The new UK law is the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the “Regulations”), which implement changes made in 2009 to the e-Privacy Directive (EC 2002/58). Although the UK approach is to transpose the language of the amended e-Privacy Directive as it relates to cookies without “gold plating” its provisions, even this strategy is fraught with practical challenges. Organizations are puzzling over how best to comply with the new requirements. Based on the Information Commissioner’s guidance, we suggest the following approach.
1. Prepare a cookie inventory
The starting point for all organizations will be to determine what cookies they use on their website, and what they use those cookies for. Many organizations have no real idea of what cookies they use. Preparing an inventory is a crucial first step.
2. Understand your cookies – how privacy intrusive are they?
Determine which of the cookies are privacy intrusive. These are the cookies for which consent will be essential. Particular care should be taken with analytic cookies that may not be obviously intrusive, and with third-party cookies.
3. Formulate a consent mechanism for privacy intrusive cookies
Regulation 6 (3A) contemplates the use of browser settings to signify consent. The difficulty with this, as the Information Commissioner notes, is that most browser settings are not sophisticated enough to be used as a means of obtaining consent. In many cases, a user will not actually use a browser. Other possible consent mechanisms include the use of pop-ups, terms and conditions, website settings and website features. Irrespective of the mechanism used, the key focus for website operators is to tell users what cookies are used and for what purposes, and to obtain their consent.
There is the possibility, in limited cases, of relying on an exemption where the storage of or access to information is “strictly necessary” to the service requested by the user. The Information Commissioner has emphasized the narrow focus of this exemption, noting that it would not be available “just because you have decided that your website is more attractive if you remember users’ preferences.”
The Information Commissioner has made it clear that his guidance is not the final word on cookies and that he is open to suggestions from industry as to how the Regulations might be made to work in a more practical way.