On December 13, 2011, the UK data protection authority (the “ICO”) issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) implemented as part of the review of the EU e-Privacy Directive. The guidance is intended to help website operators and those using cookies understand how the rules apply. As we reported earlier, when the rules were first introduced in May 2011, the ICO made it clear that it would be unlikely to take formal action against those who are taking steps to comply with the rules during a 12 month lead-in period. When this transition period ends in May 2012, the regulator will expect companies that have not yet achieved full compliance to be able to provide a clear timescale for when compliance will be achieved and demonstrate that steps are being taken to make that happen. Highlighted below are some of the more notable aspects of the guidance.
Scope. The guidance confirms that the rules will apply to websites using cookies and other similar technologies for sharing information, such as Local Shared Objects (so-called “flash cookies”), web beacons, bugs, and so forth. The requirements apply equally to cookies set on computers, mobile devices, and other terminal equipment, such as enabled televisions and games consoles.
New obligations. The ICO has made it clear that under the new rules, organizations deploying cookies (and similar technologies) must:
- inform subscribers and users that the cookies are there;
- explain what the cookies are doing; and
- obtain subscriber or user consent to store a cookie on a device.
The ICO makes it clear that providing information about cookies by means of company privacy policies or website terms and conditions will no longer be sufficient to achieve compliance. Organizations will need to be more pro-active in providing information to subscribers and users.
Exceptions. Under UK law, some exceptions will apply to the notice and consent rules, notably where the use of the cookie is:
- for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- where such storage or access is strictly necessary (i.e., essential, rather than reasonably necessary or important) for the provision of an information society service requested by the subscriber (i.e., the person who pays for Internet connection) or the user (i.e., the person using a computer or a mobile phone to browse the Internet).
An “information society service” is defined in Article 2(1), Electronic Commerce (EC Directive) Regulations 2002 as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data, and at the individual request of a recipient of a service”. These exemptions are the same that appear in the EU-level directive, the e-Privacy Directive 2002/58.
Obtaining consent in practice. The ICO paper highlights a number of consent mechanisms that companies may rely on to achieve compliance, such as pop ups or “splash pages”; message and header/footer bars (particularly in the case of occasional website visitors); information on cookies in terms and conditions presented when a user signs up to a service; settings-led consent (e.g., “remember me?” prompts); and feature-led consent. The ICO discourages the use of browser settings as a means to obtain valid consent on the basis that today’s browsers are not sophisticated enough to adequately reveal a subscriber or user’s informed consent.
Notice. Under the guidance, there is no prescribed format for furnishing adequate notice, but text must be sufficiently full and intelligible for subscribers and users to understand the potential consequences of accepting cookies. When a website allows third parties to set cookies on a subscriber or user’s device, it must provide clear and comprehensive information to the individuals and allow them to make an informed choice.
Responsibility for compliance. As a general rule, the organization setting the cookie is responsible for compliance with the UK rules. However, where third-party cookies are set through a website, both parties are jointly responsible for compliance, but either party may obtain consent.