The e-privacy directive is being implemented in England and Wales from 26 May 2011 by the amendment of the Privacy and Electronic Communications Regulations 2003. This law, amongst other things, makes changes to the law regarding cookies.
What is a cookie?
The Information Commissioner’s Office (ICO) guidance states that:
“A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.”
What are the changes?
The main change is that website operators will now need the user’s permission before a cookie can be used. In practice this could mean that every time a user visits a website they will have to give their consent for use of the cookie.
Consent is not required if the cookie is necessary to provide the service requested by the user. However, the ICO has indicated that this exception should be interpreted narrowly.
ICO Guidance and Enforcement
The ICO has been told by the government not to enforce the changes in relation to cookies now. However, the ICO has stated that, if it were to receive a complaint about a website, it would expect an organisation to show how it had considered the change in law and how it will go about achieving compliance. The ICO’s guidance states that, despite its approach to enforcement, operators cannot ignore the change in the rules.
What should you do?
The ICO’s guidance suggests that organisations should:
1. Check what type of cookies and similar technologies you use and how you use them. You should try to identify which cookies are not strictly necessary, so that you know which cookies will require consent.
3. Decide what solution to obtain consent will be best in your circumstances. The ICO guidance states that the more intrusive the cookie, the more “meaningful consent” you need to obtain.
Options for obtaining consent
In the future it is hoped that organisations will be able to rely on browser settings to determine whether a user has consented. However, as indicated above, this work is ongoing. Below are some of the consent options discussed in the ICO guidance.
This is a useful method although, as highlighted by the ICO guidance, this could have a negative impact on the user’s experience.
Terms and conditions
If your website is password protected it could be possible to obtain consent as part of your terms and conditions. However, you should note that it is not sufficient to simply change your terms and conditions. To satisfy the new rules you will need to ask the user to confirm that they understand and accept the new terms and conditions.
Consent can be gained when a user makes a decision about how the website works for them. This is only appropriate where a cookie is only used at the point the user makes the choice.
Third Party cookies
As highlighted by the ICO, the most challenging part of compliance with the new law will be dealing with a website’s use of third party cookies, as the user will need to consent to their use. It is hoped that this will, in part, eventually be dealt with by the government’s work regarding browser settings. However, in the meantime, the ICO’s guidance simply suggests that as much information as possible is provided to users so that they can make an “informed choice about what is stored on their device”.
Other examples of the types of consent can be found in the ICO’s guidance.
Selman Ansari (Of Counsel) and Philippa Hart
Bates Wells & Braithwaite London LLP
2-6 Cannon Street
London EC4M 5YH
For further information about the new EC Directive and other data protection issues please contact any of the BWB Information Law Team (Selman Ansari, Lawrie Simanowitz, Melanie Carter, Mairead O’Reilly or Lisa Marie Roca) at Bates Wells & Braithwaite or any other lawyer with whom you normally deal at BWB. This article is for information only and does not constitute legal advice.