The Citizens' Rights Directive (2009/136/EC), (“Directive”) which was adopted in November 2009 by the European Parliament, has amended the E-Privacy Directive (2002/58/EC) on the use of cookies and consent.

Member States must transpose these amendments into national law by 25 May 2011 and there has been considerable debate as to how the UK and other EU countries will implement the new requirements.

Current Legal Framework

The E-Privacy Directive currently prescribes an “opt-out” approach whereby a cookie can be stored on a user’s computer where:

(a) the user is provided with clear and comprehensive information about the purpose of the cookies and access to any information stored on the user’s computer; and

(b) the user has been given the opportunity to refuse the use of cookies.

The Information Commissioner’s Office (“ICO”) has, to date, taken a pragmatic approach by saying that the right to refuse can be given after delivery of the cookie. This means that website operators simply need to include the relevant information in their online privacy policies.

New Requirements

The revised Directive now requires an “opt-in” system whereby the use of cookies is only allowed where the user concerned has given his or her consent having been provided with clear and comprehensive information about the purposes of the cookies.

The Article 29 Working Party, who published their opinion on behavioural advertising in June 2010 (“Working Party Opinion”), has interpreted this requirement strictly, including by requiring the website operator to obtain informed consent from users before setting the cookie. For further information on the Working Party Opinion please click here.

The “opt-in” system has been strongly criticised by website operators, who fear that this could affect website functionality, as well as by the UK advertising industry which sees the amendments as a threat to the use of online behavioural advertising. However, all is not lost. Under the new rules, consent is not required when the cookie is ‘strictly necessary’ to deliver a service that has been explicitly requested by the user, for example, where a cookie takes the user from a product page to the payment page.

In addition, Recital 66 of the Directive states that where it is technically possible and effective, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. This may provide website operators and online advertisers in the UK with a sigh of relief given that this is the approach currently recommended by the UK Government’s BIS department.

UK’s Approach

The UK Government has acknowledged the importance of cookies to the operation of most websites, and recognises the need to ensure that the revised requirements are not implemented in a way that would damage the experience of UK Internet users or place an unnecessary burden on UK and EU businesses that use the Internet.

In contrast with the recommendation in the Working Party Opinion, the UK Government specifically rejects the establishment of an opt-in system and does not intend to give a hard definition of what is strictly necessary, due to the concern that it may damage innovation. Rather, the UK Government proposes to replicate the relevant parts of the revised requirements, thereby leaving the ICO with flexibility to interpret the Directive and adjust to changes in usage and technology.

Based on the UK Government’s preferred implementation strategy, the new regime will not be substantively different to the current position in the UK; however, it will be interesting to see whether the ICO interprets the new rules restrictively (following the Working Party’s Opinion) or takes a more pragmatic approach in line with the UK Government’s stance, as it has done previously.