On December 13, 2011, the UK data protection authority (the “ICO”) issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) implemented as part of the review of the EU e-Privacy Directive.  The guidance is intended to help website operators and those using cookies understand how the rules apply.  As we reported earlier, when the rules were first introduced in May 2011, the ICO made it clear that it would be unlikely to take formal action against those who are taking steps to comply with the rules during a 12-month lead-in period.  When this transition period ends in May 2012, the regulator will expect companies that have not yet achieved full compliance to be able to provide a clear timescale for when compliance will be achieved and to demonstrate that steps are being taken to make that happen.  Highlighted below are some of the more notable aspects of the guidance.

Scope.  The guidance confirms that the rules will apply to websites using cookies and other similar technologies for sharing information, such as Local Shared Objects (so-called “flash cookies”), web beacons, bugs, and so forth.  The requirements apply equally to cookies set on computers, mobile devices, and other terminal equipment, such as enabled televisions and games consoles.

New obligations.  The ICO has made it clear that under the new rules, organizations deploying cookies (and similar technologies) must:

  • inform subscribers and users that the cookies are there;
  • explain what the cookies are doing; and
  • obtain subscriber or user consent to store a cookie on a device.

The ICO makes it clear that providing information about cookies by means of company privacy policies or website terms and conditions will no longer be sufficient to achieve compliance.  Organizations will need to be more pro-active in providing information to subscribers and users.

Exceptions.  Under UK law, some exceptions will apply to the notice and consent rules, notably where the use of the cookie is:

  • for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • where such storage or access is strictly necessary (i.e., essential, rather than reasonably necessary or important) for the provision of an information society service requested by the subscriber (i.e., the person who pays for Internet connection) or the user (i.e., the person using a computer or a mobile phone to browse the Internet).

An “information society service” is defined in Article 2(1), Electronic Commerce (EC Directive) Regulations 2002 as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data, and at the individual request of a recipient of a service”.  These exemptions are the same that appear in the EU-level directive, the e-Privacy Directive 2002/58.

Consent.  Absent an applicable exception, the cookie rules require that a subscriber or a user consents to the deployment of a cookie on their device.  Prior consent is not expressly required (and may not be technically feasible in some cases), but website operators must be able to demonstrate that they have expended effort to reduce the amount of time before a subscriber or user receives information about cookies and is provided with clear options.  At present, the ICO discourages websites from relying on implied consent due to the relatively low user awareness of the functions and use of cookies.  However, as consent mechanisms evolve and user awareness improves, there is a suggestion that the position may change.

Obtaining consent in practice.  The ICO paper highlights a number of consent mechanisms that companies may rely on to achieve compliance, such as pop-ups or “splash pages”; message and header/footer bars (particularly in the case of occasional website visitors); information on cookies in terms and conditions presented when a user signs up to a service; settings-led consent (e.g., “remember me?” prompts); and feature-led consent.  The ICO discourages the use of browser settings as a means to obtain valid consent on the basis that today’s browsers are not sophisticated enough to adequately reflect a subscriber’s or user’s informed consent.

Notice.  Under the guidance, there is no prescribed format for furnishing adequate notice, but text must be sufficiently full and intelligible for subscribers and users to understand the potential consequences of accepting cookies.  When a website allows third parties to set cookies on a subscriber or user’s device, it must provide clear and comprehensive information to the individuals and allow them to make an informed choice.

Analytical cookies.  Setting analytical cookies on a user’s device will also require consent, as they do not fall within the “strictly necessary” exception criteria.  Where websites do not have a relationship with users (e.g., users simply visit the site to browse), they must ensure information about cookies is highlighted in a prominent place (not just made available via a general privacy policy link).  Where the information collected from a subscriber or user is shared with third parties, this should be made absolutely clear.

Responsibility for compliance.  As a general rule, the organization setting the cookie is responsible for compliance with the UK rules.  However, where third-party cookies are set through a website, both parties are jointly responsible for compliance, but either party may obtain consent.


Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.