The European Union is taking steps to safeguard individuals' privacy on the Internet, and as of May 26, 2012, new laws are being enforced that will affect you if you operate a website that targets Internet users in the United Kingdom.
In 2009, the European Union issued a directive (2009/136/EC) requiring all European Union member countries to pass laws that require consent prior to using any cookies or similar technologies. A "cookie" is a small file downloaded onto a device when the user accesses certain websites. Cookies are then sent back to the originating website on each subsequent visit and allow the website to recognize the user's device.
To comply with the European Union directive, on May 26, 2011, the United Kingdom introduced amendments to The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). To allow website operators time to implement compliance strategies, the UK stated that the new laws would not be enforced for 12 months. On the eve of the enforcement date, the UK's Information Commissioner's Office issued a revised "Guidance on the rules on use of the cookies and similar technologies" apparently softening its stance on prior consent by explicitly stating that "implied" consent may be a legitimate method of compliance.
Nonetheless, if you operate a website targeting the UK or other EU countries, you should understand the new laws and how to comply.
The UK Law
"[A] person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless . . . the subscriber or user of that terminal equipment-
- is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
- has given his or her consent." (Regulation 6 of PECR, as amended)
Perform a Cookie Audit
Evaluate the Privacy Risks
The next step is to evaluate the privacy risk to the user associated with these cookies and other technologies.
Not all cookies pose the same privacy risks. Some cookies are essential to the purpose of the user's activities on the website; for example, cookies are necessary for a website to remember what goods have been added to a user's "shopping cart" when purchasing goods online. Other cookies may be necessary for security reasons or for the functionality of the website. These types of "necessary" cookies pose minimal privacy risks and are exempt from the consent requirement of the UK law.
Other cookies, less essential and more intrusive, may be used for analytical purposes, such as counting the number of unique visits to a website, and still others may be used to create detailed profiles of an individual's browsing activity. A compliance strategy should be developed for these types of cookies and similar technologies.
Develop a Compliance Strategy
After evaluating your cookies and other similar technologies, you should develop a method of compliance. Cookies and technologies that pose greater privacy risks for users likely will warrant more diligent efforts to obtain consent from users.
The UK laws are a response to a European Union directive, so it is very possible that other EU member countries will adopt similar laws in the near future.
Websites that acquire significant data from users and/or generate revenue from user-specific advertising may feel the greatest impact from the UK privacy laws; however, any business that operates in the UK or targets customers in the UK through the Internet should review its website(s) to determine what changes may be required to comply with the UK privacy laws.