The way the cookie crumbled - New UK law says browser settings to signify a user's consent, but not yet declares ICO | Fieldfisher

09/05/2011
Despite the loud furore that has accompanied discussions on the proposed amendments to the cookies law since November 2009, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 quietly made it onto our statute books on 5th May 2011, whilst the country and commentators were focused on predicting the outcome of the referendum on AV.  So what do the new rules say?

The rules are unambiguous in the requirement that the user must have given his or her consent to the storage of or gaining access to information stored in the user's terminal equipment.  However, as previously promised by DCMS, (see post here: http://privacylawblog.ffw.com/?p=92) the government has thrown website operators a lifeline by stating that "consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent."

Before website operators start declaring that it is business as usual, they would be advised to consider the ICO guidance on the new law, published today and available here.  The ICO has made it clear that they expect organisations to consider the new law and devise a "realistic plan to achieve compliance... [The ICO] would handle this sort of  [organisation] very differently... from an organisation which decides to avoid making any changes to current practice.  The key point is that you cannot ignore these rules."  Furthermore, the ICO has confirmed the view of DCMS and the European Commission in declaring that current browser settings are not sophisticated enough to signify a user's consent and advises organisations to use another mechanism to gain consent.  Helpfully the guidance does give some suggestions as to what these other mechanisms may look like and acknowledges that website operators may need to deploy a range of solutions depending on the nature of cookies used on their sites.

In discussing such other possible mechanisms the ICO has stressed the importance of being transparent as to how your website uses cookies and providing the means by which a user can indicate their consent, for example through pop-up boxes or tick boxes confirming agreement of new or amended terms and conditions.  Interestingly the ICO has not precluded website operators from relying on users' implied consent in some circumstances, for example where they have requested a particular service or selected various options on the site (such as language or location-based services), provided that the user is fully informed of the consequences of taking such actions.  One thing that is clear from the guidance is that the more intrusive the use of cookies is (for example if they are used to profile users based on browsing history) the greater the obligation on the organisation to provide clear information and increased choice.

One area where the guidance is silent as to the means of complying with the new law is in relation to third party cookies, for example cookies used to serve targeted advertising; the ICO concedes that this will be the area that poses the greatest challenge whilst deferring to industry and other European data protection authorities.  The advice offered is that "anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device". Unfortunately this provides little assistance to those operators currently grappling with this issue; however, it is yet another indication that initiatives such as the IAB self-regulatory framework (see post here: http://privacylawblog.ffw.com/?p=86) will be the preferred route to compliance.

Both the regulator and industry are in uncharted waters; it will be a journey of discovery for all parties.  Although the ICO has previously indicated that there will be a sunrise period in which it will not take enforcement action for breaches of the new law, the guidance is clear that despite the uncertainty and lack of a clear solution, inaction will not be tolerated.
