Burning Your Cookies? Don't Panic!

The law regarding the use of cookies and user tracking tech has recently changed. This comes at a time when the use of analytics in games and online services is now commonplace and as a result of the change and the uncertainty that it has brought, it is inevitable that many web site and games operators may unwittingly find them self on the wrong side of the law.

The good news is that, in the UK at least, the Information Commissioner's Office (ICO), who police the law in the UK, has said that they aren't going to go all militant on those who may not be fully compliant - so long as they are taking steps towards doing so.

"At the time of writing, it would appear that the European Commission still isn't complying with its own directive"

The further bad news, however is that there is a great deal of uncertainty, as to what that means and what operators actually need to do to comply. Indeed that uncertainty exists, even among the experts and those policing the new law. For example, at the time of writing, it would appear that the European Commission still isn't complying with its own directive.

So its not surprising that a lot of games companies are wondering what they should do. To help you, we've set out what the changes should mean to you and have given you some suggestions on how you can deal with them.

Introduction

Under the old law if you used cookies (and similar tracking devices) in your games or website you had a legal obligation to provide information on them and allow users of your site to refuse to accept them if they wish. Previously therefore, games operators could deal with this by simply telling users that they used cookies and that if the user didn't like it they just needed to change their browser settings.

However the new law means that, from now on, consent to cookies is only valid if it is 'freely given, specific and informed' - and here is where the difficulties begin.

For one thing there is uncertainty as to what 'freely given, specific and informed' actually means and the ICO has not provided a definitive approach on the point but, instead, has stated that each website operator must determine for itself how to go about obtaining valid consent.

In determining this, the guidance has focussed on asking operators to have in mind the type of cookies they are using. If the cookies being used are especially intrusive, operators will need to do more to obtain valid consent - which will mean making the request for consent more obvious. If the cookies being dropped are not intrusive, games operators may consider taking a more relaxed approach and may be able to rely more on implied consents.

Cookie Audit

As a first step therefore, operators should conduct an audit of all the cookies they are using or plan to use. The cookie audit should show: which cookies are used; the purpose of each cookie; what information the cookie collects or links to (e.g. usernames); how long the cookie will persist; and, if the cookie is a third party cookie, the identity of that third party.

Operators may find that some of the cookies are no longer necessary, so this also presents a good opportunity to streamline.

"Consent to cookies is only valid if it is 'freely given, specific and informed' - and here is where the difficulties begin"

In addition and in particular, operators should pay special attention to consider which cookies may be "strictly necessary" for a service requested by the user to operate. This is because "strictly necessary" cookies do not require any consent and so, for example, cookies that remember the contents of a website shopping basket do not require consent. Analytics cookies are however, not considered to be strictly necessary.

Consent

Once the cookie audit has been completed, the next step is to work out what consent is needed for each of them. So let's go back to what the consent must be - namely 'freely given, specific and informed'.

In order for consent to be 'specific and informed', operators will need to give sufficient detail as to what the cookie will do and what it (and the information collected) will be used for. In particular they should update their privacy policies to ensure cookies are referred to in sufficient detail and to make sure that all information regarding cookies is provided in straightforward language.

One of the easiest ways to do this would simply be to present the results of the cookie audit to users in an easy to understand format, such as part of the privacy policy or in a separate page that is linked to the privacy policy.

In order for consent to be 'freely given', a user must take some positive action in order to give his or her consent. This is where the biggest decision that operators have must be made, namely what will be sufficient to fulfil this obligation. Already we are seeing many different approaches and also some conflicting advice.

Certainly, consent given in the form of a tick box, where the user explicitly gives consent, will be sufficient. However this can also have a significant impact on the user experience and, unless the cookies being dropped are especially intrusive, it may not be necessary. For example, consent can be implied in certain circumstances, such as where users are informed that cookies are being used and why, and by continuing to use the website, they are giving their consent to that use.

The circumstances will therefore dictate what is compliant or not and that explains why the ICO haven't been able to give the definitive guidance many operators want.

"At present the best advice is to be proactive to a point and then be prepared to react quickly if and when the ICO's position changes"

However there are some simple steps that can be taken in any case, such as building consents to cookies into those terms and conditions that website users are already required to accept in order to use a site and making sure that the attention of users is properly drawn to an appropriate privacy policy - which itself could be called a "privacy and cookies policy". Additionally, a banner or pop up may be used to draw users to the privacy and cookie policy and where the cookies are intrusive or the operator has additional concerns the banner may also contain a tick box for obtaining explicit consent.

Third Party Cookies

If a website is dropping cookies for a third party, both the website operator and the third party are responsible for obtaining consent. In almost all cases, it will be easier for the website operator to obtain consent. Third parties should therefore consider amending any agreements they may have with operators to place a contractual obligation on the operators to obtain suitable consent.

Comment

As may now be apparent it is not possible to give an actual answer on how to comply with the new laws regarding cookies. Each website will have different considerations which will inform which practical solution is most appropriate.

At present the best advice - taking into account the realities of doing business in a very competitive environment and the embryonic state of the law - is to be proactive to a point and then be prepared to react quickly if and when the ICO's position changes.

To be proactive the key is to understand the type of cookies being used, the extent to which those cookies intrude on an individual's privacy and the demographic of the website's users. Based on that you should be able to determine what your users can reasonably be expected to do in order to be deemed to have provided 'freely given, specific and informed' consent (whether expressed or implied) to their use and work from there.

As mentioned at the outset, the ICO has said that, in respect of operators that are not compliant, it will not immediately seek to impose fines or take action. Rather, the ICO will give operators feedback and an opportunity to become compliant. The ICO does, however, expect all operators to have attempted to comply with the regulations (even if these attempts have not been successful).

As a result, it is important to take steps now but also to be prepared to react to future guidance. It is fair to say that, over time, operators may be able to take a less intrusive approach to compliance with the regulations. On the other hand, operators may feel it is appropriate to take additional steps to ensure compliance.

Ultimately the long and short of it is this:

• 1. Check what cookies / tracking tech you use
• 2. Tell your users what they are and what they do
• 3. Do something that could be deemed to mean that users are happy with your use of cookies

Alex Chapman is a partner and head of interactive media at Sheridans, one of Europe's leading law firms specialising in the business and law of the games and interactive entertainment sectors.