21-05-12

New Restrictive Law on "Cookies" to be Enforced from 26 May 2012
The moratorium on enforcement of last year’s “Cookie Law” will be lifted on 26 May 2012, when the UK’s “Privacy and Electronic Communications Regulations” will come into full force.
 
The EU has long had a legal Data Protection regime far stricter than that of most non-European countries. At its most basic, EU Data Protection Law applies the “seven principles” (Notice, Purpose, Consent, Security, Disclosure, Access and Accountability) to the collection and use of “Personal Data” (i.e. data which can identify an individual). Until 2011, the requirements for an online service collecting Personal Data were fundamentally just to collect and use Personal Data under a legally-compliant Privacy Policy and, in relation to the placement of electronic data “cookies”, to notify users about their placement and remind them that they can stop cookies being placed by changing their browser settings.
 
The UK implemented a new European e-Privacy Directive last year to require that (most) cookies can be placed only after the user has been provided with “clear and comprehensive information” and has given “consent” – for which an “opt-out” capability is apparently not enough.
 
When these cookie-related amendments were first announced in early 2011, a level of media panic ensued. Websites complained that it would be practically impossible to get consent from every user before each cookie was placed. The Information Commissioner’s Office took notice of these concerns and granted a 12-month “moratorium” on enforcement of these cookie-related amendments. The moratorium expires on 26 May and, whilst the ICO has discretion and will take a “practical and proportionate” approach, the ICO does have the right to enforce by way of fines of up to £500,000.
 
By most accounts, few websites are confident about how to comply with the new rules – which (it is feared) may have a “speed bump” effect on ecommerce and internet use generally. Whilst some websites will take substantial steps to try to comply, it is likely that many sites will carry on as before (possibly for reasons of misunderstanding or lack of information).
 
The ICO has provided “guidance” on compliance which recommends every website should conduct a “cookie audit” to determine which of its cookies might escape the new law (by being “strictly necessary”) and suggests that consent for all other cookies might be obtained through the use of “pop ups”, “message bars” or other prominent notification methods.
 
This is a difficult and uncertain issue that all sites operating in the EU will face from later this month. It is likely that there will be detailed discussion within the ecommerce industry and further guidance from the ICO (which is also in discussions with browser manufacturers regarding a possible new “settings level”, though any resulting solution would not arrive immediately). The ICO has stated that it will focus on “those that do not comply nor attempt to comply”, so most sites should address the issue sooner rather than later – though, for this new “cookies” law, it may take some time for online Europe to settle on “best practice” solutions.
 
The full text of the Regulations may be accessed via:
http://www.legislation.gov.uk/uksi/2011/1208/contents/made

Article by Tom Frederikse