The Electronic Communications and Wireless Telegraphy Regulations 2011 and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into effect on 26 May 2011 in the UK, implementing into national law amendments made to the EU Communications Framework in 2009.
What do the new rules cover?
Both the original and new rules apply to storing or gaining access to information in the terminal equipment of a subscriber or user. This is generally understood to mean "cookies" (small files downloaded onto a user's computer when they access a website, which allow the website to recognise the user's computer). However, similar technologies for storing information are also covered by the rules (for example, "Locally Stored Objects", also known as "Flash Cookies").
How have the rules changed?
Are there any exceptions?
There are two exceptions: Regulation 6 does not apply where cookies are "strictly necessary" for the provision of a service that has been requested by the user or where the storage of or access to information is for the sole purpose of carrying a transmission of a communication over a network. The Guidance published by the Information Commissioner's Office (the "ICO") who will regulate the new rules says that this is a "narrow" exception that is "limited to a small range of activities" where the "cookie must be related to the service requested by the user". The ICO gives the example of a cookie used to ensure that, when a user buys goods online and clicks the "add to basket" or "proceed to checkout" button, the site "remembers" what the customer chose on the previous page. In this case, the site would not be required to obtain users' consent for the cookies.
How can businesses comply with the new rules?
The ICO Guidance on changes to the rules on using cookies advises businesses, first of all, to: (i) check what type of cookies they use and how they use them; (ii) assess how intrusive their cookies are; and (iii) decide which solution for obtaining user consent will be best in the circumstances. Options suggested by the ICO for obtaining consent include pop-ups, terms and conditions, and website settings- or features-led consent. However, the ICO also advises that most internet browsers are not currently sophisticated enough to allow companies to rely on them to demonstrate that the user has given consent to cookies.
What happens if a business does not comply?
The new rules came into force on 26 May 2011, meaning that companies should technically already be in compliance. However, in its Guidance on Enforcing the revised Regulations, the ICO has acknowledged the difficulties faced by companies in achieving compliance. The ICO has therefore given a one year grace period for companies to "get their house in order". This does not mean that companies can ignore the new rules and the ICO Guidance confirms that companies will be expected to have a realistic plan in place to achieve compliance in the event of any complaint. It is also worth noting that the ICO will have the power to fine companies up to £500,000 for serious breaches of the Regulations.
What happens next?
Information Commissioner Christopher Graham has said that the Guidance "is very much a work in progress" that "doesn't yet provide all of the answers." The ICO would therefore "welcome further comments from others who have practical examples to share." In the meantime, companies should start undertaking an audit of the cookies used on their website and should consider which approach to obtaining users' consent is most appropriate for them.
A copy of the new Regulations can be found here.