UK Cookie Law

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 is the UK implementation of the European Cookie Directive.

UK Implementation of the European Cookie Directive

The UK has implemented Directive 2009/136/EC (the Cookie Directive) through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 No.1208,[1] which came into force on 26 May 2011. This amends the previous regulations, the Privacy and Electronic Communications Regulations 2003 No.2426,[2] in the area of protecting users and subscribers with respect to the storing and accessing of information by electronic communication networks and providers.

The Law

Regulation 2011 amends Regulation 2003, particularly with regard to confidentiality of communications and cookies under regulation 6, in order to bring UK law in line with the obligations of the EU Cookie Directive 2009/136/EC.

Under the old regulation 6, storing or gaining access to information in the terminal equipment of a subscriber or user was prohibited unless two requirements under paragraph 2 were met. These were that the user of the terminal equipment (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) is given the opportunity to refuse the storage of or access to that information. The new law, as amended by Regulation 2011 No.1208, replaces the old wording of Regulation 6(2)(b), “is given the opportunity to refuse the storage of or access to that information”, with the new paragraph (b): “has given his or her consent”.

Therefore the new English law now provides that no person shall use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. These requirements are that the user (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.

Consent

The EU law now requires a communications provider to get consent from the user when storing or accessing information. However, it is not clear what the definition of consent is or how to obtain this consent. This has been a controversial and much-debated area surrounding the Directive and the UK Regulation.

The UK has decided that consent is to be read according to the definition set out in the Data Protection Directive, which was implemented in the UK through the Data Protection Act 1998. “Consent” is defined in the Data Protection Directive as “any freely given specific and informed indication of his wishes” (Article 2(1)(h)). The UK has legislated that this requirement of consent being freely given, specific and informed is complied with “by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent”, as stated under the new paragraph 3A.

The UK legislation mirrors the text of the Directive 2009 but takes into account Recital 66, which confirms that an internet user changing his or her default settings on an internet browser is a method of consenting to the use of cookies. The UK government therefore believes that the user’s general acceptance of cookies by changing the browser default to no cookies will be sufficient to meet the consent requirements of the regulations.[3] The government also shows a very industry-focused approach in relation to cookies by not imposing specific technical measures for implementation but rather leaving it to the industry to find the solutions it wants to put in place in order to comply with the Regulations.[4]

The Government prefers to work with the browser manufacturers on a solution which will use enhanced browser settings to obtain the requisite consent, as stated in a paper entitled “Implementing the revised EU Electronic Communications Framework”, produced by the Department for Culture, Media and Sport on 15 April 2011.[5]

Rationale for the UK Approach

The UK government maintains that consent does not have to be prior consent, that it is not time bound, and that the ability of users to change their browser settings complies with the consent requirement in the EU Directive.[6]

The government justifies this rationale as follows.

a) Article 5 of the Cookie Directive 2009 does not specify that consent must be “prior consent”. The original text proposed by the European Parliament did do so, but this was removed during negotiation. This means that there was disagreement between the countries as to when consent should be taken and that it doesn’t necessarily have to be prior consent, as the circumstances in which this consent is taken vary.

b) ‘Prior’ consent is explicitly mentioned in other parts of the amended Cookie Directive. It is mentioned in Article 6 of the Directive dealing with traffic data, which now requires “prior” consent. The Privacy in Electronic Communications Regulations have been amended to require that the subscriber/user has “previously notified the provider that he consents” at regulation 7 dealing with traffic data. However, the word “prior” does not occur in Article 5(3) of the Directive, and it therefore does not appear in the UK transposition. Crucially, there is no indication in the definition as to when that consent may be given, and therefore consent may be given after or during processing.

c) The UK Government acknowledges that in its natural definition, consent is regarded as permission prior to an action and rarely after the action for which consent is being sought has been taken. However, the Government claims that this does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing. The Government supports the industry’s attempts to inform users about the specific choices available and as a result allow users to make choices (i.e. give consent) based on that information.

d) The Government states that what it sees as crucial in the requirements of the amended Directive 2009/136 is informed consent. It is this emphasis on informed consent that has shaped the UK's approach to implementing the Directive.

e) The Government believes that this definition of consent enables rather than precludes the OBA Framework developed by the industry.[7]

Consultations regarding the implementation of the Cookie Directive

The Government consulted widely on its proposals for implementing the amendments to the e-Privacy Directive as part of its wider consultation on the implementation of changes to the European Framework on Electronic Communications. Stakeholders, such as businesses, advertising companies and the behavioural advertising industry were broadly supportive of the Government’s proposals and recognised the efforts that were made to minimise the impacts on business.[8]

Stakeholders also recognised and welcomed the Government’s efforts to develop sensible and pragmatic policy solutions to the most challenging provisions. The emphasis of the Government is to tailor the data protection regulations specifically to the electronic communications industry. This shows a very pro-industry stance on the part of the government, hence the very flexible and wide approach to the definition of consent.[9]

Support for Businesses: The Information Commissioner’s Office

The Information Commissioner's Office (ICO) has published advice on how UK businesses can comply with the new Regulations, together with details of how it proposes to enforce the new Regulations.[10] Advice from the ICO indicates that current browser settings are not sufficient to obtain users’ consent. This means that the UK may be falling short of its obligations to comply with the Cookie Directive.

The ICO in its guidelines suggests that service providers should do the following to comply with the new rules:

“1. Check what type of cookies and similar technologies you use and how you use them.

2. Assess how intrusive your use of cookies is.

3. Decide what solution to obtain consent will be best in your circumstances.”[11]

The ICO has also emphasised that “any attempt to gain consent that relies on users' ignorance about what they are agreeing to is unlikely to be compliant”.[12]

It is indicated that the ICO will afford businesses a period of 12 months (to May 2012) to adapt to the new consent regime before it will take any enforcement action for non-compliance. In the short term, it expects organisations to be able to demonstrate that they have plans in place to obtain consent from users. In essence there is no set way of going about implementing these regulations. What seems to be the situation now is that there is a lack of clarity, great uncertainty and an absence of specific guidelines as to how to comply with the new laws regarding cookies.

It seems that the ICO is giving service providers the responsibility and final call in deciding how best to comply with the new regulations. This may be positive as it allows businesses the flexibility to choose the best way of giving protection to their users without hindering their business. On the other hand, there may be a lack of incentive and difficulty in enforcing the provisions of these regulations on businesses, as well as a discrepancy between businesses regarding the protection for users.

Such potential variation could surely fly in the face of EU aims of harmonization for an integral and better market environment, defeating the object of market integration. However, the ICO is emphasizing that despite the uncertainty, “what is clear is that the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent.”[13]


References

  1. Regulation 2011 No.1208, available at <http://www.legislation.gov.uk/uksi/2011/1208/contents/made>
  2. Regulation 2003 No. 2426, available at <http://www.legislation.gov.uk/uksi/2003/2426/introduction/made>
  3. http://www.mwe.com/index.cfm/fuseaction/publications.htdetail/object_id/03a2159c-55e2-4a46-852e-c7585a83584b.cfm
  4. http://www.culture.gov.uk/images/publications/cookies_open_letter.pdf
  5. Department for Culture, Media and Sport, Implementing the revised EU Electronic Communications Framework, April 2011, available at <http://www.culture.gov.uk/images/publications/FWR_implementation_Governmentresponse.pdf>
  6. Department for Culture, Media and Sport, Open letter on the UK implementation of Article 5(3) of the e-Privacy Directive on cookies, p3.
  7. Department for Culture, Media and Sport, Open letter on the UK implementation of Article 5(3) of the e-Privacy Directive on cookies, 24 May 2011, available at <http://www.culture.gov.uk/images/publications/cookies_open_letter.pdf>
  8. Explanatory Memorandum to the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 No. 1208, available at <http://www.legislation.gov.uk/uksi/2011/1208/pdfs/uksiem_20111208_en.pdf>
  9. Department for Culture, Media & Sport, Research into consumer understanding and management of Internet Cookies and the potential impact of the EU Directive 2009/136/EU, available at <http://www.culture.gov.uk/images/consultations/PwC_Internet_Cookies_final.pdf>
  10. ICO Guidelines, Advice on the New Cookie Regulations, 9 May 2011, available at <http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx>
  11. ICO Guidelines, Advice on the New Cookie Regulations, p4.
  12. ICO Guidelines, Advice on the New Cookie Regulations, p7.
  13. ICO Guidelines, Advice on the New Cookie Regulations, p9.