Privacy & Information Security Law Blog

From May 26, 2011, UK law regulating the use of cookies on websites will change from an opt-out regime, to one requiring prior opt-in consent.  This change poses significant practical challenges for website operators.  In guidance on the new regulations, the UK Information Commissioner has acknowledged the challenge but warned that website operators must take steps now to ensure that they are ready to comply.

The new UK law is the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the “Regulations”) which implement changes made in 2009 to the e-Privacy Directive (EC 2002/58).  Although the UK approach is to transpose the language of the amended e-Privacy Directive as it relates to cookies without “gold plating” its provisions, even this strategy is fraught with practical challenges.  Organizations are puzzling over how best to comply with the new requirements.  Based on the Information Commissioner’s guidance, we suggest the following approach.

1.   Prepare a cookie inventory
The starting point for all organizations will be to determine what cookies they use on their website, and what they use those cookies for.  Many organizations have no real idea of what cookies they use.  Preparing an inventory is a crucial first step.

2.  Understand your cookies - how privacy intrusive are they?
Determine which of the cookies are privacy intrusive.  These are the cookies for which consent will be essential.  Particular care should be taken with analytic cookies that may not be obviously intrusive, and third party cookies.

3.  Formulate a consent mechanism for privacy intrusive cookies
Regulation 6 (3A) contemplates the use of browser settings to signify consent.  The difficulty with this, as the Information Commissioner notes, is that most browsers settings are not sophisticated enough to be used as a means of obtaining consent. In many cases, a user will not actually use a browser.  Other possible consent mechanisms include the use of pop-ups, terms and conditions, website settings and website features.  Irrespective of the mechanism used, the key focus for website operators is to tell users what cookies are used and for what purposes, and to obtain their consent.

There is the possibility, in limited cases, of relying on an exemption where the storage of or access to information is “strictly necessary” to the service requested by the user.  The Information Commissioner has emphasized the narrow focus of this exemption, noting that it would not be available “just because you have decided that your website is more attractive if you remember users' preferences.”

The Information Commissioner has made it clear that his guidance is not the final word on cookies and that he is open to suggestions from industry as to how the Regulations might be made to work in a more practical way.

The Information Commissioner also intends to issue guidance on enforcement.  The Minister for Culture, Communications and Creative Industries, Ed Vaizey, has suggested that the Information Commissioner will not take immediate enforcement action where organizations are taking steps to address how they use cookies.  Where there is a complaint about cookies, the Information Commissioner has signaled that he will deal very differently with an organization that has created a plan to achieve compliance, even if that plan has not been implemented fully.  The Information Commissioner is very clear that organizations cannot simply ignore the new Regulations.