The New ‘Cookie Law’
Duncan Smith, iCompli® Limited

The Cookie Law .. how we got here, wherever here is!
A long time ago in a galaxy far, far away
We had a European Directive, the Directive on Privacy and Electronic Communications 2002/58/EC (DPEC for short), that required EU Member States to enact legislation to help ensure that users’ privacy on the internet was safeguarded. [Ed. Directives are not law, but the legislation spawned from each Directive will be law]. In the UK, we translated DPEC into the Privacy and Electronic Communications Regulations 2003 (PECR for short). This law helped protect an individual’s privacy by requiring website owners to tell visitors to their site about the presence of cookies, what they were being used for and how to stop them. This was opt-out legislation. The problem was (is) that too few people really understood what personal information this cookie technology provides and how it is used by the advertising industry. Not enough people were opting out, I guess!

All change 2009
In October 2009 a specific part of the Directive, Article 5(3), was amended to address this problem. Some words were crossed out (the deleted words are shown here in square brackets) so as to read .. “Member States shall ensure that [the use of electronic communications networks to] the storing of information, or [to gain] the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been [is] provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing[, and is offered the right to refuse such processing by the data controller]. This shall not prevent any technical storage or access for the sole purpose of carrying out [or facilitating] the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of [to provide] an information society service explicitly requested by the subscriber or user to provide the service.” So, we moved from ‘tell ‘em about cookies, get their consent and give them a chance to opt out’ to ‘tell ‘em about cookies and get their consent’. A retrograde step? Could the challenge (which appears to have been there all along) be how to get website users to agree to accept cookies? Perhaps ‘recital 66’ in the amended Directive can help us.


[Recital 66] Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

Great! So we can get (infer) a user’s consent simply from their browser settings. Job Done. Not so; but why not so? Because the Regulators and their advisors are telling us that inferred consent obtained via the settings of a browser will not satisfy the obligation for informed consent. In June 2010 the Article 29 Working Party set out their stall.

".. for consent to be valid whatever the circumstances in which it is given, it must be freely given, specific and constitute an informed indication of the data subject's wishes. Consent must be obtained before the personal data are collected, as a necessary measure to ensure that data subjects can fully appreciate that they are consenting and what they are consenting to.."


This ‘before the personal data’ phrase cannot be construed as anything other than ‘informed, PRIOR, consent’. This is something the UK legislator (DCMS) clearly disagrees with.

If you are left in any doubt about how the ‘advisors’ feel, read their words; “... data subjects cannot be deemed to have consented simply because they acquired/used a browser or other application which by default enables the collection and processing of their information .. It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes.”

The UK changes its law
The UK law has now been amended; we now have the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. The Regulations state..

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment- (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.
[Here is the NEW ‘informed consent’ requirement]

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
[Here’s the transposition of Recital 66 which allows for a ‘browser-based solution to prior consent’ as part of consent management]

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information- (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
[Here is the confusing bit which tries to say some cookies are OK but doesn’t say which ones]

The Regulator issues guidance
The Information Commissioner ‘wades in’ with its interpretation of the law, apparently with full consultation and agreement with the DCMS. They are (sort of) clear that organisations who set cookies on a user’s browser will need more than browser settings to satisfy the legal requirement for consent. If most browsers are not sophisticated enough, which ones are!

“At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user's equipment that they have to gain consent some other way. We are aware that the government is working with the major browser manufacturers to establish which browser level solutions will be available and when. For now, though, you will need to consider other methods of getting user consent.”

OK. So what are the ‘other methods’ we have to consider? How about a really impractical and ugly pop-up on your website which, coming from our regulator, disconcertingly fails to provide adequate information to demonstrate ‘informed’ consent.

Mmm, not for me!


The Government advises – ‘Open letter’ of 24th May 2011
On the 24th of May, 2011 DCMS issued an open letter to calm our nerves. In full consultation with the Information Commissioner they set out their definition of consent. “Article 5 of the revised e-Privacy Directive does not specify that the consent must be ‘prior consent’ .. the word ‘prior’ does not occur in Article 5(3) of the Directive, and it therefore does not appear in the UK transposition. Crucially, there is no indication in the definition as to when that consent may be given, and so it is possible that consent may be given after or during processing.” Now for the ‘obfuscating waffle’;

“It is important that stakeholders are aware that in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken. This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing. It also supports any approach underpinned by industry’s attempts to inform users about the specific choices available and as a result allow users to make choices (i.e. give consent) based on that information.”
[So what are these ‘certain circumstances’? Throw me a fish DCMS] [But after the event, right?]

OK So what now?
1. Do Nothing and wait to see what happens
2. Stop using Cookies
3. Ask for permission

All a bit radical, so how about you put in place a ‘change program’ to both manage the transition and to provide documentary evidence that privacy and compliance are important to your organisation. The Information Commissioner has stated clearly in their guidance that; ‘we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance’.[i]
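As an added illustration of option 3 (this is example code written for this page, not code from the article or from iCompli), here is a small JavaScript consent gate. Cookies that are strictly necessary for the service the user asked for (the regulation 6(4)(b) case) are set straight away; every other cookie is held back until the user has been shown what it is for and has recorded an explicit choice, and that choice can be withdrawn, which also removes the cookies set under it. The cookie names, categories and purposes are constructed for the example, and an in-memory Map stands in for document.cookie so the logic runs offline.

```javascript
// Added example, not from the original article: a consent gate for cookies.
// The registry, cookie names and purposes are constructed for illustration,
// and `jar` is an in-memory stand-in for document.cookie so this runs offline.

const jar = new Map();                    // constructed stand-in for document.cookie
const CONSENT_COOKIE = 'cookie_consent';  // assumed name of the consent record

// Every cookie the site sets must be registered with a category and a purpose,
// so the notice shown to the user can be "clear and comprehensive".
const registry = {
  session_id:   { category: 'essential',   purpose: 'keeps you signed in during your visit' },
  csrf_token:   { category: 'essential',   purpose: 'protects forms against cross-site request forgery' },
  analytics_id: { category: 'analytics',   purpose: 'measures how the site is used' },
  ad_id:        { category: 'advertising', purpose: 'selects adverts based on browsing' },
};

function readConsent() {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null;
  try { return JSON.parse(raw); } catch (e) { return null; }  // a corrupt record means no consent
}

// 'essential' cookies are the "strictly necessary" case; everything else needs a recorded choice.
function hasConsent(category) {
  if (category === 'essential') return true;
  const consent = readConsent();
  return !!consent && Array.isArray(consent.categories) && consent.categories.includes(category);
}

// The notice text: what the user is told before being asked to decide.
function consentNotice() {
  return Object.entries(registry)
    .filter(([, entry]) => entry.category !== 'essential')
    .map(([name, entry]) => `${name} [${entry.category}]: ${entry.purpose}`);
}

// Record the categories the user accepted; timestamp and version support later audit.
function recordConsent(categories) {
  const record = { categories: [...categories], at: new Date().toISOString(), version: 1 };
  jar.set(CONSENT_COOKIE, JSON.stringify(record));
  return record;
}

// Withdraw consent and remove every non-essential cookie that was set under it.
function withdrawConsent() {
  jar.delete(CONSENT_COOKIE);
  for (const [name, entry] of Object.entries(registry)) {
    if (entry.category !== 'essential') jar.delete(name);
  }
}

// The single choke point through which the site sets cookies. Unregistered
// cookies are refused outright, so a new tracker cannot slip past the notice.
function trySetCookie(name, value) {
  const entry = registry[name];
  if (!entry) return { set: false, reason: `unregistered cookie: ${name}` };
  if (!hasConsent(entry.category)) return { set: false, reason: `no consent for ${entry.category}` };
  jar.set(name, value);
  return { set: true };
}

function getCookie(name) { return jar.get(name); }

// Walk through a visit: essential cookie set at once, analytics held until consent.
function demo() {
  withdrawConsent();
  const steps = [];
  steps.push(trySetCookie('session_id', 's-123').set);      // true: strictly necessary
  steps.push(trySetCookie('analytics_id', 'a-456').set);    // false: nothing recorded yet
  recordConsent(['analytics']);                             // user accepts analytics only
  steps.push(trySetCookie('analytics_id', 'a-456').set);    // true
  steps.push(trySetCookie('ad_id', 'x-789').set);           // false: advertising not accepted
  return steps;
}

console.log(consentNotice());
console.log(demo());
```

The point of routing every cookie through one function is that the decision "has this user consented to this category?" is made in one place, and a cookie nobody has registered and described to the user is refused rather than silently set.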


In the event of a complaint to the Regulator, it is important to note that they have stated that where an organisation can demonstrate this level of awareness and compliance, ‘We [Information Commissioner] would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice’. And the government’s view on whether we’re all going to jail for sitting back and waiting? “the Government response made clear that enforcement action will not be taken until appropriate technical solutions are available.”

.. finally, the Information Commissioner’s latest guidance: “The Commissioner cannot exempt organisations from the requirements of the Regulations. He will though allow a lead in period of 12 months for organisations to develop ways of meeting the cookie related requirements of the 2011 Regulations before he will move towards the approach set out in his Data Protection Regulatory Action Policy and consider using his enforcement powers to compel them to do so in appropriate cases. This lead in period will end in May 2012.”


[i] Information Commissioner’s Guidance: ‘Changes to the rules on using cookies and similar technologies for storing information’


