Changes to the rules on using cookies may be jarring

By Martin Varley, Partner in Corporate & Commercial

From 26 May 2011 the law which governs the use of cookies for storing information on computers and mobile devices changes. A cookie is a small file of letters and numbers downloaded onto a device when certain websites are accessed, allowing the website to recognise the user's device on later visits. The Information Commissioner's Office (ICO) recently published guidelines on the changes.

What is changing?

Currently, users must be told how website operators intend to use cookies, and must be given information on how they can 'opt out' if they object. The change in the law moves the regime from 'opt-out' to 'opt-in': the user's consent to the placing of cookies on their device, and to the use of the information those cookies hold, will be required.

What do the new rules say?

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 implement the changes made in 2009 to the e-Privacy Directive and amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the 2003 Regulations).

The new requirements, specifically Regulation 6 of the amended 2003 Regulations, provide that cookies can only be placed on computers or mobile devices where the user or subscriber has given consent.

What type of cookie does the rule apply to?

The new rules will apply to every type of cookie. The only exception is where the use of the cookie is 'strictly necessary' for a service requested by the user. The ICO gives as an example a user of a website who has chosen goods they wish to buy and clicks the 'add to basket' or 'proceed to checkout' button, with the site 'remembering' what they chose on a previous page. Here the cookie falls within the exemption, because the purchase process the user has asked for cannot work without it.

What do website operators need to do now?

1. Prepare a cookie inventory

The ICO has suggested that the starting point for website operators is a comprehensive audit of their website, to establish which cookies are strictly necessary (and so exempt) and which will need consent.

2. Understand your cookies

The new rule is intended to give a higher level of privacy protection to internet users. The question to ask of each cookie is: how intrusive is it? Consent is needed for every cookie that is not strictly necessary, and the more intrusive the cookie (for example, one that tracks behaviour across sites or builds a profile of the user), the more prominent the information and the consent mechanism will need to be.

3. Formulate a consent mechanism for intrusive cookies

The amended 2003 Regulations provide that browser settings may act as a means of signifying consent. The ICO has cautioned, however, that most current browser settings are not sophisticated enough for an operator to rely on them alone. Other possible consent mechanisms include pop-ups, terms and conditions, website settings and website features that ask for consent at the point the cookie is needed.

Irrespective of the mechanism used to obtain consent, website operators must tell users what cookies are used and what information they collect.
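The three steps above (inventory, classify, gate behind consent) can be scripted so that the audit is repeatable and the server only issues non-essential cookies once consent has been recorded. The following is an added example and is not code from the original article or from the ICO. It assumes a hypothetical first-party host (shop.example), a constructed list of Set-Cookie headers standing in for the output of crawling the site's responses, and a purpose register (PURPOSE_REGISTER) that the operator would fill in during the audit; all three are invented for illustration.

```python
"""Cookie inventory and consent gating, added illustration (not the article's own code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical first-party host and purpose register, both constructed for this example.
FIRST_PARTY_HOST = "shop.example"
PURPOSE_REGISTER: Dict[str, str] = {
    "sessionid": "strictly-necessary",   # login / session state
    "basket": "strictly-necessary",      # the ICO's 'add to basket' case
    "site_prefs": "preferences",
    "_analytics": "analytics",
    "ad_id": "advertising",
}

# Constructed Set-Cookie headers (response host, header value) standing in for a crawl.
SAMPLE_SET_COOKIE_HEADERS: List[Tuple[str, str]] = [
    ("shop.example", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example", "basket=item42; Path=/checkout; Secure; HttpOnly"),
    ("shop.example", "site_prefs=lang%3Den; Max-Age=31536000; Path=/"),
    ("shop.example", "_analytics=GA1.2.9; Expires=Tue, 19 Jan 2038 03:14:07 GMT; "
                     "Path=/; Domain=.shop.example"),
    ("ads.tracker.example", "ad_id=xyz; Max-Age=63072000; Path=/; Secure"),
    ("shop.example", "old_promo=; Max-Age=0; Path=/"),  # a deletion, not a live cookie
]


@dataclass
class CookieRecord:
    name: str
    domain: str
    third_party: bool   # set for a domain other than the first-party host
    persistent: bool    # survives closing the browser
    secure: bool
    http_only: bool
    purpose: str        # from the audit register; "unclassified" if not yet reviewed

    def needs_consent(self) -> bool:
        # Anything not strictly necessary, including cookies nobody has classified yet,
        # is treated as needing consent. That is the conservative reading of the rule.
        return self.purpose != "strictly-necessary"


def parse_set_cookie(header: str, response_host: str) -> Optional[CookieRecord]:
    """Turn one Set-Cookie header into an inventory record.

    Returns None when the header deletes a cookie (Max-Age <= 0), since nothing is
    stored. A past Expires date also deletes a cookie; this example does not parse
    dates and treats any Expires as persistent, which a real audit should verify.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    domain = response_host.lower()
    persistent = secure = http_only = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "domain":
            domain = value.lstrip(".").lower()
        elif key == "max-age":
            if int(value) <= 0:
                return None
            persistent = True
        elif key == "expires":
            persistent = True
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    third_party = not (domain == FIRST_PARTY_HOST or domain.endswith("." + FIRST_PARTY_HOST))
    purpose = PURPOSE_REGISTER.get(name, "unclassified")
    return CookieRecord(name, domain, third_party, persistent, secure, http_only, purpose)


def build_inventory(headers: Iterable[Tuple[str, str]]) -> List[CookieRecord]:
    """Step 1: the cookie inventory, one record per live cookie the site sets."""
    records = []
    for host, header in headers:
        rec = parse_set_cookie(header, host)
        if rec is not None:
            records.append(rec)
    return records


def cookies_to_issue(inventory: List[CookieRecord],
                     consented_purposes: Set[str]) -> Tuple[List[str], List[str]]:
    """Step 3: split the inventory into cookies that may be set now and those held back.

    For a third-party cookie, 'holding back' means not embedding the resource that
    sets it; the first-party server cannot suppress another host's Set-Cookie header.
    """
    allowed, held = [], []
    for c in inventory:
        if not c.needs_consent() or c.purpose in consented_purposes:
            allowed.append(c.name)
        else:
            held.append(c.name)
    return allowed, held


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_SET_COOKIE_HEADERS)
    for c in inventory:
        print(f"{c.name:12} {c.domain:20} third_party={c.third_party!s:5} "
              f"persistent={c.persistent!s:5} purpose={c.purpose} consent={c.needs_consent()}")
    print(cookies_to_issue(inventory, consented_purposes=set()))
```

With no consent recorded, only sessionid and basket are issued; the preferences, analytics and advertising cookies are held until the user opts in to those purposes. Run against real crawl output, the inventory also surfaces cookies nobody has classified, which is exactly the list the audit in step 1 exists to produce.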

What are the implications of doing nothing?

There will be a staged approach to enforcement. As a minimum, where a complaint about a website is received, the ICO would expect the operator to respond, explaining the steps it has taken and is taking to comply and demonstrating how and when it will achieve compliance. The ICO says it will be issuing separate guidance on enforcement of the new Regulations.

Development of the rules

It is evident that these new rules are intended to protect website users as use of the internet becomes integral to everyday life. The ICO has suggested that the rules are "open to suggestions from the industry as to how they may be put into practice and continue as technologies develop".

Action

In light of these impending changes, we strongly recommend that action is taken to comply with the new law. We await further guidance on the consequences of failure to follow the 'opt-in' regime. In the meantime, you need to act, and to be able to demonstrate, that you are planning to comply with the new Regulations. Repeated failure to comply may in due course have significant consequences, irrespective of the guidance still being awaited.