ANALYSIS: The United Kingdom’s New Cookies Regime: Changes And Challenges
By Vinod Bange and Alexia Zuber, of Speechly Bircham LLP, London.
[Editor's Note: The UK Information Commissioner announced May 25, 2011, that website operators that target UK consumers will have up to one year to comply with the new cookies regime; see related report in this issue.]
The UK Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 will finally come into force on May 26, 2011, modifying the legal landscape surrounding cookies.
The changes introduced by the revised Privacy and Electronic Communications Regulations offer reinforced protection against the use of third-party cookies stored on a user’s computer or other device. They will have important repercussions on website-driven businesses, whose entire “cookies” practices will need to be revisited.
Background to the Changes
By way of background, the amended Privacy and Electronic Communications Regulations incorporate the changes dictated by the revised e-Privacy Directive (Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector), under which users should be provided with better information and easier ways to control whether they want cookies stored in their terminal equipment.
Realising how delicate the task of implementing the revised Directive was, the UK Department for Culture, Media and Sport (DCMS) suggested copying the wording of revised Article 5(3) of the e-Privacy Directive into the Privacy and Electronic Communications Regulations.
The changes introduced by the revised e-Privacy Directive have generated a lot of concern in relation to cookies. The amendments were initially put forward in an attempt to protect individuals’ privacy and, more particularly, to limit the use of behavioural advertising in relation to the internet browsing of individuals. Behavioural advertising consists in tracking people’s behaviour online in order to offer them targeted advertising based on the profiles created by following them across websites. The revised Directive aims for users to be fully informed with regard to the information being stored on their machines, making them aware of the reason why they see certain advertisements.
The Revised Wording of the E-Privacy Directive
Article 5(3) of the e-Privacy Directive regulates the use of third-party tracking cookies, and the main debate revolves around the consent of individuals to these cookies being stored on their computers or other devices.
The changes in the text of the e-Privacy Directive with regard to cookies are set out in the following paragraphs with track changes, the additions corresponding to the italicised text:
“Member States shall ensure that the use of electronic communications networks to storing of information, or to gain or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been is provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.”
“This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of to provide an information society service explicitly requested by the subscriber or user to provide the service.”
Practical Implications of the Revision — A Quiet Revolution
The implications may be revolutionary, because they are challenging the way consent is viewed. It must now be given a much more central and crucial role.
In the past, it was sufficient for website operators to offer users the right to refuse the installation of cookies on their terminal equipment, also known as an “opt-out” right, and therefore to imply the consent of individuals who did not exercise it. Traditionally, businesses made sure to inform users through their privacy policies, which explained how cookies may be rejected by altering the browser settings.
That approach most likely will not work anymore.
From now on, how will businesses be able to prove that they have indeed obtained individuals’ consent before being allowed to install a cookie on their equipment?
The UK ICO’s Attempt to Provide Reassurance
The UK Information Commissioner’s Office (ICO) attempted to address this thorny question by issuing its much awaited guidelines (the Guidelines) on May 9, 2011, regarding the “Changes to the rules on using cookies and similar technologies for storing information”. This guidance reiterates the need for individuals’ consent in order for a business to be able to store cookies on their device. It also acknowledges the difficult task of obtaining this consent.
The only exception to the rule of consent is if the cookie is “strictly necessary” for a service “requested” by the user. The ICO’s Guidelines give the example of a cookie used to ensure that the goods or services chosen by a user during an online purchase are added to the basket, and that, during checkout, the website remembers (via the cookie) which goods or services were chosen on the previous page. The use of the cookie must be related to the service requested by the user in order to be regarded as strictly necessary, which makes this what appears to be a narrow exception to the consent rule.
The Guidelines are not prescriptive and do not offer the solution businesses were hoping to see. On the contrary, the ICO has adopted a pragmatic approach, unable to provide much clarity on this very tricky and technical issue.
The ICO advocates self-regulation, allowing industries to come up with practical solutions instead of imposing a “one-size-fits-all” approach. This practical approach encourages businesses to acknowledge the changes and address the challenges raised by the new legislation by devising innovative and applicable solutions in order to ensure that a user is sufficiently informed, obtaining his/her consent while ensuring he/she is not confused…