Cookie cutting: do the new rules take the biscuit?

Slaughter and May
New rules relating to cookies and similar technologies for storing information came into force on 26 May. The new
rules are set out in the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (“the
2011 Regulations”). They apply to anyone who uses cookies on their websites, and so will apply to the vast majority
of companies and website owners.
The 2011 Regulations also bring into force a number of other changes, and the Information Commissioner’s Office
(ICO) has issued guidance both on the changes relating to cookies and on its enforcement of the revised 2011
Regulations and the new powers they bring.1
Cookies – what are they and what’s new?
Cookies are small files downloaded onto a computer or other device when a user accesses certain websites. They
allow a website to recognise a user’s device and are extremely important in today’s on-line world. Indeed, the
Government has recognised that the internet, as it is today, would be unusable or severely restricted without their
use.2
Cookies are used for a variety of different purposes, some of which are necessary for the service being offered by
the site (e.g. to help a site remember what items a user has put into their on-line basket), some of which enable a
website operator to manage and develop its site (e.g. tracking which links are used most frequently by users) and
some of which can have more of an impact on a user’s privacy (e.g. creating a detailed profile of an individual’s
browsing activity, perhaps for behavioural advertising purposes). The new rules apply to both cookies and other
similar technologies used for storing information.
We already have rules relating to cookies. These require you to tell people how you use cookies and how they can
opt-out if they object to such use, unless the use is strictly necessary for the provision of a service requested by the
user.3
The new rules change this by replacing the need to offer an opt-out with the need to obtain consent. This now
means that cookies can only be placed on computers or other devices where the user or subscriber has given
consent. The new rules state that:
• there is still an exemption if what you are doing is ‘strictly necessary’ for a service requested by the user. The ICO guidance stresses that this is a narrow exception. It may mean that you do not need consent to use a cookie which ensures your website remembers what goods a user chose to put into their on-line shopping basket when the user ‘proceeds to checkout’. However, it would not apply if you decided your site was more attractive if it remembered the users’ preferences, or wanted to collect statistical information about your website’s use, and used cookies to do so;
BRIEFING, Summer 2011
• you only need to provide information and obtain consent before a cookie is set for the first time. You do not need to get further consent each time that cookie is used, provided it is the same person, the same cookie and it is used for the same purpose; and
• consent may be signified by a user who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent. This is included in the 2011 Regulations, and in the recitals of the Directive4 they implement. However, both the ICO guidance and the Government’s response to its consultation on this issue recognise that it is not currently possible to use default browser settings to satisfy the consent requirement. Most browser settings are not sophisticated enough at present, and not everyone who visits a site will use a browser (e.g. mobile phone users), or will upgrade to an updated browser. Although the Government is working with major browser manufacturers to establish which enhanced browser-level solutions may become available in the future, until such solutions are developed an alternative method of obtaining consent must be used. Ed Vaizey, the Minister for Culture, Communications and Creative Industries, wrote an open letter on the UK’s implementation of these new rules in which he clarifies the UK’s position on browser settings. For example, he states that the wording in the 2011 Regulations is an example only and that users “may” also signify consent through choosing not to amend settings or controls of a browser.
In addition to the provision of guidance about how consent can be obtained, there have been discussions about
whether prior consent is always required, particularly given the difficulties prior consent currently raises in some
situations (for example where a cookie is placed on a user’s device as soon as the user accesses the site, and before
it is possible to obtain consent through, for example, a tick-box). In Ed Vaizey’s open letter5 he states that “there is
no indication in the definition [of consent] as to when that consent may be given, and so it is possible that consent
may be given after or during processing”. However, the Article 29 Working Party subsequently produced a paper
looking generally at consent which clearly states its view that prior consent for the use of cookies is needed6. The
ICO has also confirmed to us that it considers that prior consent will be required in all but the most exceptional
circumstances, although unfortunately no guidance is currently available as to what these exceptional circumstances
may be. For now, it therefore appears that website owners and other cookie users will have to develop procedures
which allow for consent to be obtained before any cookies are used in the vast majority of cases.
When do the new rules come into force?
The 2011 Regulations came into force on 26 May 2011. However, on 25 May the ICO issued a press release and
guidance on enforcement of the 2011 Regulations which confirmed that there would be a “lead in period of 12
months for organisations to develop ways of meeting the cookie related requirements.” Enforcement of the new
rules will therefore begin in May 2012.
The fact that an extension was granted was not particularly surprising. It followed Government calls for a phased
approach to implementation. The Government also acknowledged in its response to the consultation on the new
rules that it did not expect work on technical solutions to be completed before the 26 May deadline and that it
would take time for these solutions to be developed and rolled out. In its response document the Government
also stated that it did not expect the ICO to take enforcement action against organisations which were working to
address their use of cookies.
Much of the detail about how the new rules will work in practice is still being developed, for example the
Government is working with browser manufacturers, and is supporting cross industry work on third party cookies
in behavioural advertising. An example of industry activity is IAB Europe (the Internet Advertising Bureau Europe), which has
agreed online behavioural advertising guidelines and launched a pan-European self-regulatory online behavioural
advertising framework. Adverts that track user behaviour will display an icon which links through to information
about behavioural advertising and how to manage information preferences and turn off behavioural advertising.
While the enforcement deadline has been extended, the ICO has said that in practice this does not mean that you
can ignore the new rules until next year. Organisations should be taking steps to ensure they can comply by May
2012. Those which the ICO considers are failing to make ‘adequate preparations’ may receive a warning, which the
ICO would then take into account if complaints were received after May 2012. Also, where complaints are received,
the Commissioner will provide advice to the organisation concerned on the new rules and how they may comply.
Where appropriate, and particularly as May 2012 approaches, the Commissioner may ask organisations to explain
the action they are taking to ensure they will comply by the extended 2012 deadline.
What action should you take now?
The ICO advises you to7:
• check the type of cookies and similar technologies you use, and how you use them. This may mean a comprehensive website audit, or could just mean checking what data files are placed on users’ terminals and why. See which cookies are ‘strictly necessary’ and so may not need consent;
• assess how intrusive your cookies are – the more intrusive they are, the more priority you should give to changing how you use them and to getting meaningful consent. Some cookies do not really impact on a user’s privacy, for example by simply allowing you to improve your website based on information they provide on which links or pages are most regularly used. However others, for example those which create a detailed user profile, are potentially more “privacy intrusive”. You should initially focus on this latter category, which will require more detailed information and choices; and
• decide how best to obtain consent. There are a variety of options available, and website operators will need to decide which one best suits their site and their users. The ICO has given some guidance, although the ICO and the Government have not been prescriptive about how to meet the new requirements.
How to obtain consent
As mentioned above, relying on browser settings to obtain consent is not currently possible. However, the ICO guidance8 lists a
number of other options. These include the use of:
• pop-ups and similar techniques (although these will need to be well designed to avoid multiple pop-ups being generated where several cookies are used, which may impact on a user’s web experience);
• terms and conditions – this is already a common way of obtaining user consent for a variety of things when a user first signs up or registers. It should therefore be possible to use them to obtain consent to the use of cookies. However, simply changing current terms of use to include the cookie consent where the user has already signed up to them would not be sufficient. Users must be aware of the changes and that they refer to the use of cookies, and must positively indicate that they understand and agree to the changes (for example by clicking a tick box to confirm their acceptance of the new terms); and
• settings or feature-led consent – settings like personal greetings, type size or colour schemes can sometimes be set by the user. Where this uses a cookie, consent for its use can be obtained as part of the process by which the user confirms how they want the site to work. Similarly, sometimes objects are stored or cookies used when a user chooses to use a particular feature of the site (like watching a video clip). The user can be asked for consent, and the use of the cookie explained, at the point at which they select the feature (for example, when they click on the link for the clip).
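One way a site could enforce the distinction the guidance draws between ‘strictly necessary’ cookies and those needing positive consent, including the feature-led pattern above, as an added illustration that is not code from this briefing, the ICO or any particular site; the cookie jar, purpose names and the playClip feature are constructed stand-ins for a real page:

```javascript
// Consent-gated cookie setting modelled on the categories in the ICO guidance:
// "strictly necessary" cookies are exempt; every other purpose needs a positive
// indication of consent before the cookie is first set, and consent given once
// for a purpose need not be collected again for the same cookie and purpose.
// Added illustration (constructed), not code from any real site or library.

const STRICTLY_NECESSARY = 'strictly-necessary'; // e.g. remembering the checkout basket
const ANALYTICS = 'analytics';                   // e.g. which links are used most
const PROFILING = 'profiling';                   // e.g. behavioural-advertising profile

class ConsentGate {
  constructor() {
    this.consents = new Set();  // purposes the user has positively agreed to
    this.jar = new Map();       // stand-in for document.cookie (constructed)
    this.blocked = [];          // cookies refused because consent was absent
  }

  // Record a positive indication of consent (a clicked tick box, a feature the
  // user chose to use). Leaving browser defaults unchanged is NOT treated as consent.
  grant(purpose) {
    if (purpose === STRICTLY_NECESSARY) return; // exempt: nothing to consent to
    this.consents.add(purpose);
  }

  revoke(purpose) { this.consents.delete(purpose); }

  // True if a cookie declaring this purpose may be set right now.
  permitted(purpose) {
    return purpose === STRICTLY_NECESSARY || this.consents.has(purpose);
  }

  // Set the cookie only when its declared purpose is exempt or consented to;
  // otherwise log the refusal so a site audit can see what was withheld.
  setCookie(name, value, purpose) {
    if (!this.permitted(purpose)) {
      this.blocked.push({ name, purpose });
      return false;
    }
    this.jar.set(name, { value, purpose });
    return true;
  }
}

// Feature-led consent: ask at the point the user selects the feature (here a
// hypothetical video clip) and set the analytics cookie only if they agreed.
function playClip(gate, userAgreed) {
  if (userAgreed) gate.grant(ANALYTICS);
  return gate.setCookie('clip_viewed', '1', ANALYTICS);
}
```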
The ICO guidance also discusses the functional uses of cookies and some of the issues around what information
should be provided and how prominently. It acknowledges that the collection of information about a site is often
done ‘in the background’ and is certainly not at the request of the user. While the use of analytical cookies for
these purposes may not seem particularly privacy intrusive, consent is still needed. The guidance suggests that
you make information you give on such cookies more prominent, particularly in the period immediately following
the introduction of the new rules, and think about what more information you can give about what you do. You
should make it clear to people if information collected about website use is passed to third parties, and you may
also be able to give people more information about what cookies you use, for example a list of what you use with
a description of how they work. The guidance does make some practical suggestions. For example, it suggests you
could place text in the footer of the web page which highlights or scrolls when you want to put a cookie on the
user’s device, and which could then prompt the user to read more information about cookie use and what options
are available in relation to it. However, how practical this is for this type of cookie, and how many sites will adopt
this approach, remains to be seen.
Finally, the guidance looks at the challenges and complexities which are raised by the use of third party cookies.
It states that everyone must play a role in making sure the user knows who is collecting what information, but
acknowledges that this may be the most challenging area in which to achieve compliance. The ICO is working
with both industry and other European authorities to help find some practical answers.
Other changes
The new cookie rules are not the only changes which came into force on 26 May. The 2011 Regulations introduced
changes to the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations
2000 and the Enterprise Act 2002. They also introduced additional changes to the Privacy and Electronic
Communications (EC Directive) Regulations 2003 and some new powers for the ICO. These new powers include:
• new powers to serve monetary penalty notices of up to £500,000 for the most serious breaches of the 2011 Regulations (also known as PECR). In addition to the cookie rules referred to above, PECR covers unwanted marketing emails, texts and calls. The Commissioner has confirmed that he will revise his existing guidance on Monetary Penalty Notices to cover this change. In early July he launched a consultation in relation to this (linking to new draft guidance) which closes on 27 September 2011. He has confirmed that the revised guidance is unlikely to be issued in final form before October 2011. While he does not intend to impose any civil monetary penalties for PECR contraventions until that revised guidance has been issued, he may start to gather evidence of non-compliance from 26 May 2011; and
• increased powers in relation to telecommunications companies and internet service providers. These include the power to require them to provide the ICO with information to investigate breaches of PECR, audit rights and compulsory personal data security breach notification obligations (to the ICO and in certain cases to customers).
The ICO guidance on enforcing the revised PECR rules provides further detail on these changes.9
Comment
The UK Government wants the new rules to be “light touch, business friendly and set a benchmark in Europe.”
However, the ICO recognises that in many cases “implementation of the rule requiring consent for cookies will be
challenging.”
It is true that the UK does seem to be ahead of many other member states in its implementation. It is also true
that the issuing of the legislation and guidance so close to the deadline, last minute extension of the enforcement
deadline and current lack of technical solutions have resulted in a somewhat uncertain start for the new rules. That
said, what is not uncertain is that there is a new cookie law in place, and organisations need to take steps now to
ensure that they will be ready for its enforcement in May 2012.
For more information on the new cookie rules or other privacy and data protection related matters please contact
Rob Sumroy, or your usual Slaughter and May contact.
1 Available on the ICO website: see “Changes to the rules on using cookies and similar technologies for storing information” (published 9 May 2011), which the ICO describes as “a starting point for getting compliant rather than a definitive guide”, and “Enforcing the revised Privacy and Electronic Communications Regulations (PECR)” (published 25 May 2011).
2 BIS consultation (September 2010) and DCMS response (April 2011), Implementing the revised EU Electronic Communications Framework.
3 Privacy and Electronic Communications (EC Directive) Regulations 2003, Regulation 6.
4 The exact wording from the Directive 2009/136/EC recitals is not followed in the 2011 Regulations. Ed Vaizey’s letter of 24 May 2011 (see below) discusses the reasoning behind this.
5 Available on the DCMS website, letter dated 24 May 2011. Ed Vaizey also confirms in the letter that the word “prior” does not appear in the relevant clause of the Directive that the 2011 Regulations implement, although “prior consent” is mentioned in other Articles of that Directive. While he recognises that people should be aware that consent “in its natural usage” rarely refers to permission given after the event, this does not prevent a regulatory approach which recognises that prior consent will not be practical in certain circumstances.
6 Article 29 Working Party Opinion 15/2011 on the definition of consent (WP 187).
7 ICO guidance “Changes to the rules on using cookies and similar technologies for storing information” (published 9 May 2011).
8 As above.
9 ICO guidance “Enforcing the revised Privacy and Electronic Communications Regulations” (published 25 May 2011).
© Slaughter and May 2011
This material is for general information only and is not intended to provide legal advice.
For further information, please speak to your usual Slaughter and May contact.