not a work of sculpture, which limited Lucasfilm’s design rights.
Communications
News Corporation ends takeover bid for BSkyB (The Guardian)
Following allegations of phone hacking at the News of the World, News Corporation has decided that its proposed acquisition of BSkyB would be too difficult to progress in the current climate.
ASA calls TalkTalk advert misleading (Advertising Standards Authority)
The Advertising Standards Authority (ASA) has ruled that a TalkTalk TV advert was likely to deceive customers by leading them to think they would save over £140 by switching provider. The ASA considered the advert to be making exaggerated and unsubstantiated claims.

The perils of email – £120,000 fine imposed for sending emails to the wrong recipients (TLT LLP)

July 13, 2011

The perils of email – £120,000 fine imposed for sending emails to the wrong recipients

Updated July 2011

We are all aware of how easy it can be to send an email to the wrong recipient. Unfortunately for Surrey County Council, such a simple error resulted in a fine of £120,000 imposed by the Information Commissioner’s Office (ICO). The fine is the largest imposed on a single organisation since the ICO was granted its enhanced powers to issue fines in April 2010. The Council was fined for three serious breaches of the Data Protection Act over the last year.

What happened?

The first breach occurred on 17 May 2010 when a Council employee inadvertently emailed personal information relating to 241 adult social care service users to the incorrect group email address. An attempt was made to recall the email but the Council could not confirm that the recipients had destroyed the messages.

On a further two occasions, the Council sent sensitive personal data to the incorrect recipients.

The monetary penalty notice issued by the ICO stated that there had been a serious contravention of section 4(4) of the Data Protection Act. The Council had failed to take appropriate measures against unauthorised processing, such as providing employees with appropriate IT training and support, establishing naming conventions for group email distribution lists and ensuring the encryption of emails containing sensitive personal data.

The ICO also stated that the contravention was of a kind likely to cause substantial distress to individuals who would know that confidential sensitive personal data had been disclosed to a large number of people who had no right to know that information. The Information Commissioner further said that the fine took into account the serious nature of the initial breach and the occurrence of a further two similar breaches.

Comment

The facts of this case are similar to other cases where fines have been imposed by the ICO. Organisations who deal with sensitive data relating to vulnerable people need to take extra care to ensure that personal data is kept securely, that appropriate procedures are in place to protect data and that staff are properly trained in how to handle sensitive personal data – in particular when sending sensitive personal data to third parties (whether by email or other means). If breaches occur and sensitive personal data is disclosed to unauthorised recipients there is a high risk that the ICO will impose a fine.

We recommend that all organisations that handle sensitive personal data review their data handling procedures and staff training. You must ensure that appropriate technical measures have been taken to transmit sensitive personal data securely and that employees understand their duties in relation to data protection and the procedures to be followed when sending out sensitive information.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

© TLT LLP 2011. TLT LLP is a limited liability partnership registered in England and Wales number OC 308658.

Hackers say Acer breach leaked data for 40,000 users (The Register)

July 4, 2011

Hackers say Acer breach leaked data for 40,000 users

Welcome to the club, Acer

By Dan Goodin in San Francisco
Posted in ID, 3rd June 2011 18:17 GMT

Hackers say they breached the website security of computer-maker Acer and made off with data for 40,000 of its customers.

Screenshots posted on Friday on The Hacker News appeared to show the purchase histories, names, email addresses, and partial addresses and phone numbers for a limited number of customers stored on acer-euro.com. The site said members of the Pakistan Cyber Army were behind the attack and planned to release the data in the next 24 hours.

“We got mail from PCA that they successfully hacked the FTP of ACER and Stole around 40,000 Users Data, Various Source Codes stored on server,” The Hacker News said.

The report comes as dozens of companies and government agencies, including RSA, the Fox network, and the State of Massachusetts, have suffered security breaches that have leaked sensitive consumer information or proprietary company data. At the top of the list is Sony, which over the past six weeks has been the target of a series of devastating hacks that have exposed details for more than 100 million customers, including one that surfaced on Thursday.

In some of the cases, the breaches were the result of targeted phishing campaigns, while in others hackers gained entry by exploiting easy-to-spot vulnerabilities in the companies’ website applications.

A screenshot posted on The Hacker News showed an FTP application that appeared to have a valid username and password for ftp.acer-euro.com, but it wasn’t clear how the credentials had been obtained.

The report said the hackers also stole source code used on Acer’s website.

Acer representatives didn’t immediately respond to an email seeking comment for this post. ®

UK watchdog looking into Facebook face-tech row (The Register)

July 4, 2011

UK watchdog looking into Facebook face-tech row

Matter for national authorities, says Brussels

By Kelly Fiveash

Posted in Policing, 8th June 2011 15:47 GMT


Blighty’s data regulator the Information Commissioner’s Office is talking to Facebook about the “privacy implications” of its facial recognition technology, The Register has learned.

However, despite widespread reporting based on a Bloomberg story that suggests that European watchdogs are probing the company over this issue, no such investigation by the EU’s executive body is currently underway.

“It is misleading to say that the European Commission is investigating the issue,” a Brussels spokeswoman told El Reg.

“EU data protection rules establish criteria for processing personal details and transparency requirements about the use of such data. But it is for the national authorities in member states to monitor and enforce them.

“On the other hand, new technologies bring new challenges all the time and that is why the European Commission is currently reviewing the data protection rules.”

We asked the ICO if it was planning to investigate Facebook’s decision to quietly slot its facial recognition technology into its network without first informing its users.

“As with any new technology, we would expect Facebook to be upfront about how people’s personal information is being used,” said an ICO spokesman.

“The privacy issues that this new software might raise are obvious and users should be given as much information as possible to give them the opportunity to make an informed choice about whether they wish to use it.

“We are speaking to Facebook about the privacy implications of this technology.”

The watchdog has yet to declare an outright investigation, however, preferring instead to tell us that talks are taking place.

Facebook surprised many privacy advocates earlier this week when it quietly rolled out its facial recognition technology to countries outside of the US, by switching the feature on by default without telling its users first.

The tech, which is set as “opt out” rather than “opt in”, works by scanning newly uploaded pics and then identifying faces from previously tagged photos already stored in Mark Zuckerberg’s closed-off network.

Many reports pointed out what was essentially Facebook’s latest privacy gaffe, after Graham Cluley gave the world’s largest social networking site the red flag. The company openly admitted to The Reg and other organs that it “could have been more clear” about the rollout.

That’s an after-the-fact statement that may see Facebook marked with yet another privacy scar. ®

ICO given new powers to impose fines for marketing breaches (TLT LLP)

June 2, 2011

ICO given new powers to impose fines for marketing breaches

The Information Commissioner’s Office (ICO) has been granted new powers as a result of an amendment to the UK’s Privacy and Electronic Communications Regulations (PECR). The new powers, which came into effect on 25 May 2011, include:

Extended financial penalties: the ICO can impose a penalty of up to £500,000 for the most serious breaches of the PECR. This covers nuisance marketing emails, texts and phone calls.
Increased investigatory powers: the ICO can require telecoms companies and Internet Service Providers (ISPs) to provide information needed to investigate breaches of the PECR.
Compulsory notification when breaches occur: telecoms companies and ISPs must notify the ICO, and their customers, when a personal data breach occurs. A fixed penalty of £1,000 per offence will apply where personal data breaches are not notified.
Increased audit powers: the ICO can audit telecoms companies and ISPs for compliance with personal data breach notification requirements.
New rules for websites using cookies: the ICO will be responsible for ensuring compliance with new cookie consent requirements (see Related publications).

The ICO will be issuing guidance on their new enforcement powers but the date for release is yet to be confirmed.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

© TLT LLP 2011. TLT LLP is a limited liability partnership registered in England and Wales number OC 308658.

Changes to the rules on using cookies and similar technologies for storing information

June 1, 2011


Changes to the rules on using cookies and similar technologies for storing information

The law which applies to how you use cookies and similar technologies for storing information on a user’s equipment such as their computer or mobile device changed on 26 May 2011. This document sets out these changes and explains what steps you need to take to ensure you comply.
It is aimed at those organisations which are starting to think about how they will comply with the new rules. It is a starting point for getting compliant rather than a definitive guide.
These changes apply to the storage of, or gaining access to, information stored in the device of a subscriber or user. This means the use of cookies and similar technologies for storing information.
A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.
The Regulations also apply to similar technologies for storing information. This could include, for example, Locally Stored Objects (commonly referred to as “Flash Cookies”).
For more information see: http://www.allaboutcookies.org/
We will use the term cookies throughout this document to refer to cookies and similar technologies covered by the Regulations.
As explained below, you will need a user’s consent if you want to store a cookie on their device. The ICO recognises that cookies perform a number of legitimate functions. We also recognise that gaining consent will, in many cases, be a challenge. However, it is important to remember that these rules give you the opportunity to check how well you explain how your web pages work to the people who visit them. Complying with the new rules will allow you to be confident that your users have a better and clearer understanding of what you do and how you do it.
What is changing?

The previous rule on using cookies for storing information was that you had to:

tell people how you use cookies, and
tell them how they could ‘opt out’ if they objected.
Many websites did this by putting information about cookies in their privacy policies and giving people the possibility of ‘opting out’.
This rule was set out in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR):
6. (1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment –
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) is given the opportunity to refuse the storage of or access to that information.
What do the new rules say?
The new requirement is essentially that cookies can only be placed on machines where the user or subscriber has given their consent.
6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment–
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information–
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Why is this rule changing?
The European Directive on which the Regulations are based has been revised. UK law has to change to implement that changed Directive.
Does this consent rule apply to every type of cookie?
The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.
This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.
When are the rules changing?

The new legislation comes into force on 26 May 2011.
You need to take steps now to prepare and ensure you are ready to comply.
What will happen to me if I don’t do anything?
The government’s view is that there should be a phased approach to the implementation of these changes. In light of this if the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice. The key point is that you cannot ignore these rules.
The ICO will be issuing separate guidance on how we intend to enforce these Regulations.
So what do I need to do now?
We advise you to now take the following steps:
1. Check what type of cookies and similar technologies you use and how you use them.
2. Assess how intrusive your use of cookies is.
3. Decide what solution to obtain consent will be best in your circumstances.
1. Check what type of cookies you use and how you use them
This might have to be a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why.
You should analyse which cookies are strictly necessary and might not need consent. You might also use this as an opportunity to ‘clean up’ your webpages and stop using any cookies that are unnecessary or which have been superseded as your site has evolved.
2. Assess how intrusive your use of these cookies is
The new rule is intended to add to the level of protection afforded to the privacy of internet users. It follows therefore that the more intrusive your use of cookies is, the more priority you will need to give to considering changing how you use it.
Some of the things you do will have no privacy impact at all and may even help users keep their information safe. Other technologies will simply allow you to improve your website based on information such as which links are used most frequently or which pages get fewest unique views. However, some uses of cookies can involve creating detailed profiles of an individual’s browsing activity.
If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent.
It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately, providing more information and offering more detailed choices at the intrusive end of the scale.
3. Decide what solution to obtain consent will be best in your circumstances
Once you know what you do, how you do it and for what purpose, you need to think about the best method for gaining consent. The more privacy intrusive your activity, the more you will need to do to get meaningful consent.
I have heard that browser settings can be used to indicate consent – can I rely on that?
One of the suggestions in the new Directive is that the user’s browser settings are one possible means to get user consent. In other words, if the user visits your website, you can identify that their browser is set up to allow cookies of types A, B and C but not of type D and as a result you can be confident that in setting A, B and C you have his consent to do so. You would not set cookie D.
At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.

If I can’t rely on browser settings what other options are there?
In future many websites may well be able to rely on the user’s browser settings to demonstrate that they had the user’s agreement to set all sorts of cookies. We are aware that the government is working with the major browser manufacturers to establish which browser level solutions will be available and when. For now, though, you will need to consider other methods of getting user consent. What is appropriate for you will depend on what you are doing. You should also consider the fact that not all of your website visitors will have the most up-to-date browser with these enhanced privacy settings. You would still need to gain consent for those users.
You need to provide information about cookies and obtain consent before a cookie is set for the first time. Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future.

Pop ups and similar techniques
Some have suggested using pop-ups to ask for consent. This might initially seem an easy option to achieve compliance – you are asking someone directly if they agree to you putting something on their computer and if they click yes, you have their consent – but it’s also one which might well spoil the experience of using a website if you use several cookies.
However, you might still consider gaining consent in this way if you think it will make the position absolutely clear for you and your users. Many websites routinely and regularly use pop ups or ‘splash pages’ to make users aware of changes to the site or to ask for user feedback. Similar techniques could, if designed well enough, be a useful way of informing users of the techniques you use and the choices they have. It is important to remember though that gaining consent in this potentially frustrating way is not the only option.

Terms and conditions
There are already lots of examples of gaining consent online using the terms of use or terms and conditions to which the user agrees when they first register or sign up. Where users open an online account or sign in to use the services you offer, they will be giving their consent to allow you to operate the account and offer the service, and there is no reason why consent for the purposes of complying with the new rules on cookies cannot be gained in the same way.
However, it is important to note that changing the terms of use alone to include consent for cookies would not be good enough even if the user had previously consented to the overarching terms. To satisfy the new rules on cookies, you have to make users aware of the changes and specifically that the changes refer to your use of cookies. You then need to gain a positive indication that users understand and agree to the changes. This is most commonly obtained by asking the user to tick a box to indicate that they consent to the new terms.
The key point is that you should be upfront with your users about how your website operates. You must gain consent by giving the user specific information about what they are agreeing to and providing them with a way to show their acceptance. Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.

Settings-led consent
Some cookies are deployed when a user makes a choice about how the site works for them. In these cases, consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work.
For example, some websites ‘remember’ which version a user wants to access, such as the version of a site in a particular language. If this feature is enabled by the storage of a cookie, then you could explain this to the user, and explain that it means you won’t ask them every time they visit the site. You can tell them that by allowing you to remember their choice they are giving you consent to set the cookie.
This would apply to any feature where you tell the user that you can remember certain settings they have chosen. It might be the size of the text they want to have displayed, the colour scheme they like or even the ‘personalised greeting’ they see each time they visit the site.

Feature-led consent

Some objects are stored when a user chooses to use a particular feature of the site, such as watching a video clip, or when the site remembers what they have done on previous visits in order to personalise the content the user is served. In these cases, presuming that the user is taking some action to tell the webpage what they want to happen – either opening a link, clicking a button or agreeing to the functionality being ‘switched on’ – then you can ask for their consent to set a cookie at this point. Provided you make it clear to the user that by choosing to take a particular action certain things will happen, you may interpret this as their consent. The more complex or intrusive the activity, the more information you will have to provide.
Where the feature is provided by a third party you may need to make users aware of this and point them to information on how the third party might use cookies and similar technologies so that the user is able to make an informed choice.

Functional uses
You will often collect information about how people access and use your site and this work is often done ‘in the background’ and not at the request of the user. An analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent. You should consider how you currently explain your policies to users and make that information more prominent, particularly in the period immediately following implementation of the new Regulations. You must also think about giving people more details about what you do – perhaps a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.
One possible solution might be to place some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user’s device. This could prompt the user to read further information (perhaps served via the privacy pages of the site) and make any appropriate choices that are available to them.
If the information collected about website use is passed to a third party you should make this absolutely clear to the user. You should review what this third party does with the information about your website visitors. You may be able to alter the settings of your account to limit the sharing of your visitor information. Similarly, any options the user has should be prominently displayed and not hidden away.
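As an added illustration (not ICO guidance and not code from this document), the JavaScript below models the settings-led, feature-led and background analytics cases described above as a consent-gated cookie setter: a cookie is only written once the user has been told what it does and has made a choice, and the recorded consent is itself kept in a cookie so that the same person is not asked again on later visits. The names (`CookieJar`, `recordConsent`, `setCookie`, the category labels) are assumptions for the example; the in-memory jar stands in for `document.cookie` so that the code runs offline.

```javascript
// Added example, not ICO code: consent-gated cookie setting.
// CookieJar is an in-memory stand-in for document.cookie (assumption for
// offline use); in a browser, write()/read() would map onto document.cookie.

// Assumed category labels, ordered roughly from least to most intrusive.
const CATEGORIES = Object.freeze({
  NECESSARY: 'necessary',     // the consent record itself, session handling
  PREFERENCE: 'preference',   // settings-led: language, text size, colour scheme
  FEATURE: 'feature',         // feature-led: video player state, personalisation
  ANALYTICS: 'analytics',     // functional uses: which pages are viewed
  THIRD_PARTY: 'third_party', // content or adverts served by another party
});

const CONSENT_COOKIE = 'cookie_consent'; // assumed name of the consent record

class CookieJar {
  constructor() { this.store = new Map(); }
  write(name, value) { this.store.set(name, value); }
  read(name) { return this.store.get(name); }
  has(name) { return this.store.has(name); }
}

// Return the set of categories the user has agreed to. The consent record
// is treated as strictly necessary, so NECESSARY is always present.
function loadConsent(jar) {
  const raw = jar.read(CONSENT_COOKIE);
  const consented = new Set([CATEGORIES.NECESSARY]);
  if (raw) raw.split(',').filter(Boolean).forEach((c) => consented.add(c));
  return consented;
}

// Record consent for one category at the point where the user makes a
// choice. The description is the text shown to the user; refusing to record
// consent without it models the "informed" requirement.
function recordConsent(jar, category, choiceDescription) {
  if (!choiceDescription) {
    throw new Error('consent must be informed: describe what the cookie does');
  }
  const consented = loadConsent(jar);
  consented.add(category);
  const persisted = [...consented].filter((c) => c !== CATEGORIES.NECESSARY);
  jar.write(CONSENT_COOKIE, persisted.join(','));
  return consented;
}

// The only path by which a cookie is written: refuse unless the category
// has been consented to.
function setCookie(jar, name, value, category) {
  const consented = loadConsent(jar);
  if (!consented.has(category)) {
    return { set: false, reason: `no consent for category '${category}'` };
  }
  jar.write(name, value);
  return { set: true };
}

// Settings-led: the user picks a language and is told that remembering it
// uses a cookie, so the choice itself is the consent.
function chooseLanguage(jar, lang) {
  recordConsent(jar, CATEGORIES.PREFERENCE,
    'Remember my language so you do not ask again; this stores a cookie.');
  return setCookie(jar, 'lang', lang, CATEGORIES.PREFERENCE);
}

// Feature-led: the user clicks play on a video and is told the player
// stores where they left off.
function playVideo(jar, videoId) {
  recordConsent(jar, CATEGORIES.FEATURE,
    'Playing this video stores a cookie to remember your position.');
  return setCookie(jar, `video_${videoId}`, 'position=0', CATEGORIES.FEATURE);
}

// Background analytics: nothing is written until the user has opted in,
// because there is no user action here to interpret as consent.
function trackPageView(jar, page) {
  return setCookie(jar, 'analytics_last_page', page, CATEGORIES.ANALYTICS);
}
```

The point of routing every write through `setCookie` is that the consent check cannot be bypassed by a feature that forgets to ask; the analytics call simply returns `set: false` until consent for that category has been recorded, while the preference and feature paths obtain consent at the moment of the user's choice.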

Third party cookies
Some websites allow third parties to set cookies on a user’s device. If your website displays content from a third party (e.g. from an advertising network or a streaming video service), this third party may read and write their own cookies or similar technologies on “your” users’ devices. Obviously, the process of getting consent for these cookies is more complex, and our view is that everyone has a part to play in making sure that the user is aware of what is being collected and by whom. There are a number of initiatives that seek to ensure that users are given more and better information about how their information might be used. These will no doubt adapt to achieve compliance with the new rule, but we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.
This may be the most challenging area in which to achieve compliance with the new rules and we are working with industry and other European data protection authorities to assist in addressing complexities and finding the right answers.
Will the ICO be producing more specific guidance on what I need to do in future?
We will be keeping the situation under review and will consider issuing more detailed advice if appropriate in future. In particular, we may supplement this advice with further examples of how to gain consent for particular types of cookies.
However, we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do. What is clear is that the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent.
We are keen to ensure any future guidance we produce in this area reflects real world practice and that it can continue to be used as technologies develop.