Now that the revised rules on cookies and consent are in force in the UK1, there have been two developments that we want to bring to the attention of clients by way of an update of our earlier Client Alert.
- In an 'open letter on the UK's implementation of Article 5(3) of the e-Privacy Directive on cookies' dated 24 May 2011 (the 'DCMS letter'), the UK Department for Culture, Media and Sport (DCMS), in consultation with the UK Information Commissioner's Office (ICO), clarified how the Amended Regulations should be interpreted and implemented, following legal issues raised by industry stakeholders.
- The ICO issued further guidance on how it will enforce the new cookie regime on 25 May 2011.
While the ICO guidance was anticipated, the DCMS letter was not.
The DCMS letter
Despite the DCMS' stated goal that the Amended Regulations reflect a 'light', business-friendly, touch that sets the benchmark in Europe, industry raised two key concerns about the Amended Regulations:
1. 'Prior consent' for use of cookies
2. 'Gold-plated' regulation by requiring more than minimum compliance and placing technical constraints
The DCMS letter rejected the concerns.
Consent ≠ prior consent - Following the definition of 'consent' found in the EU Data Protection Directive 95/46/EC-'any freely given specific and informed indication of his wishes . . .'-the DCMS letter avers that consent is 'not time bound - i.e. there is no constraint on when consent may be given'. While the DCMS advocated removal of the 'prior' element to consent as the revised ePrivacy Directive made its way through the European Parliament, their arguments are unlikely to be taken into account by a UK court or Tribunal charged with interpreting the rules.
The DCMS letter recognises that 'consent' can rarely take place after the event, but asserts that such approach to applying the Amended Regulations acknowledges and accommodates the impracticability of obtaining prior consent and focuses on providing users with information and choices (which it equates with consent) based on that information. Moreover, the DCMS has left it to industry to determine the technical solution required to comply with the Amended Regulations.
This approach is sure to be welcomed by industry - it shares much with the US philosophy of 'notice and choice' in the data privacy context. However, it should be recognised as very much a UK-specific approach to implementation and is unlikely to be replicated across the EU.
Gold-plating - The DCMS strongly denied this suggestion, but was at pains to correct the implication that only prior consent will suffice, as opposed to a broad range of consents. The DCMS appears to accept that consent may be implied from inaction. The main thrust of the open letter is that consent may be inferred so long as adequate information is provided about cookies, what they do and how they can be controlled.
It is somewhat unfortunate that this part of the DCMS letter has to acknowledge and address the fact that there is an interpretive gap between what the Amended Regulations actually say and what they were intended to mean, which cannot necessarily be bridged by the DCMS letter. With the DCMS' recognition of this issue, we may end up seeing amended legislation later in the year to address the most glaring omissions or areas of doubt.
ICO Enforcement Guidance
The Amended Regulations extend the ICO's existing powers under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) by the ability to impose civil penalties of up to £500,000 GBP for serious breaches. Before exercising this and other new powers, the ICO will need to revise, and consult on, its existing guidance, which it expects will take until October 2011.
The ICO appreciates the challenges organisations face in putting the consent requirement into practice, as well as the negative impact ('disproportionate inconvenience') that immediate implementation would have on the Internet and user experience.
A lead-in period of one year (25 May 2012) will be 'allowed' so organisations can 'develop ways of meeting the cookie related requirements of the [Amended] Regulations' before the ICO will exercise its enforcement powers under its Data Protection Regulatory Action Policy.
One of the key factors for the lead-in period is to give organisations an opportunity to develop technical solutions to obtaining consent for cookies. As highlighted in our previous Client Alert, the ICO expects organisations will follow the earlier advice and take immediate steps to ensure compliance by May 2012.
The ICO anticipates receiving complaints about cookies during the lead-in period and will offer compliance advice to organisations that are the subject of complaints. Most likely the ICO will also ask these organisations to explain what steps they are taking to ensure full compliance by May 2012. In addition, the ICO may issue warnings to organisations failing to prepare for compliance that will be taken into account after expiry of the lead-in period in May 2012.
The UK is one of only a few EU countries to have implemented the revised e-Privacy Directive, and we shall be keeping a close eye on developments over the coming months to see whether the UK 'recipe' for revised cookie rules is followed elsewhere.
___________________________________________________
1. The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the Amended Regulations) came into force 26 May 2011.
Client Alert 2011-132