Quentin Archer in the Hogan Lovells London office prepared this entry.
Few topics in the world of EU data protection have generated so much debate, and so little understanding, as the change to the law on cookies. On 9 May the UK Information Commissioner issued some guidance on the new law, but anyone expecting clear instructions on how to achieve compliance will be very disappointed.
In essence, the change in the law is simple. The Privacy and Electronic Communications Directive of 2002 provided that users should be given clear information about cookies as well as an opportunity to opt out of them. Under the 2009 amendment to the Directive, which Member States are to implement by 26 May, users must give their consent to the storage of the cookie on their terminal equipment. Cookies employed for the sole purpose of carrying out the transmission of a communication over an electronic network, or which are strictly necessary for the provision of a service requested by a user, are exempt.
But how can consent be given? The Directive suggests in a recital that browser settings may be used, but does not mandate this, and largely leaves the question of the method of obtaining consent up to Member States. In recent months there has appeared to be a degree of brinkmanship amongst EU regulators, with everyone wanting to see how others would achieve implementation in practice. The UK regulations published last week (snappily titled the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) state that consent may be signified by browser settings, but the problem is that at present most browser settings are not sophisticated enough to allow a website owner to ensure that consent has been given.
In his guidance the Information Commissioner says that it is the responsibility of the website owner to determine how consent will be achieved. He expects owners to review cookie use. Some cookies may be “strictly necessary” for the receipt of a service being provided by means of a website, so will not require specific consent. Some will not intrude on the user’s privacy, so while they may fall under the terms of the new law they may not deserve priority attention. Potentially intrusive cookies should be examined to determine whether they are really necessary for the business of the website owner and, if they are, plans should be drawn up for obtaining the necessary consent from each user.
If browser settings cannot be used, then the website might be modified so that a pop-up window with a tick-box appears the first time a cookie is used, although the Commissioner recognises that this could be irritating. As an alternative, terms and conditions could be changed, allowing a whole set of cookies to be accepted at the same time, but there would need to be clear information provided to the user as well as a clear mode of giving consent – previous consent to future changes (e.g. the ubiquitous provisions allowing website owners to make changes to their terms from time to time) would not be enough. Other times for obtaining consent are where the user is setting up preferences for use of a site, or selecting features that he or she wishes to enjoy.
Nothing more specific than this is likely to emerge in the short term. The Commissioner says that he will be keeping the situation under review and will consider issuing more detailed advice, if appropriate, in the future. His message to website owners is that “we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do. What is clear is that the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent.”
The Commissioner has not yet published his guidance on enforcement of the new law, but his current policy is clear. If an organisation has considered the new law and has drawn up a realistic plan to achieve compliance then it will be treated with much more leniency in the event of a complaint than an organisation which (for whatever reason) has done nothing.
There are other changes coming on 26 May in the UK, some of which are caused by amendments to existing EU Directives. The Commissioner’s powers to serve monetary penalties of up to £500,000 are extended to cover direct marketing activities. The Commissioner will be able to require telecommunications companies and ISPs to provide him with information that he needs to investigate breaches of the Privacy and Electronic Commerce Regulations. The same bodies will also be required to notify the Commissioner and their customers in certain circumstances when a data breach occurs (the first time such laws have become compulsory in the UK). But it’s cookies which continue to grab the headlines.