The e-privacy directive is being implemented in England and Wales from 26 May 2011 by the amendment of the Privacy and Electronic Communications Regulations 2003. This law, amongst other things, makes changes to the law regarding cookies.
What is a cookie?
The Information Commissioner’s Office (ICO) guidance states that:
“A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.”
What are the changes?
Previously the law relating to the use of cookies for storing information only required the website provider to tell people how it was using cookies and how the user could ‘opt out’ if they objected. This has traditionally been included in the website’s privacy policy or terms and conditions.
The main change is that website operators will now need the user’s permission before a cookie can be used. In practice this could mean that every time a user visits a website they will have to give their consent for use of the cookie.
Consent is not required if the cookie is necessary to provide the service requested by the user. However, the ICO has indicated that this exception should be interpreted narrowly.
ICO Guidance and Enforcement
The Government is trying to work out a system whereby an individual can opt in to cookies via their browser settings rather than opting in on every website. This could potentially mean that organisations which have a website do not need to make any change to how their website uses cookies. However, in a press release on 15 April 2011 Ed Vaizey (Communications Minister) was quoted as saying,
“We recognise that work on the technical solutions for cookie use will not be complete by the implementation deadline. It will take time for meaningful solutions to be developed, evaluated and rolled out. Therefore we do not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.”
The ICO has been told by the government not to enforce the changes in relation to cookies now. However, the ICO has stated that, if it were to receive a complaint about a website, it would expect an organisation to show how it had considered the change in law and how it will go about achieving compliance. The ICO’s guidance states that, despite its approach to enforcement, operators cannot ignore the change in the rules.
What should you do?
The ICO’s guidance suggests that organisations should:
1. Check what type of cookies and similar technologies you use and how you use them. You should try and identify which cookies are not strictly necessary so you can identify which cookies will require consent.
2. Assess how intrusive your use of cookies is. The guidance indicates that if your use of cookies involves detailed profiles of a user’s browsing activities you will need to give greater priority to obtaining a user’s consent.
3. Decide what solution to obtain consent will be best in your circumstances. The ICO guidance states that the more intrusive the cookie the more “meaningful consent” you need to obtain.
Options for obtaining consent
In the future it is hoped that organisations will be able to rely on browser settings to determine whether a user has consented. However, as indicated above, this work is ongoing. Below are some of the consent options discussed in the ICO guidance.
Pop-Ups
This is a useful method although as highlighted by the ICO guidance this could have a negative impact on the user’s experience.
Terms and conditions
If your website is password protected it could be possible to obtain consent as part of your terms and conditions. However, you should note that it is not sufficient to simply change your terms and conditions. To satisfy the new rules you will need to ask the user to confirm that they understand and accept the new terms and conditions.
Settings-led consent
Consent can be gained when a user makes a decision about how the website works for them. This is only appropriate where a cookie is only used at the point the user makes the choice.
Third Party cookies
As highlighted by the ICO, the most challenging part of compliance with the new law will be dealing with a website’s use of third party cookies as the user will need to consent to their use. It is hoped in part this will eventually be dealt with by the government’s work regarding browser settings. However, in the meantime, the ICO’s guidance simply suggests that as much information as possible is provided to users so that they can make an “informed choice about what is stored on their device”.
Other examples of the types of consent can be found in the ICO’s guidance.
Conclusion
If your organisation has a website, you need to take steps to show how you will comply with the new rules. You should conduct an audit of your current use of cookies and assess how intrusive the cookies are. Consideration should be given to whether consent is required by website users and, if so, what type of consent will be required (which will be dependent on the type of cookie being used). However, the risk of action being taken against you for not actually implementing the consent provisions is currently relatively low (although the government and ICO may change their stance in the near future).
Selman Ansari (Of Counsel) and Philippa Hart
Bates Wells & Braithwaite London LLP
2-6 Cannon Street
London EC4M 5YH
For further information about the new EC Directive and other data protection issues please contact any of the BWB Information Law Team (Selman Ansari, Lawrie Simanowitz, Melanie Carter, Mairead O’Reilly or Lisa Marie Roca) at Bates Wells & Braithwaite or any other lawyer with whom you normally deal at BWB. This article is for information only and does not constitute legal advice.