The Information Commissioner’s Office has published guidance on the changes to the rules on using cookies following the publication of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208), which come into force on 25 May 2011.
Speedread
The Information Commissioner’s Office (ICO) has published a guidance note on the changes to the rules on using cookies, from a system of “informed opt-out” to “prior, informed opt-in”. This follows the publication of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208), which implement amendments to the E-Privacy Directive (2002/58/EC) and come into force on 25 May 2011. The ICO has drawn up the guidance note to help organisations start to think about the practical steps they will need to take to remain compliant with the new regulations. The note is designed to help them consider: what type of cookies or similar technology their website uses and for what purpose; how intrusive their use is; and which solution for obtaining users’ consent would best suit them. However, website owners will be unimpressed by the fact that both the Regulations and the ICO’s guidance were published a mere three weeks before the deadline of 25 May. This now leaves many businesses with the prospect of having to carry out a complex technical and organisational audit at very short notice. While website owners will welcome the ICO’s assurance that – initially – it will only require them to show that they are considering the steps to take to achieve compliance, it is as yet unclear when this transitional period will end. To this end, it would have been useful if the additional guidance on enforcement, to which the current advice refers, had been published at the same time.
Background
In November 2009, a new legislative framework for electronic communications was adopted consisting of a Regulation and two Directives, which are due to be implemented by member states by 25 May 2011 (see Legal update, Telecoms reform package published in the Official Journal (www.practicallaw.com/0-501-0697)). One of the two directives, the Citizens’ Rights Directive (2009/136/EC), amends the E-Privacy Directive (2002/58/EC) including Article 5(3) which covers the use of cookies; it effectively changes the requirements for storing information on a user’s equipment from “informed opt-out” to “prior, informed opt-in”.
The UK government consulted on the implementation of the new framework and published its response in April 2011 (see Legal update, Government publishes implementation plans for new EU electronic communications framework (e-privacy aspects)). Consistent with its general approach to implementation, the government proposed in the consultation document to copy the provisions contained in Article 5(3) of the amended E-Privacy Directive, leaving the Information Commissioner’s Office (ICO) the flexibility to adjust to changes in usage and technology. In its response document, the government confirmed that it would be going ahead with this proposal and also made some general comments about the practical aspects of implementation and enforcement.
Regulation 6 of the Privacy and Electronic Communications Regulations (SI 2426/2003) (2003 Regulations) implements Article 5(3) of the E-Privacy Directive. It provides that:
(2) The requirements are that the subscriber or user of that terminal equipment –
(b) is given the opportunity to refuse the storage of or access to that information.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information-
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Regulation 6(2)(b) now states:
“(b) has given his or her consent.”
A new paragraph has been inserted which provides:
“(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”
Facts
The ICO has published a guidance note on the changes to the rules on using cookies, following the publication of the 2011 Regulations.
The ICO explains that it has drawn up the advice to help organisations start to think about the practical steps they will need to take to remain compliant with the new regulations. It emphasises that it is a starting point for achieving compliance, rather than a definitive or prescriptive guide. The ICO plans to supplement the guidance note with additional content as innovative ways to acquire users’ consent are developed.
The following is a summary of the key aspects of the ICO’s guidance note.
Explanation of the change to the rules
The ICO sets out the changes to the law on the use of cookies and similar technologies as set out in the amendments to regulation 6 of the 2003 Regulations (see above).
It explains to organisations that they will now need a user’s consent if they want to store a cookie on their device. It provides some reassurance to organisations by stating that it recognises that cookies perform a number of legitimate functions and that gaining consent will, in many cases, be a challenge.
Exception to consent rule
Regulation 6(4)(b) provides that consent is not required when a cookie is strictly necessary to deliver a service which has been explicitly requested by the user. The ICO considers that this is a narrow exception which applies to a small range of activities, such as the use of cookies in online shopping baskets, which was the view of the government in its response document.
The ICO states that the exception would not apply to an organisation which decided that its website was more attractive if it remembered users’ preferences or if it used a cookie to collect statistical information about the use of its website.
Steps an organisation should take
The ICO advises organisations to take the following steps:
- To check what type of cookies and similar technologies it is using and how it uses them.
- To assess how intrusive its use of cookies is.
- To decide on the best solution for it to obtain consent.
The ICO explains that this might amount to a comprehensive audit of an organisation’s website, or it could be as simple as checking what data files are placed on user terminals and why.
An organisation should analyse which cookies are “strictly necessary” and might not need consent. This could be a good opportunity for organisations to “clean up” their webpages and stop using any cookies that are unnecessary, or which have been superseded as their websites have evolved.
Step 2: Assessment
The ICO explains that the new rule is intended to add to the level of protection afforded to the privacy of internet users. Consequently, organisations need to give greater priority to obtaining meaningful consent for their more intrusive uses of cookies, such as those that involve creating detailed profiles of an individual’s browsing activity.
Step 3: Potential solutions
The ICO’s advice in relation to the use of browser settings as a means of indicating consent follows that of the government in its response document, namely that most browser settings are not currently sophisticated enough. It also points out that not everyone who visits a website will do so using a browser; for example, they may have used an application on their mobile device. Consequently, the ICO’s current advice is that organisations which use cookies or other means of storing information on a user’s equipment must gain consent some other way.
It notes that in the future many websites may well be able to rely on the user’s browser settings to demonstrate that they had the user’s agreement to set all sorts of cookies. As the government mentioned in its response document, it is working on this with major browser manufacturers.
In line with regulation 6(3), the ICO explains that an organisation needs to provide information about cookies and obtain consent before a cookie is set for the first time; it does not need to do so again for the same person each time it uses the same cookie (for the same purpose).
In the guidance document, the ICO then looks at various options for an organisation to obtain a user’s consent, including:
Pop-ups and similar techniques. The ICO comments that this seems a relatively easy option to achieve compliance, but may spoil a user’s experience of using a website if several cookies are used.
Terms and conditions. If users have already consented to the terms of use when they first registered online, the organisation must make them aware of the changes to its terms in relation to the use of cookies. The ICO recommends that it obtains a positive indication that users understand and agree to the changes, which can be done by asking them to tick a box.
Settings-led consent. Some cookies are deployed when a user makes a choice about how the website works for them (such as their “personalised greeting”). The ICO suggests that consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work.
Functional uses. The ICO explains that an analytic cookie, which collects information about how people access and use a website, might not appear to be as intrusive as others, but still needs consent. It recommends that organisations make information about the use of cookies more prominent, perhaps with a list of them and description of how they work. Text could be placed in the footer or header of the web page, which is highlighted when an organisation wants to set a cookie on the user’s device, prompting the user to read further information (perhaps served via the privacy pages of the website) and make any appropriate choices.
Third-party cookies. Some websites allow third parties to set cookies on a user’s device, and the process of getting consent for these cookies is more complex. The ICO advises that anyone using third-party cookies ensures that the user is aware of what is being collected and by whom, and allows them to make informed choices about what is stored on their device. It acknowledges that this may be the most challenging area in which to achieve compliance with the new rules and states that it is working with industry and other European data protection authorities to find solutions.
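The rules summarised above (regulation 6(3): inform and obtain consent before a cookie is first set, not again for the same cookie and purpose; regulation 6(4)(b): no consent needed for strictly necessary cookies) can be modelled in code. The following is an added example, not code from the ICO or the guidance note: a consent gate in which the site operator’s own audit inventory classifies each cookie by purpose, and the consent record is itself kept in a strictly necessary cookie so the user is not re-prompted. The cookie names, purposes and the in-memory jar standing in for the browser’s cookie store are assumptions made here.

```javascript
// Assumed inventory from a Step 1 audit of the site's own cookies (constructed, hypothetical).
// Only "strictly_necessary" purposes bypass consent; everything else needs a positive indication.
const COOKIE_INVENTORY = {
  session_id:   { purpose: "strictly_necessary" },                      // login session
  basket:       { purpose: "strictly_necessary" },                      // online shopping basket
  ui_prefs:     { purpose: "preferences" },                             // "remembers users' preferences"
  analytics_id: { purpose: "analytics" },                               // analytic cookie: still needs consent
  ad_tracker:   { purpose: "advertising", thirdParty: "ads.example.net" } // third-party, placeholder host
};

// The consent record is strictly necessary: without it the site could not honour 6(3)
// and would have to ask the same person again on every visit.
const CONSENT_RECORD = "cookie_consent";

class CookieGate {
  // jar: Map of cookie name -> value, standing in for document.cookie so this runs anywhere.
  constructor(jar) { this.jar = jar; }

  consented() {
    const raw = this.jar.get(CONSENT_RECORD);
    return raw ? new Set(raw.split(",")) : new Set();
  }

  // Called once the user has positively agreed (tick box, settings choice, footer prompt, ...).
  recordConsent(purposes) {
    const all = new Set([...this.consented(), ...purposes]);
    this.jar.set(CONSENT_RECORD, [...all].join(","));
  }

  // Returns true if the cookie was set, false if withheld pending consent for its purpose.
  set(name, value) {
    const entry = COOKIE_INVENTORY[name];
    if (!entry) throw new Error(`unknown cookie ${name}: add it to the audit inventory first`);
    if (entry.purpose !== "strictly_necessary" && !this.consented().has(entry.purpose)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Purposes still lacking consent, i.e. what the prompt must explain before those cookies are set.
  pendingPurposes() {
    const done = this.consented();
    return [...new Set(Object.values(COOKIE_INVENTORY).map(e => e.purpose))]
      .filter(p => p !== "strictly_necessary" && !done.has(p));
  }
}
```

Unknown cookie names are rejected rather than set, which turns the “clean up” advice above into an enforced rule: a cookie that was never audited cannot be deployed.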
Enforcement
As explained by the government in its response document, its view is that there should be a phased approach to the implementation of these changes. Consequently, the ICO says in its guidance note that were it to receive a complaint about a website, it would expect an organisation’s response to be that it has considered the changes and has a realistic plan to achieve compliance. It would handle that sort of response very differently to one from an organisation which decides to avoid making any change to current practice.
The ICO will be issuing separate guidance on how it intends to enforce the new regulations.
Comment
Pressed for time in trying to publish its guidance ahead of the implementation deadline of 25 May 2011, the ICO has produced advice that will leave many website owners uncertain about the extent of their obligations once the new Regulations come into force. In particular, users of third-party cookies will find the ICO’s rather non-committal statement that “everyone has a part to play in making sure that the user is aware of what is being collected and by whom” less than useful. Third-party cookies are commonly used by online advertising networks for the purpose of profiling users by tracking their online behaviour and for targeting online advertisements accordingly. Given that the business models of many, otherwise free-to-access, online services depend on advertising revenue, online businesses urgently require clear guidelines about the methods they can use to achieve compliance with the new provisions in this regard.
In light of the fact that the revised E-Privacy Directive was adopted as early as December 2009, website owners will also be unimpressed by the fact that both the Regulations and the ICO’s guidance were published a mere three weeks before the deadline. This leaves many businesses with the prospect of having to carry out a complex technical and organisational audit at very short notice. While website owners will welcome the ICO’s assurance that – initially – it will only require them to show that they are considering the steps to take to achieve compliance, it is as yet unclear when this transitional period will end. To this end, it would have been useful if the additional guidance on enforcement, to which the current advice refers, had been published at the same time.
Practical Law Update 01.06.2011