Published Autumn 2011
Will your cookies crumble under changes to the Privacy and Electronic Communications Regulations 2003 (“the Regulations”)?
As a result of European law, the Regulations came into force in the UK on 26 May 2011. They alter how cookies can be used within websites. Previously, website owners/operators simply had to tell website users how they used cookies and how users could “opt out” from having cookies installed on their computers. However, Regulation 6 now prevents a person from storing or gaining access to information stored in terminal equipment of a subscriber or user unless the the subscriber or user:
- is provided with clear and comprehensive information about the purpose of the storage of or access to that information; and
- has given his or her consent.
- is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- where such storage or access is strictly necessary for the provision of an information service requested by the subscriber or user.
The Information Commissioner’s Office (the “ICO”) has been tasked with implementing and enforcing the new rules. It has the power to fine any person found in breach of the Regulations up to £500,000 (depending upon the nature of the breach). Therefore it is imperative that all website owners/operators undertake a review of their website for compliance with the Regulations.
How can you obtain informed consent?
The most problematic area for website owners/operators is how and when to obtain informed consent. The EU Working Party is of the view that consent must be given before a cookie is installed or information stored. However the Department for Culture, Media and Sport (the “DCMS”) is of the view that such prior consent is not required and in some circumstances it may be impracticable to do so. The ICO has not helped with this uncertainty as it is silent on when consent should be obtained. Therefore it’s likely to be best practice for the time being for website operators/owners to obtain prior consent in all circumstances.
The ICO states that “the fact that an individual must “signify” their agreement means that there must be some form of active communication between the parties”. A further problem in obtaining consent is that different ways of obtaining consent to cookies may be required by a website if it uses multiple cookies for different purposes. Therefore the ICO suggests that a website audit should be undertaken to:
- check what type of cookies and similar technologies are used;
- decide what solution(s) are best to obtain consent.
New Regulation 6 (3A) states that: “For the purposes of paragraph (6(2)), consent may be signified by a subscriber who amends or sets controls on their internet browser which the subscriber uses or by using another application or programme to signify consent”.
Although it is hoped that browser settings will provide a solution to obtaining consent, the Government and ICO agree that current browser settings are not sophisticated enough to deal with this and the Working Party is currently working with browser developers to see if consent can be given effectively by this method. However, a viable solution along these lines may be some time off and, in the interim, alternative forms of consent will need to be considered and implemented.
The ICO has suggested the following as alternatives to browser led consent:
- Pop ups & similar techniques – express consent provisions displayed in pop up tick boxes or similar techniques.
- Terms & conditions – consent provisions in website terms and conditions that must be accepted when users sign up to or register with a website for the first time. However this does not mean that website owners/operator can simply amend their current website terms and conditions without taking any further action as positive steps will need to be taken to ensure users have agreed with and accept the amended terms and conditions.
- Settings led consent – this would involve obtaining consent each time or at the point the user makes a choice about how they wish the website to operate for them (where such choices would involve cookies being installed). A common example of this is where the website has the option for the user’s information/login details or passwords to be remembered.
- Feature led consent – this would involve obtaining consent at the time a user wishes to use a particular feature on the website that requires cookies.
- Functional uses – the ICO notes that although analytical cookies may not be as intrusive as other cookies, they still require consent and that prominent information about the use of such cookies should be displayed on websites. The ICO have suggested (and indeed adopted this approach on their website) displaying text in headers or footers on webpages which in turn opens up full text on how cookies are used, lists what cookies are used on the website and allows the users to consent to the various cookies.
- Third party cookies – although the ICO acknowledges that this area may cause website owners/operators the greatest difficulty, its advice is that when using third party cookies on your website, users must be made aware of what information is being collected and how such information will be used by the third party.
Although the ICO’s guidance goes some way in providing practical steps that website owners/operators should take, it falls short of providing an in-depth list of workable solutions for compliance. In fact the ICO confirms that it does not intend to provide prescriptive lists on how to comply. Many website owners/operators may find themselves in an impossible situation of not being 100% certain that the methods they have deployed will be sufficient to meet the consent requirements under the new Regulations. There is some comfort in that the ICO is allowing a period of 12 months to get things in order and if the ICO receives a complaint about a particular website before May 2012, it will provide advice to the owner/operator on how they can comply. A word of warning however: the ICO may issue warnings in the interim if it is of the view that adequate preparations for compliance are not being taken and should a complaint be received after May 2012, warnings will be taken into account by the ICO for the purposes of determining whether to issue an enforcement notice. The underlying tone of the ICO’s guidance notes is that inaction is not an option. It is expecting businesses to show they have considered the new requirements and are taking positive steps to comply.
If you would like assistance when amending your website to ensure compliance with the Regulations, please contact a member of our IT team.
For more information on the ICO’s approach and guidance notes visit http://www.ico.gov.uk/.