The European Union is taking steps to safeguard individuals' privacy on the Internet, and as of May 26, 2012, new laws are being enforced that will affect you if you operate a website that targets Internet users in the United Kingdom. 

In 2009, the European Union issued a directive (2009/136/EC) requiring all European Union member countries to pass laws that require consent prior to using any cookies or similar technologies. A "cookie" is a small file downloaded on to a device when the user accesses certain websites. Cookies are then sent back to the originating website on each subsequent visit and allow the website to recognize the user's device.

To comply with the European Union directive, on May 26, 2011, the United Kingdom introduced amendments to The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). To allow website operators time to implement compliance strategies, the UK stated that the new laws would not be enforced for 12 months. On the eve of the enforcement date, the UK's Information Commissioner's Office issued a revised "Guidance on the rules on use of the cookies and similar technologies" apparently softening its stance on prior consent by explicitly stating that "implied" consent may be a legitimate method of compliance.

Nonetheless, if you operate a website targeting the UK or other EU countries, you should understand the new laws and how to comply.

The UK Law

"[A] person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless . . . the subscriber or user of that terminal equipment-

  1. is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  2. has given his or her consent." (Regulation 6 of PECR, as amended)

Perform a Cookie Audit

The first step in any compliance program is to do a cookie audit to understand what cookies and other technologies are used by the website and why. You may take this opportunity to eliminate or modify the cookies and technologies used if you are gathering information from users that you do not use. A cookie audit also should include a review of the information disclosed to the users regarding the use of cookies and other technologies.

Evaluate the Privacy Risks

The next step is to evaluate the privacy risk to the user associated with these cookies and other technologies.

Not all cookies pose the same privacy risks. Some cookies are essential to the purpose of the user's activities on the website; for example, cookies are necessary for a website to remember what goods have been added to a user's "shopping cart" when purchasing goods on-line. Other cookies may be necessary for security reasons or for the functionality of the website. These types of "necessary" cookies pose minimal privacy risks and are actually exempt from compliance with the UK law.

Other, less essential and more intrusive cookies, may be used for analytical purposes to count the number of unique visits to a website and still others may be used to create detailed profiles of an individual's browsing activity. A compliance strategy should be developed for these types of cookies and similar technologies.

Develop a Compliance Strategy

After evaluating your cookies and other similar technologies, you should develop a method of compliance. Cookies and technologies that pose greater privacy risks for users likely will warrant more diligent efforts to obtain consent from users.

Implied consent is a legitimate method of obtaining consent, but to the extent that it is relied upon, you should be satisfied that the users understand that their actions in using or viewing the website will result in cookies being placed on their device. Your disclosure concerning the use of the cookies and other similar technologies should be both comprehensive and clear. Burying the disclosure in a website privacy policy that is rarely read may not be sufficient to show informed consent.

In circumstances where the use of cookies or similar technologies present greater privacy risks, explicit consent may be required in the form of a pop-up messages or banners that solicit the user's specific consent, for example. These more intrusive methods of obtaining consent may detract from the user's web browsing experience so some care is required to develop a compliance strategy that both complies with the law and does not spoil the user's experience, or worse yet, causes the user to leave the website.

Conclusions

The UK laws are a response to a European Union directive, so it is very possible that other EU member countries will adopt similar laws in the near future.

Websites that acquire significant data from users and/or generate revenue from user-specific advertising may feel the greatest impact from the UK privacy laws; however, any business that operates in the UK or targets customers in the UK through the Internet should review its website(s) to determine what changes may be required to comply with the UK privacy laws.