26 May 2011 marked the date on which the new European rules on the use of cookies and similar web-tracking devices came into force - or at least it should have done. In practice, EU member states are still grappling with the implications of the new rules: some have not yet implemented the changes, or have granted a grace period during which the new rules will not be enforced.

This article sets out the background to the new rules and the latest legal position in five key EU jurisdictions: France, Germany, Italy, Spain and the UK.

Implementation is evidently causing headaches for local privacy regulators in these countries - even in the UK, which managed to implement the revised requirements on time, the regulator has made clear that it does not expect businesses to become compliant overnight.

As a result, there are currently no easy answers as to what compliance means or how best to achieve it - the position is likely to develop over the coming months as further countries achieve implementation and local regulators issue further guidance. As a general rule, while there may be no need to rush through drastic website changes, it would be prudent for any business that uses cookies in the EU, as a minimum, to start reviewing its use of cookies and to consider what steps it might be able to take in response to the new rules. The position should also be closely monitored over the next few months.

What are the EU's new requirements?

The new rules arise from amendments to the EU's E-Privacy Directive (Directive 2002/58/EC) (the "EPD"). In relation to the use of cookies, the amended EPD provides that no one may store information, or gain access to information already stored, on an end-user's computer unless the user has given consent, having first been provided with clear and comprehensive information about the purposes of the storage or access.

There is an exception to the new requirements where the storage of or access to information is either (1) for the sole purpose of carrying out a transmission of a communication over a network, or (2) strictly necessary in order for the provider of a service expressly requested by the end-user to provide that service. The "strictly necessary" exception is likely to be construed narrowly, but should cover, for example, the use of a cookie to remember the contents of a customer's on-line shopping basket when the customer clicks through to the check-out or payment page.

The revised EPD does not modify the choice of law rules under Directive 95/46/EC, and in particular the rules for determining when European data protection law applies to non-EU websites.

State of implementation at the national level

United Kingdom

The UK implemented the new law on time, but the ICO (the UK's privacy regulator) has said it will not take any enforcement action until May 2012 at the earliest.

In the relevant UK regulations, the government clarified that consent may be signified by a user amending or setting controls on their internet browser to accept cookies. Website operators should note, however, that the great majority of internet users currently do not "amend or set" their browser settings - instead they just leave the default settings (which permit the use of cookies) in place. The ICO has confirmed that this is not enough and "at present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent".

For now, cookie users in the UK should therefore consider other methods of obtaining consent, such as pop-up pages, tick-box acceptance or similar mechanisms. The ICO has advised businesses to go through the following three-step process:

  1. Check what types of cookies you currently use and how.
  2. Assess how intrusive your use of cookies is.
  3. Decide the best way to obtain users' consent for your particular circumstances.

Businesses frustrated by the lack of definitive guidance can take some comfort from the fact that the ICO has allowed a year-long "lead in" period: it will not take any enforcement action under the new rules until May 2012 at the earliest. The ICO may also issue further guidance in future as possible technical solutions are evaluated and developed.

France

As at the implementation date, the relevant French amending legislation or "Ordinance" had still not officially been issued. However, an advance draft was circulated for public consultation.

The advance draft says that end-users should receive clear and full prior information on (1) the installation of and/or access to cookies, as well as (2) the means to object to such installation and/or access. This is a reiteration of existing law. More importantly, however, the advance draft indicates that user consent is necessary, but that user consent can be validly expressed by the settings of the end-user's internet browser.

However, pending publication of the official Ordinance, the position may change, including following the outcome of the public consultation which began in May 2011 and the receipt of comments from the French privacy regulator.

For now, it seems that the most appropriate approach to take in France is:

  • ensure that full and comprehensive information regarding the use of cookies is readily accessible for users. This was already a requirement in France, but it is a good time to make sure websites comply.
  • consider providing information and requesting consent on a one-off basis upon the user's first connection to the website. If, as it seems, the French government decides to allow service providers to rely on browser settings as a form of consent, the one-off approach is likely to be regarded as a sufficient means of providing information and procuring consent.

Germany

Implementation is late in Germany too. The relevant legislation is currently going through a parliamentary approval process. It is unclear when this process will end.

The current draft bill appears not to introduce any amendments into German law regarding the use of cookies. The bill's explanatory memorandum states that there is still an ongoing Europe-wide discussion and consultation regarding the changes to the EPD. Any German rules on the use of cookies will apparently only be implemented after agreement at a pan-European level has been reached!

This means website operators should continue to follow existing German requirements for the use of cookies for now, which in essence are:

  • to inform the user if cookies collecting personal information, or even pseudonymised information, are used;
  • to require prior, express consent for the use of permanent cookies; and
  • to allow the use of session cookies without user consent if they are necessary for providing the online service.

This current approach seems to be in line with the new EPD. So it may well be that there is no change to German law in the short to medium term.

Italy

In Italy, amending legislation has not been issued. Implementation is unlikely until the end of July 2011 at the earliest. Italian law requires that the Italian privacy regulator (the Garante) is consulted on the changes to the EPD: the Garante's opinion may well have an impact on how the new law is implemented in Italy.

Strictly speaking, website operators in Italy should as of now begin a process of ensuring they have specific consent from users for the use of cookies, being sure to provide clear and comprehensive information about the purposes for which cookies will be used. However, if the Italian government specifies that website operators can rely on browser controls as a mechanism for establishing consent, implementing the new rules may not be as impractical as some have predicted. In particular, if browser controls enable users to set their browsers to accept or reject cookies, these settings should satisfy the consent requirement.

Businesses should keep an eye on the evolution of the Italian implementing legislation. It is also likely that the Italian privacy regulator will at some point issue technical guidelines on the amended EPD.

Spain

The EPD is going to be implemented in Spain by a law which modifies Law 32/2003 on Telecommunications. The relevant bill was discussed by the Spanish Council of Ministers and was presented on 13 May 2011 to the Spanish Congress of Deputies for discussion as the final step prior to its approval. However, the implementation date is as yet uncertain.

Given the uncertain position, website operators in Spain may well be best advised to follow existing Spanish law on this issue which in summary provides that:

  • when a service provider employs cookies, it must inform recipients of their existence and the purposes for which cookies are used; and
  • service providers must give recipients the chance to reject cookies by a simple and free procedure (although this condition does not apply when the use of cookies is essential for the services provided).

In practice Spanish companies tend to comply with these requirements by providing recipients of cookies with information on how to disable cookies by adjusting their browser settings. Information concerning the use of cookies is usually included in a website's privacy policy or legal notice. To what extent these practices will need to change following implementation of the new EPD remains to be seen.